[release-12.2.2] refactor(annotations): Allow skipping always on dashboard UID migrations (#114108)

refactor(annotations): Allow skipping always on dashboard UID migrations (#113780)

(cherry picked from commit b70c6a726f)

.air.toml

@@ -1,13 +1,13 @@
 [build]
-bin = "./bin/grafana-air"
+bin = "./bin/grafana"
 args_bin = ["server", "-profile", "-profile-addr=127.0.0.1", "-profile-port=6000", "-profile-block-rate=1", "-profile-mutex-rate=5", "-packaging=dev", "cfg:app_mode=development"]
-cmd = "make GO_BUILD_DEV=1 build-air"
+cmd = "make GO_BUILD_DEV=1 build-backend"
 exclude_regex = ["_test.go", "_gen.go"]
 exclude_unchanged = true
 follow_symlink = true
-include_dir = ["apps", "conf", "pkg", "public/views"]
+include_dir = ["apps", "conf", "devenv/dev-dashboards", "pkg", "public/views"]
 include_ext = ["go", "ini", "toml", "html", "json"]
-stop_on_error = true
+stop_on_error = false
 send_interrupt = true
 kill_delay = 500
 

.bra.toml

@@ -17,7 +17,7 @@ watch_exts = [".go", ".ini", ".toml", ".template.html"]
 ignore_files = [".*_gen.go"]
 build_delay = 1500
 cmds = [
-  ["make", "GO_BUILD_DEV=1", "build-go"],
+  ["make", "GO_BUILD_DEV=1", "build-go-fast"],
   ["make", "gen-jsonnet"],
   ["./bin/grafana", "server", "-profile", "-profile-addr=127.0.0.1", "-profile-port=6000", "-profile-block-rate=1", "-profile-mutex-rate=5", "-packaging=dev", "cfg:app_mode=development"]
 ]

.citools/src/air/go.mod

@@ -1,6 +1,6 @@
 module air
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/air-verse/air
 
@@ -21,8 +21,8 @@ require (
 	github.com/spf13/afero v1.14.0 // indirect
 	github.com/spf13/cast v1.8.0 // indirect
 	github.com/tdewolff/parse/v2 v2.8.1 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 )

.citools/src/air/go.sum

@@ -167,19 +167,19 @@ golang.org/x/exp v0.0.0-20250531010427-b6e5de432a8b h1:QoALfVG9rhQ/M7vYDScfPdWjG
 golang.org/x/exp v0.0.0-20250531010427-b6e5de432a8b/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
 golang.org/x/image v0.27.0 h1:C8gA4oWU/tKkdCfYT6T2u4faJu3MeNS5O8UPWlPF61w=
 golang.org/x/image v0.27.0/go.mod h1:xbdrClrAUway1MUTEZDq9mz/UpRwYAkFFNUslZtcB+g=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

.citools/src/bra/go.mod

@@ -1,6 +1,6 @@
 module bra
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/unknwon/bra
 
@@ -17,6 +17,6 @@ require (
 	github.com/unknwon/com v1.0.1 // indirect
 	github.com/unknwon/log v0.0.0-20200308114134-929b1006e34a // indirect
 	github.com/urfave/cli v1.22.16 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 )

.citools/src/bra/go.sum

@@ -56,8 +56,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191020152052-9984515f0562/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/src/cog/go.mod

@@ -1,6 +1,6 @@
 module cog
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/grafana/cog/cmd/cli
 
@@ -40,11 +40,11 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/yalue/merged_fs v1.3.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/src/cog/go.sum

@@ -85,20 +85,20 @@ github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4d
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/yalue/merged_fs v1.3.0 h1:qCeh9tMPNy/i8cwDsQTJ5bLr6IRxbs6meakNE5O+wyY=
 github.com/yalue/merged_fs v1.3.0/go.mod h1:WqqchfVYQyclV2tnR7wtRhBddzBvLVR83Cjw9BKQw0M=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.citools/src/cue/go.mod

@@ -1,6 +1,6 @@
 module cue
 
-go 1.25.5
+go 1.25.3
 
 tool cuelang.org/go/cmd/cue
 
@@ -25,13 +25,13 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/tetratelabs/wazero v1.6.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/src/cue/go.sum

@@ -53,20 +53,20 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tetratelabs/wazero v1.6.0 h1:z0H1iikCdP8t+q341xqepY4EWvHEw8Es7tlqiVzlP3g=
 github.com/tetratelabs/wazero v1.6.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.citools/src/golangci-lint/go.mod

@@ -1,6 +1,6 @@
 module golangci-lint
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 
@@ -198,12 +198,12 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/mod v0.28.0 // indirect
+	golang.org/x/net v0.45.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/tools v0.37.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	honnef.co/go/tools v0.6.1 // indirect

.citools/src/golangci-lint/go.sum

@@ -481,8 +481,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
+golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -496,8 +496,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
+golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -507,8 +507,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -529,8 +529,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -545,8 +545,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
@@ -559,8 +559,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
+golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=

.citools/src/jb/go.mod

@@ -1,6 +1,6 @@
 module jb
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb
 
@@ -15,6 +15,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 )

.citools/src/jb/go.sum

@@ -54,8 +54,8 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/src/lefthook/go.mod

@@ -1,6 +1,6 @@
 module lefthook
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/evilmartians/lefthook
 
@@ -43,9 +43,9 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/term v0.35.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

.citools/src/lefthook/go.sum

@@ -91,14 +91,14 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 h1:8ajkpB4hXVftY5ko905id+dOnmorcS2CHNxxHLLDcFM=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61/go.mod h1:IfMagxm39Ys4ybJrDb7W3Ob8RwxftP0Yy+or/NVz1O8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/src/swagger/go.mod

