@grafana/create-plugin 7.4.0-canary.2630.25780630776.0 → 7.4.0

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+# v7.4.0 (Wed May 13 2026)
+
+#### 🚀 Enhancement
+
+- feat: harden bundle-stats workflow permissions [#2627](https://github.com/grafana/plugin-tools/pull/2627) ([@jackw](https://github.com/jackw))
+
+#### Authors: 1
+
+- Jack Westbrook ([@jackw](https://github.com/jackw))
+
+---
+
 # v7.3.1 (Wed May 06 2026)
 
 #### 🐛 Bug Fix

package/dist/codemods/migrations/migrations.js

@@ -42,6 +42,12 @@ var defaultMigrations = [
     version: "6.1.13",
     description: "Add setupTests.d.ts for @testing-library/jest-dom types and remove @types/testing-library__jest-dom npm package.",
     scriptPath: import.meta.resolve("./scripts/007-remove-testing-library-types.js")
+  },
+  {
+    name: "008-bundle-stats-permissions",
+    version: "7.3.2",
+    description: "Harden bundle-stats/bundle-size workflow permissions: contents permission was set to write but only read access is required; restricted to read for least-privilege.",
+    scriptPath: import.meta.resolve("./scripts/008-bundle-stats-permissions.js")
   }
   // Do not use LEGACY_UPDATE_CUTOFF_VERSION for new migrations. It is only used above to force migrations to run
   // for those written before the switch to updates as migrations.

package/dist/codemods/migrations/scripts/008-bundle-stats-permissions.js

@@ -0,0 +1,23 @@
+import { parseDocument, stringify } from 'yaml';
+
+const workflowPaths = ["./.github/workflows/bundle-stats.yml", "./.github/workflows/bundle-size.yml"];
+async function migrate(context) {
+  for (const workflowPath of workflowPaths) {
+    if (!context.doesFileExist(workflowPath)) {
+      continue;
+    }
+    const workflowContent = context.getFile(workflowPath);
+    if (!workflowContent) {
+      continue;
+    }
+    const workflowDoc = parseDocument(workflowContent);
+    if (workflowDoc.getIn(["permissions", "contents"]) !== "write") {
+      continue;
+    }
+    workflowDoc.setIn(["permissions", "contents"], "read");
+    context.updateFile(workflowPath, stringify(workflowDoc));
+  }
+  return context;
+}
+
+export { migrate as default };

package/dist/commands/generate.command.js

@@ -93,7 +93,7 @@ function getActionsForTemplateFolder({
   templateData
 }) {
   let files = glob.sync(`${folderPath}/**`, { dot: true });
-  if (templateData.packageManagerName !== "npm") {
+  if (templateData.packageManagerName !== "pnpm") {
     files = files.filter((file) => path.basename(file) !== "npmrc");
   }
   files = files.filter((file) => {

package/dist/utils/utils.packageManager.js

@@ -17,17 +17,9 @@ async function configureYarn(cwd, packageManagerVersion) {
         shell: true,
         cwd
       });
-      spawnSync("yarn", ["config", "set", "executeScripts", "false"], {
-        shell: true,
-        cwd
-      });
-      return "Configured Yarn Berry to use node_modules and disabled script execution during installation.";
+      return "Configured Yarn Berry to use node_modules (PnP is not supported)";
     }
-    spawnSync("yarn", ["config", "set", "ignore-scripts", "true"], {
-      shell: true,
-      cwd
-    });
-    return "Configured Yarn to ignore scripts during installation.";
+    return "";
   } catch (error) {
     throw new Error(
       "There was an error configuring Yarn. Please run `yarn set version stable && yarn config set nodeLinker node-modules` in your plugin directory."

