From 03998abbd008784016442dc00cea8e99da03cf6c Mon Sep 17 00:00:00 2001
From: Steffen Gebert
Date: Sat, 1 Nov 2025 10:26:49 +0100
Subject: [PATCH 1/2] Allow passing rootUrls when signing plugins

Currently there is no way to sign a private plugin by passing rootUrls to the sign command as adviced in official documentation using these workflows.
Fixes: #37
---
 build-plugin/action.yml | 5 +++++
 package-plugin/action.yml | 13 ++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/build-plugin/action.yml b/build-plugin/action.yml
index bc60936b..4446bcb9 100644
--- a/build-plugin/action.yml
+++ b/build-plugin/action.yml
@@ -18,6 +18,10 @@ inputs:
 description: "Grafana access policy token. https://grafana.com/developers/plugin-tools/publish-a-plugin/sign-a-plugin#generate-an-access-policy-token"
 required: false
 default: ""
+ sign_root_urls:
+ description: "Root URLs for plugin signing"
+ required: false
+ default: ""
 grafana_token:
 description: "[deprecated] Grafana API Key to sign a plugin. Prefer `policy_token`."
 required: false
@@ -67,6 +71,7 @@ runs:
 uses: grafana/plugin-actions/package-plugin@main # zizmor: ignore[unpinned-uses]
 with:
 policy_token: ${{ inputs.policy_token }}
+ sign_root_urls: ${{ inputs.sign_root_urls }}
 node-version: "${{ inputs.node-version }}"
 go-version: "${{ inputs.go-version }}"
 backend-target: "${{ inputs.backend-target }}"
diff --git a/package-plugin/action.yml b/package-plugin/action.yml
index fe60a1a0..beb385a1 100644
--- a/package-plugin/action.yml
+++ b/package-plugin/action.yml
@@ -20,6 +20,10 @@ inputs:
 description: "Grafana access policy token. https://grafana.com/developers/plugin-tools/publish-a-plugin/sign-a-plugin#generate-an-access-policy-token"
 required: false
 default: ""
+ sign_root_urls:
+ description: "Root URLs for plugin signing"
+ required: false
+ default: ""
 go-version:
 description: "Version of go"
 required: false
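Review bot: The `sign_root_urls` description added under `inputs` in build-plugin/action.yml, and repeated in package-plugin/action.yml, does not say what format the value takes or what leaving it empty means. The value is forwarded unchanged to the sign command's `--rootUrls` flag, and the empty default selects the branch that signs without root URLs, so a caller who gets it wrong ends up with a failed signing step or a signature bound to the wrong instance. A description such as `"Comma-separated Grafana root URLs for signing a private plugin; passed to the sign command as --rootUrls. Leave empty to sign as a public plugin."` would make this explicit. The comma-separated format is my reading of the Grafana signing documentation and should be confirmed there.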
@@ -100,7 +104,14 @@ runs:
 shell: bash
 - name: Sign plugin
- run: ${{ github.action_path }}/pm.sh sign
+ run: |
+ if [ -n "${{ inputs.sign_root_urls }}" ]; then
+ echo "Signing private plugin including rootUrls"
+ ${{ github.action_path }}/pm.sh sign -- --rootUrls "${{ inputs.sign_root_urls }}"
+ else
+ echo "Signing public plugin"
+ ${{ github.action_path }}/pm.sh sign
+ fi
 shell: bash
 env:
 GRAFANA_ACCESS_POLICY_TOKEN: ${{ inputs.policy_token }}
From 4718e60fc1f7443555f7beea909bc580e25ede17 Mon Sep 17 00:00:00 2001
From: Steffen Gebert
Date: Sat, 1 Nov 2025 14:49:55 +0100
Subject: [PATCH 2/2] Support passing arguments to npm run

In order to supply --rootUrls for the sign action, we need to enhance pm.sh with support for passing arguments to 'npm run'.
---
 package-plugin/pm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package-plugin/pm.sh b/package-plugin/pm.sh
index 0f54990d..fff1dbd9 100755
--- a/package-plugin/pm.sh
+++ b/package-plugin/pm.sh
@@ -32,5 +32,5 @@ echo "Running '$1' with $pm..."
 if [ "$1" = "install" ]; then
 "$pm" install
 else
- "$pm" run "$1"
+ "$pm" run "$1" -- "${@:3}"
 fi
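Review bot: In the `Sign plugin` step of package-plugin/action.yml, `${{ inputs.sign_root_urls }}` is substituted into the script text before bash parses it, so shell metacharacters in the input become part of the script rather than data. This step also has `GRAFANA_ACCESS_POLICY_TOKEN` in its environment, which makes that worth closing off. Pass the input through the environment instead: add `SIGN_ROOT_URLS: ${{ inputs.sign_root_urls }}` under the step's existing `env:`, then use `if [ -n "$SIGN_ROOT_URLS" ]; then` and `--rootUrls "$SIGN_ROOT_URLS"` in the script. The `env:` block may continue past the end of the hunk, so the new entry should sit alongside whatever else is there.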
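Review bot: In package-plugin/pm.sh, `"${@:3}"` discards the second argument whatever it is, so the script only behaves when the caller puts a literal `--` there, as the Sign plugin step does. A call like `pm.sh sign --rootUrls <url>` would silently lose the flag and forward only the URL. Consuming the separator explicitly inside the `else` branch is more robust: `script="$1"; shift; [ "${1:-}" = "--" ] && shift` followed by `"$pm" run "$script" -- "$@"`. The commit message mentions only `npm run`; if `$pm` can also be another package manager (its detection is outside the hunk), the hard-coded `--` may reach the script literally with some of them and should be checked. `${@:3}` is also a bash-only expansion, so the shebang, not visible here, needs to be bash.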