@@ -1,6 +1,6 @@
 module swagger
 
-go 1.25.5
+go 1.25.3
 
 tool github.com/go-swagger/go-swagger/cmd/swagger
 
@@ -51,12 +51,12 @@ require (
 	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.16.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/crypto v0.42.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/src/swagger/go.sum

@@ -101,19 +101,19 @@ go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4
 go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.dockerignore

@@ -4,7 +4,6 @@
 .gitignore
 .vscode
 bin
-!bin/grafana-linux-k8s
 data*
 dist
 docker

.gitattributes

@@ -1,11 +1 @@
 * text=auto eol=lf
-*.gen.ts linguist-generated
-*_gen.ts linguist-generated
-*_gen.go linguist-generated
-*_gen.csv linguist-generated
-*_gen.json linguist-generated
-**/openapi_snapshots/*.json linguist-generated
-apps/**/pkg/apis/*_manifest.go linguist-generated
-public/openapi3.json linguist-generated
-public/api-merged.json linguist-generated
-public/api-enterprise-spec.json linguist-generated

.github/CODEOWNERS

@@ -32,31 +32,30 @@
 /devenv/README.md @grafana/docs-grafana
 
 # START Technical documentation
-/.vale.ini  @grafana/docs-tooling
-/AGENTS.md  @grafana/docs-tooling
-
+/.vale.ini @grafana/docs-tooling
 # `make docs` procedure and related workflows are owned @grafana/docs-tooling. Slack #docs.
 /docs/                                                                            @grafana/docs-tooling
 
 /docs/sources/                                                                    @irenerl24
 
 /docs/sources/alerting/                                                           @JohnnyK-Grafana
+
+/docs/sources/dashboards/                                                         @imatwawana
 /docs/sources/as-code/                                                            @urbiz-grafana
 /docs/sources/developer-resources/                                                @urbiz-grafana
 /docs/sources/datasources/                                                        @lwandz13
+/docs/sources/panels-visualizations/                                              @imatwawana
 /docs/sources/upgrade-guide/                                                      @jtvdez
 /docs/sources/whatsnew/                                                           @jtvdez
 
-
-/docs/sources/developers/plugins/                                                 @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
+/docs/sources/developer-resources/plugins/                                        @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /docs/sources/visualizations/dashboards/                                          @imatwawana
 /docs/sources/visualizations/panels-visualizations/                               @imatwawana
 
-
-/docs/sources/visualizations/dashboards/share-dashboards-panels/_index.md                         @imatwawana @jtvdez
-/docs/sources/visualizations/dashboards/share-dashboards-panels/shared-dashboards/index.md        @jtvdez
-/docs/sources/visualizations/panels-visualizations/query-transform-data/transform-data/index.md   @imatwawana @baldm0mma
-/docs/sources/visualizations/panels-visualizations/query-transform-data/sql-expressions/index.md  @lwandz13 @irenerl24
+/docs/sources/dashboards/share-dashboards-panels/_index.md                        @imatwawana @jtvdez
+/docs/sources/dashboards/share-dashboards-panels/shared-dashboards/index.md       @jtvdez
+/docs/sources/panels-visualizations/query-transform-data/transform-data/index.md  @imatwawana @baldm0mma
+/docs/sources/panels-visualizations/query-transform-data/sql-expressions/index.md  @lwandz13 @irenerl24
 # END Technical documentation
 
 # Backend code
@@ -89,19 +88,13 @@
 /apps/folder/ @grafana/grafana-app-platform-squad
 /apps/playlist/ @grafana/grafana-app-platform-squad
 /apps/plugins/ @grafana/plugins-platform-backend
-/apps/collections/ @grafana/grafana-app-platform-squad @grafana/grafana-frontend-platform
 /apps/preferences/ @grafana/grafana-app-platform-squad @grafana/grafana-frontend-platform
 /apps/shorturl/ @grafana/sharing-squad
 /apps/secret/ @grafana/grafana-operator-experience-squad
-/apps/scope/ @grafana/grafana-operator-experience-squad
 /apps/investigations/ @fcjack @matryer @svennergr
 /apps/advisor/ @grafana/plugins-platform-backend
 /apps/iam/ @grafana/access-squad
 /apps/sdk.mk @grafana/grafana-app-platform-squad
-/apps/correlations @grafana/datapro
-/apps/example/ @grafana/grafana-app-platform-squad
-/apps/logsdrilldown/ @grafana/observability-logs
-/apps/annotation/ @grafana/grafana-backend-services-squad
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
 /pkg/apis/query @grafana/grafana-datasources-core-services
@@ -155,7 +148,7 @@
 /pkg/promlib @grafana/oss-big-tent
 /pkg/storage/ @grafana/grafana-search-and-storage
 /pkg/storage/secret/ @grafana/grafana-operator-experience-squad
-/pkg/services/annotations/ @grafana/grafana-backend-services-squad
+/pkg/services/annotations/ @grafana/grafana-search-and-storage
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
 /pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
@@ -171,7 +164,7 @@
 /pkg/services/kmsproviders/ @grafana/grafana-operator-experience-squad
 /pkg/services/licensing/ @grafana/grafana-operator-experience-squad
 /pkg/services/dsquerierclient/ @grafana/grafana-datasources-core-services
-/pkg/services/navtree/ @grafana/grafana-backend-group @grafana/grafana-search-navigate-organise
+/pkg/services/navtree/ @grafana/grafana-backend-group
 /pkg/services/notifications/ @grafana/grafana-backend-group
 /pkg/services/org/ @grafana/grafana-backend-group
 /pkg/services/playlist/ @grafana/grafana-app-platform-squad
@@ -185,8 +178,7 @@
 /pkg/services/search/ @grafana/grafana-search-and-storage
 /pkg/services/searchusers/ @grafana/grafana-search-and-storage
 /pkg/services/secrets/ @grafana/grafana-operator-experience-squad
-/pkg/services/setting/ @grafana/grafana-backend-services-squad
-/pkg/services/shorturls/ @grafana/sharing-squad
+/pkg/services/shorturls/ @grafana/grafana-backend-group
 /pkg/services/sqlstore/ @grafana/grafana-search-and-storage
 /pkg/services/ssosettings/ @grafana/identity-squad
 /pkg/services/star/ @grafana/grafana-search-and-storage
@@ -200,11 +192,10 @@
 /pkg/setting/ @grafana/grafana-backend-services-squad
 /pkg/tests/ @grafana/grafana-backend-services-squad
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
-/pkg/tests/apis/alerting @grafana/alerting-backend
+/pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/tests/apis/features @grafana/grafana-backend-services-squad
 /pkg/tests/apis/folder @grafana/grafana-search-and-storage
 /pkg/tests/apis/iam @grafana/identity-access-team
-/pkg/tests/apis/shorturl @grafana/sharing-squad
 /pkg/tests/api/correlations/ @grafana/datapro
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
@@ -231,7 +222,6 @@
 /devenv/datasources.yaml @grafana/grafana-backend-group
 /devenv/datasources_docker.yaml @grafana/grafana-backend-group
 /devenv/dev-dashboards-without-uid/ @grafana/dashboards-squad
-/devenv/scopes/ @grafana/grafana-operator-experience-squad
 