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grafana/create-plugin",
-  "version": "7.4.0-canary.2630.25780630776.0",
+  "version": "7.4.0",
   "repository": {
     "directory": "packages/create-plugin",
     "url": "https://github.com/grafana/plugin-tools"
@@ -55,5 +55,5 @@
   "engines": {
     "node": ">=20"
   },
-  "gitHead": "3dcab2a635d081430256b57dedf7a75a7b2cfbc8"
+  "gitHead": "d9190314df0893842f12e33bbdfb7d39c3a704cc"
 }

package/src/codemods/migrations/migrations.ts

@@ -50,6 +50,13 @@ export default [
       'Add setupTests.d.ts for @testing-library/jest-dom types and remove @types/testing-library__jest-dom npm package.',
     scriptPath: import.meta.resolve('./scripts/007-remove-testing-library-types.js'),
   },
+  {
+    name: '008-bundle-stats-permissions',
+    version: '7.3.2',
+    description:
+      'Harden bundle-stats/bundle-size workflow permissions: contents permission was set to write but only read access is required; restricted to read for least-privilege.',
+    scriptPath: import.meta.resolve('./scripts/008-bundle-stats-permissions.js'),
+  },
   // Do not use LEGACY_UPDATE_CUTOFF_VERSION for new migrations. It is only used above to force migrations to run
   // for those written before the switch to updates as migrations.
 ] satisfies Migration[];

package/src/codemods/migrations/scripts/008-bundle-stats-permissions.test.ts

@@ -0,0 +1,231 @@
+import { describe, it, expect } from 'vitest';
+import { Context } from '../../context.js';
+import migrate from './008-bundle-stats-permissions.js';
+import { parse } from 'yaml';
+
+const workflowPath = './.github/workflows/bundle-stats.yml';
+const legacyWorkflowPath = './.github/workflows/bundle-size.yml';
+
+describe('008-bundle-stats-permissions', () => {
+  it('should not modify anything if workflow file does not exist', async () => {
+    const context = new Context('/virtual');
+
+    await migrate(context);
+
+    expect(context.listChanges()).toEqual({});
+  });
+
+  it('should not modify anything if workflow file is empty', async () => {
+    const context = new Context('/virtual');
+    context.addFile(workflowPath, '');
+    const initialChanges = context.listChanges();
+
+    await migrate(context);
+
+    expect(context.listChanges()).toEqual(initialChanges);
+  });
+
+  it('should not modify anything if permissions block is missing', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      workflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+    const initialChanges = context.listChanges();
+
+    await migrate(context);
+
+    expect(context.listChanges()).toEqual(initialChanges);
+  });
+
+  it('should not modify anything if permissions.contents key is missing', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      workflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+permissions:
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+    const initialChanges = context.listChanges();
+
+    await migrate(context);
+
+    expect(context.listChanges()).toEqual(initialChanges);
+  });
+
+  it('should not modify anything if permissions.contents is already read', async () => {
+    const context = new Context('/virtual');
+    const original = `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: read
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`;
+    context.addFile(workflowPath, original);
+
+    await migrate(context);
+
+    expect(context.getFile(workflowPath)).toBe(original);
+  });
+
+  it('should not modify anything if permissions.contents is none', async () => {
+    const context = new Context('/virtual');
+    const original = `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: none
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`;
+    context.addFile(workflowPath, original);
+
+    await migrate(context);
+
+    expect(context.getFile(workflowPath)).toBe(original);
+  });
+
+  it('should update permissions.contents from write to read', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      workflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+
+    await migrate(context);
+
+    const migrated = parse(context.getFile(workflowPath) || '');
+    expect(migrated.permissions.contents).toBe('read');
+  });
+
+  it('should preserve other permissions when updating contents', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      workflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+
+    await migrate(context);
+
+    const migrated = parse(context.getFile(workflowPath) || '');
+    expect(migrated.permissions).toEqual({
+      contents: 'read',
+      'pull-requests': 'write',
+      actions: 'read',
+    });
+  });
+
+  it('should update permissions.contents in the legacy bundle-size.yml workflow', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      legacyWorkflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+
+    await migrate(context);
+
+    const migrated = parse(context.getFile(legacyWorkflowPath) || '');
+    expect(migrated.permissions.contents).toBe('read');
+  });
+
+  it('should update both workflow filenames if both exist', async () => {
+    const context = new Context('/virtual');
+    const original = `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`;
+    context.addFile(workflowPath, original);
+    context.addFile(legacyWorkflowPath, original);
+
+    await migrate(context);
+
+    expect(parse(context.getFile(workflowPath) || '').permissions.contents).toBe('read');
+    expect(parse(context.getFile(legacyWorkflowPath) || '').permissions.contents).toBe('read');
+  });
+
+  it('should be idempotent', async () => {
+    const context = new Context('/virtual');
+    context.addFile(
+      workflowPath,
+      `name: Bundle Stats
+on: [pull_request]
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+jobs:
+  compare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+`
+    );
+
+    await expect(migrate).toBeIdempotent(context);
+  });
+});