 /devenv/dev-dashboards/annotations @grafana/dataviz-squad
 /devenv/dev-dashboards/migrations @grafana/dataviz-squad
@@ -248,7 +238,6 @@
 /devenv/dev-dashboards/panel-library @grafana/dataviz-squad
 /devenv/dev-dashboards/panel-piechart @grafana/dataviz-squad
 /devenv/dev-dashboards/panel-stat @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-status-history @grafana/dataviz-squad
 /devenv/dev-dashboards/panel-table @grafana/dataviz-squad
 /devenv/dev-dashboards/panel-timeline @grafana/dataviz-squad
 /devenv/dev-dashboards/panel-timeseries @grafana/dataviz-squad
@@ -258,6 +247,7 @@
 /devenv/dev-dashboards/all-panels.json @grafana/dataviz-squad
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad
+
 /devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
@@ -313,7 +303,7 @@
 /devenv/docker/blocks/prometheus_random_data/ @grafana/oss-big-tent
 /devenv/docker/blocks/prometheus_high_card/ @grafana/oss-big-tent
 /devenv/docker/blocks/prometheus_utf8/ @grafana/oss-big-tent
-/devenv/docker/blocks/pyroscope/ @grafana/oss-big-tent
+/devenv/docker/blocks/pyroscope/ @grafana/observability-traces-and-profiling
 /devenv/docker/blocks/redis/ @bergquist
 /devenv/docker/blocks/sensugo/ @grafana/grafana-backend-group
 /devenv/docker/blocks/slow_proxy/ @bergquist
@@ -324,7 +314,6 @@
 /devenv/docker/blocks/webdav/ @grafana/alerting-backend
 /devenv/docker/buildcontainer/ @bergquist
 /devenv/docker/compose_header.yml @grafana/grafana-backend-services-squad
-/devenv/docker/compose_volume_section.yml @grafana/grafana-backend-services-squad
 /devenv/docker/debtest/ @bergquist
 /devenv/docker/ha-test-unified-alerting/ @grafana/alerting-backend
 /devenv/docker/ha_test/ @grafana/grafana-backend-services-squad
@@ -363,8 +352,8 @@
 /pkg/tsdb/prometheus/ @grafana/oss-big-tent
 /pkg/tsdb/elasticsearch/ @grafana/partner-datasources
 /pkg/tsdb/loki/ @grafana/oss-big-tent
-/pkg/tsdb/tempo/ @grafana/oss-big-tent
-/pkg/tsdb/grafana-pyroscope-datasource/ @grafana/oss-big-tent
+/pkg/tsdb/tempo/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
+/pkg/tsdb/grafana-pyroscope-datasource/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/parca/ @grafana/oss-big-tent
 
 # OSS Big Tent backend code
@@ -421,8 +410,8 @@
 
 /crowdin.yml @grafana/grafana-frontend-platform
 /public/locales/ @grafanabot
-i18next.config.ts @grafana/grafana-frontend-platform
-/public/locales/enterprise/i18next.config.ts @grafana/grafana-frontend-platform
+/public/locales/i18next-parser.config.cjs @grafana/grafana-frontend-platform
+/public/locales/i18next-parser-enterprise.config.cjs @grafana/grafana-frontend-platform
 /public/app/core/internationalization/ @grafana/grafana-frontend-platform
 /e2e/ @grafana/grafana-frontend-platform
 /e2e-playwright/cloud-plugins-suite/ @grafana/partner-datasources
@@ -439,8 +428,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /e2e-playwright/dashboards/PanelSandboxDashboard.json @grafana/plugins-platform-frontend
 /e2e-playwright/dashboards/TestDashboard.json @grafana/dashboards-squad @grafana/grafana-search-navigate-organise
 /e2e-playwright/dashboards/TestV2Dashboard.json @grafana/dashboards-squad
-/e2e-playwright/dashboards/V2DashWithRepeats.json @grafana/dashboards-squad
-/e2e-playwright/dashboards/V2DashWithTabRepeats.json @grafana/dashboards-squad
 /e2e-playwright/dashboards-suite/adhoc-filter-from-panel.spec.ts @grafana/datapro
 /e2e-playwright/dashboards-suite/dashboard-browse-nested.spec.ts @grafana/grafana-search-navigate-organise
 /e2e-playwright/dashboards-suite/dashboard-browse.spec.ts @grafana/grafana-search-navigate-organise
@@ -479,12 +466,22 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /e2e-playwright/fixtures/long-trace-response.json @grafana/observability-traces-and-profiling
 /e2e-playwright/fixtures/tempo-response.json @grafana/oss-big-tent
 /e2e-playwright/fixtures/prometheus-response.json @grafana/datapro
-/e2e-playwright/panels-suite/ @grafana/dataviz-squad
+/e2e-playwright/panels-suite/canvas-scene.spec.ts @grafana/dataviz-squad
 /e2e-playwright/panels-suite/dashlist.spec.ts @grafana/grafana-search-navigate-organise
+/e2e-playwright/panels-suite/datagrid-data-change.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/datagrid-editing-features.spec.ts @grafana/dataviz-squad
 /e2e-playwright/panels-suite/frontend-sandbox-panel.spec.ts @grafana/plugins-platform-frontend
+/e2e-playwright/panels-suite/geomap-layer-types.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/geomap-map-controls.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/geomap-spatial-operations-transform.spec.ts @grafana/dataviz-squad
 /e2e-playwright/panels-suite/panelEdit_base.spec.ts @grafana/dashboards-squad
 /e2e-playwright/panels-suite/panelEdit_queries.spec.ts @grafana/dashboards-squad
 /e2e-playwright/panels-suite/panelEdit_transforms.spec.ts @grafana/datapro
+/e2e-playwright/panels-suite/table-footer.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/table-kitchenSink.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/table-markdown.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/table-sparkline.spec.ts @grafana/dataviz-squad
+/e2e-playwright/panels-suite/table-utils.ts @grafana/dataviz-squad
 /e2e-playwright/plugin-e2e/ @grafana/oss-big-tent @grafana/partner-datasources
 /e2e-playwright/plugin-e2e/plugin-e2e-api-tests/ @grafana/plugins-platform-frontend
 /e2e-playwright/smoke-tests-suite/ @grafana/grafana-frontend-platform
@@ -501,7 +498,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /e2e-playwright/various-suite/frontend-sandbox-app.spec.ts @grafana/plugins-platform-frontend
 /e2e-playwright/various-suite/frontend-sandbox-datasource.spec.ts @grafana/plugins-platform-frontend
 /e2e-playwright/various-suite/gauge.spec.ts @grafana/dataviz-squad
-/e2e-playwright/various-suite/grafana-datasource-random-walk.spec.ts @grafana/grafana-frontend-platform
 /e2e-playwright/various-suite/graph-auto-migrate.spec.ts @grafana/dataviz-squad
 /e2e-playwright/various-suite/inspect-drawer.spec.ts @grafana/dashboards-squad
 /e2e-playwright/various-suite/keybinds.spec.ts @grafana/grafana-frontend-platform
@@ -553,7 +549,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-data/src/geo/ @grafana/dataviz-squad
 /packages/grafana-data/src/monaco/ @grafana/partner-datasources
 /packages/grafana-data/src/panel/ @grafana/dashboards-squad
-/packages/grafana-data/src/panel/suggestions/ @grafana/dataviz-squad
 /packages/grafana-data/src/query/ @grafana/grafana-datasources-core-services
 /packages/grafana-data/src/rbac/ @grafana/access-squad
 /packages/grafana-data/src/table/ @grafana/dataviz-squad
@@ -561,8 +556,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-data/src/themes/ @grafana/grafana-frontend-platform
 /packages/grafana-data/src/transformations/ @grafana/datapro
 /packages/grafana-data/src/types/ @grafana/grafana-frontend-platform
-/packages/grafana-data/src/types/scopes.ts @grafana/grafana-operator-experience-squad
-/packages/grafana-data/src/types/suggestions.ts @grafana/dataviz-squad
 /packages/grafana-data/src/utils/__snapshots__/ @grafanabot
 /packages/grafana-data/src/utils/anyToNumber.ts @grafana/grafana-frontend-platform
 /packages/grafana-data/src/utils/arrayUtils* @grafana/grafana-frontend-platform
@@ -615,7 +608,7 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-o11y-ds-frontend/ @grafana/observability-logs
 /packages/grafana-o11y-ds-frontend/src/IntervalInput/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/NodeGraph/ @grafana/observability-traces-and-profiling
-/packages/grafana-o11y-ds-frontend/src/pyroscope/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
+/packages/grafana-o11y-ds-frontend/src/pyroscope/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/SpanBar/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/TraceToLogs/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/TraceToMetrics/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
@@ -636,7 +629,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-runtime/rollup.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-runtime/src/index.ts @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
 /packages/grafana-runtime/src/internal/index.ts @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
-/packages/grafana-runtime/src/internal/openFeature @grafana/grafana-frontend-platform
 /packages/grafana-runtime/src/unstable.ts @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
 /packages/grafana-runtime/tsconfig.build.json @grafana/grafana-frontend-platform
 /packages/grafana-runtime/tsconfig.json @grafana/grafana-frontend-platform
@@ -691,9 +683,10 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-schema/src/**/gauge @grafana/dataviz-squad
 /packages/grafana-schema/src/**/geomap @grafana/dataviz-squad
 /packages/grafana-schema/src/**/googlecloudmonitoring @grafana/partner-datasources
-/packages/grafana-schema/src/**/grafanapyroscope @grafana/oss-big-tent
+/packages/grafana-schema/src/**/grafanapyroscope @grafana/observability-traces-and-profiling
 /packages/grafana-schema/src/**/heatmap @grafana/dataviz-squad
 /packages/grafana-schema/src/**/histogram @grafana/dataviz-squad
+/packages/grafana-schema/src/**/librarypanel @grafana/sharing-squad
 /packages/grafana-schema/src/**/logs @grafana/observability-logs
 /packages/grafana-schema/src/**/logsnew @grafana/observability-logs
 /packages/grafana-schema/src/**/loki @grafana/oss-big-tent @grafana/observability-logs
@@ -720,11 +713,10 @@ i18next.config.ts @grafana/grafana-frontend-platform
 /packages/grafana-ui/src/components/BarGauge/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/DataLinks/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/Gauge/ @grafana/dataviz-squad
-/packages/grafana-ui/src/components/RadialGauge/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/PluginSignatureBadge/ @grafana/plugins-platform-frontend
-/packages/grafana-ui/src/components/Sparkline/ @grafana/dataviz-squad
+/packages/grafana-ui/src/components/Sparkline/ @grafana/grafana-frontend-platform @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/Table/ @grafana/dataviz-squad
-/packages/grafana-ui/src/components/Table/Cells/SparklineCell.tsx @grafana/dataviz-squad
+/packages/grafana-ui/src/components/Table/Cells/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/uPlot/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/ValuePicker/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/VizLayout/ @grafana/dataviz-squad
@@ -743,18 +735,6 @@ i18next.config.ts @grafana/grafana-frontend-platform
 # @grafana/test-utils
 /packages/grafana-test-utils @grafana/grafana-frontend-platform
 