package/src/codemods/migrations/scripts/008-bundle-stats-permissions.ts

@@ -0,0 +1,29 @@
+import { type Context } from '../../context.js';
+import { parseDocument, stringify } from 'yaml';
+
+const workflowPaths = ['./.github/workflows/bundle-stats.yml', './.github/workflows/bundle-size.yml'];
+
+export default async function migrate(context: Context) {
+  for (const workflowPath of workflowPaths) {
+    if (!context.doesFileExist(workflowPath)) {
+      continue;
+    }
+
+    const workflowContent = context.getFile(workflowPath);
+
+    if (!workflowContent) {
+      continue;
+    }
+
+    const workflowDoc = parseDocument(workflowContent);
+
+    if (workflowDoc.getIn(['permissions', 'contents']) !== 'write') {
+      continue;
+    }
+
+    workflowDoc.setIn(['permissions', 'contents'], 'read');
+    context.updateFile(workflowPath, stringify(workflowDoc));
+  }
+
+  return context;
+}

package/src/commands/generate.command.ts

@@ -135,7 +135,8 @@ function getActionsForTemplateFolder({
 }) {
   let files = glob.sync(`${folderPath}/**`, { dot: true });
 
-  if (templateData.packageManagerName !== 'npm') {
+  // The npmrc file is only useful for `pnpm` settings. We can remove it for other package managers.
+  if (templateData.packageManagerName !== 'pnpm') {
     files = files.filter((file) => path.basename(file) !== 'npmrc');
   }
 

package/src/utils/utils.packageManager.ts

@@ -24,18 +24,9 @@ export async function configureYarn(cwd: string, packageManagerVersion: string)
         shell: true,
         cwd,
       });
-      spawnSync('yarn', ['config', 'set', 'executeScripts', 'false'], {
-        shell: true,
-        cwd,
-      });
-      return 'Configured Yarn Berry to use node_modules and disabled script execution during installation.';
+      return 'Configured Yarn Berry to use node_modules (PnP is not supported)';
     }
-    spawnSync('yarn', ['config', 'set', 'ignore-scripts', 'true'], {
-      shell: true,
-      cwd,
-    });
-
-    return 'Configured Yarn to ignore scripts during installation.';
+    return '';
   } catch (error) {
     throw new Error(
       'There was an error configuring Yarn. Please run `yarn set version stable && yarn config set nodeLinker node-modules` in your plugin directory.'

package/templates/common/npmrc

@@ -1 +1,12 @@
-ignore-scripts=true
+# This file is required for PNPM
+
+# PNPM 8 changed the default resolution mode to "lowest-direct" which is not how we expect resolutions to work
+resolution-mode="highest"
+
+# Make sure the default patterns are still included (https://pnpm.io/npmrc#public-hoist-pattern)
+public-hoist-pattern[]="*eslint*"
+public-hoist-pattern[]="*prettier*"
+
+# Hoist all types packages to the root for better TS support
+public-hoist-pattern[]="@types/*"
+public-hoist-pattern[]="*terser-webpack-plugin*"

package/templates/github/workflows/bundle-stats.yml

@@ -10,7 +10,7 @@ on:
       - main
 
 permissions:
-  contents: write
+  contents: read
   pull-requests: write
   actions: read