-# @grafana/api-clients
-/packages/grafana-api-clients/ @grafana/grafana-frontend-platform @grafana/grafana-search-navigate-organise
-/packages/grafana-api-clients/src/clients/rtkq/advisor/ @grafana/plugins-platform-frontend
-/packages/grafana-api-clients/src/clients/rtkq/correlations/ @grafana/datapro
-/packages/grafana-api-clients/src/clients/rtkq/dashboard/ @grafana/dashboards-squad
-/packages/grafana-api-clients/src/clients/rtkq/folder/ @grafana/grafana-search-navigate-organise
-/packages/grafana-api-clients/src/clients/rtkq/iam/ @grafana/access-squad @grafana/identity-squad
-/packages/grafana-api-clients/src/clients/rtkq/logsdrilldown/ @grafana/observability-logs
-/packages/grafana-api-clients/src/clients/rtkq/preferences/ @grafana/plugins-platform-frontend
-/packages/grafana-api-clients/src/clients/rtkq/provisioning/ @grafana/grafana-git-ui-sync-team
-/packages/grafana-api-clients/src/clients/rtkq/shorturl/ @grafana/sharing-squad
-
 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
 /package.json @grafana/frontend-ops
@@ -805,7 +785,7 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/core/components/ColorScale/ @grafana/dataviz-squad
 /public/app/core/components/DynamicImports/ @grafana/grafana-search-navigate-organise
 /public/app/core/components/EmptyListCTA/ @grafana/grafana-frontend-platform
-/public/app/core/components/FolderFilter/ @grafana/grafana-search-navigate-organise
+/public/app/core/components/FolderFilter/ @grafana/sharing-squad
 /public/app/core/components/Footer/ @grafana/grafana-search-navigate-organise
 /public/app/core/components/ForgottenPassword/ @grafana/grafana-search-navigate-organise
 /public/app/core/components/Form/ @grafana/grafana-frontend-platform
@@ -847,6 +827,7 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/core/constants.ts @grafana/grafana-frontend-platform
 /public/app/core/context/ @grafana/grafana-frontend-platform
 /public/app/core/copy/appNotification.ts @grafana/grafana-search-navigate-organise
+/public/app/core/core.ts @grafana/grafana-frontend-platform
 /public/app/core/crash/ @grafana/observability-traces-and-profiling
 /public/app/core/history/ @grafana/observability-traces-and-profiling
 /public/app/core/hooks/useBusEvent.ts @grafana/grafana-frontend-platform
@@ -894,7 +875,6 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/core/utils/accessControl.ts @grafana/identity-access-team
 /public/app/core/utils/applyStateChanges.ts @grafana/dashboards-squad
 /public/app/core/utils/arrayMove.ts @grafana/grafana-frontend-platform
-/public/app/core/utils/isFrontendService.ts @grafana/grafana-frontend-platform
 /public/app/core/utils/auth.ts @grafana/identity-access-team
 /public/app/core/utils/browser* @grafana/grafana-frontend-platform
 /public/app/core/utils/colors.ts @grafana/grafana-frontend-platform
@@ -948,14 +928,12 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
 /public/app/features/logs/ @grafana/observability-logs
 /public/app/features/live/ @grafana/dashboards-squad
-/public/app/features/stars/ @grafana/grafana-search-navigate-organise
 /public/app/features/apiserver/ @grafana/grafana-app-platform-squad
 /public/app/features/manage-dashboards/ @grafana/dashboards-squad
 /public/app/features/migrate-to-cloud @grafana/grafana-operator-experience-squad
 /public/app/features/notifications/ @grafana/grafana-search-navigate-organise
 /public/app/features/org/ @grafana/grafana-search-navigate-organise
 /public/app/features/panel/ @grafana/dashboards-squad
-/public/app/features/panel/suggestions/ @grafana/dataviz-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
 /public/app/features/profile/ @grafana/grafana-frontend-platform
@@ -967,14 +945,13 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/features/serviceaccounts/ @grafana/identity-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
-/public/app/features/theme-playground/ @grafana/grafana-frontend-platform
 /public/app/features/trails/ @grafana/observability-metrics
 /public/app/features/transformers/ @grafana/datapro
 /public/app/features/transformers/timeSeriesTable/ @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
+/public/app/features/preferences/ @grafana/grafana-frontend-platform
 /public/app/features/bookmarks/ @grafana/grafana-search-navigate-organise
-/public/app/plugins/panel/* @grafana/dataviz-squad
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
 /public/app/plugins/panel/annolist/ @grafana/dashboards-squad
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
@@ -994,7 +971,7 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /public/app/plugins/panel/state-timeline/ @grafana/dataviz-squad
 /public/app/plugins/panel/status-history/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/ @grafana/dataviz-squad
-/public/app/plugins/panel/table/cells/SparklineCellOptionsEditor.tsx @grafana/dataviz-squad
+/public/app/plugins/panel/table/cells/SparklineCellOptionsEditor.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /public/app/plugins/panel/timeseries/ @grafana/dataviz-squad
 /public/app/plugins/panel/trend/ @grafana/dataviz-squad
 /public/app/plugins/panel/geomap/ @grafana/dataviz-squad
@@ -1068,14 +1045,13 @@ playwright.storybook.config.ts @grafana/grafana-frontend-platform
 /scripts/trigger_windows_build.sh @grafana/grafana-developer-enablement-squad
 /scripts/cleanup-husky.sh @grafana/frontend-ops
 /scripts/verify-repo-update/ @grafana/grafana-developer-enablement-squad
+/scripts/generate-rtk-apis.ts @grafana/grafana-frontend-platform
+/scripts/process-specs.ts @grafana/grafana-frontend-platform
 /scripts/generate-alerting-rtk-apis.ts @grafana/alerting-frontend
 /scripts/levitate-parse-json-report.js @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
 /scripts/codemods/explicit-barrel-imports.cjs @grafana/frontend-ops
-
-/scripts/codeowners-manifest/ @grafana/dataviz-squad
-/scripts/test-coverage-by-codeowner.js @grafana/dataviz-squad
-/jest.config.codeowner.js @grafana/dataviz-squad
+/scripts/rtk-client-generator/ @grafana/grafana-search-navigate-organise
 
 /scripts/**/generate-transformations* @grafana/datapro
 /scripts/webpack/ @grafana/frontend-ops
@@ -1104,15 +1080,14 @@ eslint-suppressions.json @grafanabot
 /public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources
 /public/app/plugins/datasource/zipkin/ @grafana/oss-big-tent
-/public/app/plugins/datasource/tempo/ @grafana/oss-big-tent
-/public/app/plugins/datasource/grafana-pyroscope-datasource/ @grafana/oss-big-tent
+/public/app/plugins/datasource/tempo/ @grafana/oss-big-tent @grafana/observability-traces-and-profiling
+/public/app/plugins/datasource/grafana-pyroscope-datasource/ @grafana/observability-traces-and-profiling
 /public/app/plugins/datasource/parca/ @grafana/oss-big-tent
 /public/app/plugins/datasource/alertmanager/ @grafana/alerting-squad
 
 # Grafana Sharing Squad
 /public/app/features/dashboard-scene/sharing/ @grafana/sharing-squad
 /public/app/features/dashboard/components/ShareModal/ @grafana/sharing-squad
-/public/app/features/dashboard/dashgrid/DashboardLibrary/ @grafana/sharing-squad
 /public/app/features/manage-dashboards/components/SnapshotListTable.tsx @grafana/sharing-squad
 /pkg/services/dashboardsnapshots/ @grafana/sharing-squad
 /public/app/features/explore/QueryLibrary/ @grafana/sharing-squad
@@ -1183,7 +1158,6 @@ embed.go @grafana/grafana-as-code
 /pkg/registry/ @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
 /pkg/registry/apis/folders @grafana/grafana-search-and-storage
-/pkg/registry/apis/datasource @grafana/grafana-datasources-core-services
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
 /pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
@@ -1287,7 +1261,6 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/changelog.yml @zserge
 /.github/workflows/shellcheck.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-build.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/cleanup-branches.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-artifact.yml @grafana/grafana-developer-enablement-squad
 /.github/actions/changelog @zserge
 /.github/workflows/swagger-gen.yml @grafana/grafana-backend-group
@@ -1297,15 +1270,10 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
 /.github/workflows/frontend-perf-tests.yaml @grafana/grafana-frontend-platform
-/.github/workflows/release-npm.yml @grafana/grafana-frontend-platform
-/.github/workflows/scripts/determine-npm-tag.sh @grafana/grafana-frontend-platform
-/.github/workflows/scripts/validate-commit-in-head.sh @grafana/grafana-frontend-platform
 /.github/zizmor.yml @grafana/grafana-developer-enablement-squad
 /.github/license_finder.yaml @bergquist
 /.github/actionlint.yaml @grafana/grafana-developer-enablement-squad
 /.github/workflows/pr-test-docker.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/update-schema-types.yml @grafana/plugins-platform-frontend
-/.github/workflows/defaults-ini-docs-reminder.yml @grafana/docs-tooling @jtvdez
 
 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot

.github/actions/change-detection/action.yml

@@ -31,9 +31,6 @@ outputs:
   dockerfile:
     description: Whether the dockerfile or self have changed in any way
     value: ${{ steps.changed-files.outputs.dockerfile_any_changed || 'true' }}
-  devenv:
-    description: Whether the devenv or self have changed in any way
-    value: ${{ steps.changed-files.outputs.devenv_any_changed || 'true' }}
 runs:
   using: composite
   steps:
@@ -139,9 +136,6 @@ runs:
             - '.vale.ini'
             - '.github/actions/change-detection/**'
             - '${{ inputs.self }}'
-          devenv:
-            - 'devenv/**'
-            - '${{ inputs.self }}'
     - name: Print all change groups
       shell: bash
       run: |
@@ -163,5 +157,3 @@ runs:
         echo " --> ${{ steps.changed-files.outputs.docs_all_changed_files }}"
         echo "Dockerfile: ${{ steps.changed-files.outputs.dockerfile_any_changed || 'true' }}"
         echo " --> ${{ steps.changed-files.outputs.dockerfile_all_changed_files }}"
-        echo "devenv: ${{ steps.changed-files.outputs.devenv_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.devenv_all_changed_files }}"

.github/actions/setup-enterprise/action.yml

@@ -33,48 +33,16 @@ runs:
       env:
         GH_TOKEN: ${{ steps.generate_token.outputs.token }}
       run: |
-        RETRIES="5"
-
-        for i in $(seq 1 $RETRIES); do
-          echo "Attempt $i to clone..."
-
-          if git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise; then
-            echo "Clone succeeded on attempt $i"
-            break
-          fi
-
-          if [ $i -eq $RETRIES ]; then
-            echo "Clone failed after $RETRIES attempts, failing pipeline."
-            exit 1
-          fi
-
-          sleep "$i"
-        done
+        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
 
         cd ../grafana-enterprise
 
-        for i in $(seq 1 $RETRIES); do
-          echo "Attempt $i to checkout..."
-
-          if git checkout ${GITHUB_HEAD_REF}; then
-            echo "checked out ${GITHUB_HEAD_REF}"
-          elif git checkout ${GITHUB_BASE_REF}; then
-            echo "checked out ${GITHUB_BASE_REF}"
-          else
-            git checkout main
-          fi
-
-          if [ $? -eq 0 ]; then
-            echo "Checkout succeeded, breaking retry loop"
-            break
-          fi
-
-          if [ $i -eq $RETRIES ]; then
-            echo "Checkout failed after $RETRIES attempts, failing pipeline."
-            exit 1
-          fi
-
-          sleep "$i"
-        done
+        if git checkout ${GITHUB_HEAD_REF}; then
+          echo "checked out ${GITHUB_HEAD_REF}"
+        elif git checkout ${GITHUB_BASE_REF}; then
+          echo "checked out ${GITHUB_BASE_REF}"
+        else
+          git checkout main
+        fi
 
         QUIET=1 ./build.sh

.github/commands.json

@@ -144,7 +144,7 @@
     "name": "datasource/grafana-pyroscope",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/457"
+      "url": "https://github.com/orgs/grafana/projects/221"
     }
   },
   {

.github/dependabot.yml

@@ -1,65 +1,32 @@
 version: 2
 updates:
   - package-ecosystem: "github-actions"
-    commit-message:
-      prefix: deps(actions)
     directory: "/"
     schedule:
       interval: "daily"
   - package-ecosystem: "gomod"
-    commit-message:
-      prefix: deps(go)
     directories:
       - "/"
-      - "/apps/advisor"
-      - "/apps/alerting/alertenrichment"
-      - "/apps/alerting/notifications"
-      - "/apps/alerting/rules"
-      - "/apps/correlations"
-      - "/apps/dashboard"
-      - "/apps/folder"
-      - "/apps/iam"
-      - "/apps/investigations"
       - "/apps/playlist"
-      - "/apps/plugins"
-      - "/apps/preferences"
-      - "/apps/provisioning"
-      - "/apps/scope"
       - "/apps/secret"
-      - "/apps/shorturl"
-      - "/hack"
+      - "/apps/investigations"
       - "/pkg/aggregator"
       - "/pkg/apimachinery"
+      - "/pkg/apis/folder"
       - "/pkg/apiserver"
       - "/pkg/build"
       - "/pkg/build/wire"
-      - "/pkg/codegen"
-      - "/pkg/plugins/codegen"
       - "/pkg/promlib"
       - "/pkg/semconv"
+      - "/pkg/storage/unified/apistore"
+      - "/pkg/storage/unified/resource"
       - "/pkg/util/xorm"
-      - "/scripts/go-workspace"
-      - "/scripts/modowners"
     schedule:
       interval: "daily"
       time: "02:00"
       timezone: Etc/UTC
-    open-pull-requests-limit: 20
-    # group some updates together for easier review
-    groups:
-      go.opentelemetry.io:
-        patterns:
-          - "go.opentelemetry.io/*"
-      k8s.io:
-        patterns:
-          - "k8s.io/*"
-      aws-sdk-go:
-        patterns:
-          - "github.com/aws/aws-sdk-go*"
-          - "github.com/aws/smithy-go"
+    open-pull-requests-limit: 10
   - package-ecosystem: "docker"
-    commit-message:
-      prefix: deps(docker)
     directories:
       - "/"
       - "/packaging/docker/custom"
@@ -68,4 +35,4 @@ updates:
       interval: "daily"
       time: "02:00"
       timezone: Etc/UTC
-    open-pull-requests-limit: 20
+    open-pull-requests-limit: 10

.github/renovate.json5

@@ -1,9 +1,6 @@
 {
   extends: ["config:recommended"],
-  enabledManagers: ["npm", "docker-compose"],
-  ignorePresets: [
-    "github>grafana/grafana-renovate-config//presets/labels",
-  ],
+  enabledManagers: ["npm"],
   ignoreDeps: [
     // ignoring these until we can upgrade to react 19
     // see epic here: https://github.com/grafana/grafana/issues/98813
@@ -26,7 +23,7 @@
     "@types/slate-react", // we don't want to continue using this on the long run, use Monaco editor instead of Slate
     "@types/slate", // we don't want to continue using this on the long run, use Monaco editor instead of Slate
   ],
-  includePaths: ["package.json", "packages/**", "public/app/plugins/**", "devenv/frontend-service/docker-compose.yaml"],
+  includePaths: ["package.json", "packages/**", "public/app/plugins/**"],
   ignorePaths: ["emails/**", "**/mocks/**"],
   labels: ["area/frontend", "dependencies", "no-changelog"],
   postUpdateOptions: ["yarnDedupeHighest"],

.github/workflows/actionlint.yml

@@ -0,0 +1,60 @@
+# This workflow depends on the ./actionlint-format.txt file. It is MIT licensed (thanks, rhysd!): https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
+name: Actionlint
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  run-actionlint:
+    name: Lint GitHub Actions files
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # to check out the code
+      actions: read # to read the workflow files
+      security-events: write # for uploading the SARIF report
+
+    env:
+      ACTIONLINT_VERSION: 1.7.7
+      # curl -LXGET https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt | grep linux_amd64
+      CHECKSUM: 023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      # GitHub Actions only runs x86_64. This will break if that assumption changes.
+      - name: Download Actionlint
+        run: |
+          set -euo pipefail
+          curl -OLXGET https://github.com/rhysd/actionlint/releases/download/v"${ACTIONLINT_VERSION}"/actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
+          echo "${CHECKSUM}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzf actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
+          test -f actionlint
+          chmod +x actionlint
+
+      - name: Run Actionlint
+        run: ./actionlint -format "$(cat .github/workflows/actionlint-format.txt)" | tee results.sarif
+
+      - name: Upload to GitHub security events
+        if: success() || failure()
+        # If there are security problems, GitHub will automatically comment on the PR for us.
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          sarif_file: results.sarif
+          category: actionlint

.github/workflows/actionlint.yml.disabled

@@ -1,60 +0,0 @@
-# This workflow depends on the ./actionlint-format.txt file. It is MIT licensed (thanks, rhysd!): https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
-name: Actionlint
-
-on:
-  push:
-    branches:
-      - main
-      - release-*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-jobs:
-  run-actionlint:
-    name: Lint GitHub Actions files
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # to check out the code
-      actions: read # to read the workflow files
-      security-events: write # for uploading the SARIF report
-
-    env:
-      ACTIONLINT_VERSION: 1.7.7
-      # curl -LXGET https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt | grep linux_amd64
-      CHECKSUM: 023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
-        with:
-          persist-credentials: false
-
-      # GitHub Actions only runs x86_64. This will break if that assumption changes.
-      - name: Download Actionlint
-        run: |
-          set -euo pipefail
-          curl -OLXGET https://github.com/rhysd/actionlint/releases/download/v"${ACTIONLINT_VERSION}"/actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          echo "${CHECKSUM}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
-          tar xzf actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          test -f actionlint
-          chmod +x actionlint
-
-      - name: Run Actionlint
-        run: ./actionlint -format "$(cat .github/workflows/actionlint-format.txt)" | tee results.sarif
-
-      - name: Upload to GitHub security events
-        if: success() || failure()
-        # If there are security problems, GitHub will automatically comment on the PR for us.
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
-        with:
-          sarif_file: results.sarif
-          category: actionlint

.github/workflows/alerting-swagger-gen.yml

@@ -0,0 +1,37 @@
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 1'
+
+jobs:
+  gen-swagger:
+    name: Alerting Swagger spec generation cron job
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+          persist-credentials: false
+      - name: Set go version
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+        with:
+          go-version-file: go.mod
+      - name: Build swagger
+        run: |
+          make -C pkg/services/ngalert/api/tooling post.json api.json
+      - name: Open Pull Request
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore: update alerting swagger spec"
+          title: "Alerting: Update Swagger spec"
+          body: |
+            This is an automated pull request to update the alerting swagger spec.
+            Please review and merge.
+          branch: update-alerting-swagger-spec
+          delete-branch: true
+          labels: 'area/alerting,type/docs,no-changelog'
+          team-reviewers: 'grafana/alerting-backend'
+          draft: false

.github/workflows/alerting-swagger-gen.yml.disabled

@@ -1,37 +0,0 @@
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * 1'
-
-jobs:
-  gen-swagger:
-    name: Alerting Swagger spec generation cron job
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 2
-          persist-credentials: false
-      - name: Set go version
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
-        with:
-          go-version-file: go.mod
-      - name: Build swagger
-        run: |
-          make -C pkg/services/ngalert/api/tooling post.json api.json
-      - name: Open Pull Request
-        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "chore: update alerting swagger spec"
-          title: "Alerting: Update Swagger spec"
-          body: |
-            This is an automated pull request to update the alerting swagger spec.
-            Please review and merge.
-          branch: update-alerting-swagger-spec
-          delete-branch: true
-          labels: 'area/alerting,type/docs,no-changelog'
-          team-reviewers: 'grafana/alerting-backend'
-          draft: false

.github/workflows/alerting-update-module.yml

@@ -0,0 +1,160 @@
+name: Update Alerting Module
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-grafana:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4 # 4.2.2
+        with:
+          persist-credentials: false
+      - name: Check if update branch exists
+        run: |
+          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
+            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
+            echo "Please review and merge/close the existing PR before running this workflow again."
+            exit 1
+          fi
+
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # 5.5.0
+        with:
+          "go-version-file": "go.mod"
+
+      - name: Extract current commit hash of alerting module
+        id: current-commit
+        run: |
+          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
+          echo "from_commit=$FROM_COMMIT" >> "$GITHUB_OUTPUT"
+
+      - name: Get current branch name
+        id: current-branch-name
+        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+
+      - name: Get latest commit
+        id: latest-commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+          BRANCH: ${{ steps.current-branch-name.outputs.name }}
+        run: |
+          TO_COMMIT="$(gh api repos/grafana/alerting/commits/"$BRANCH" --jq '.sha')"
+           if [ -z "$TO_COMMIT" ]; then
+            echo "Branch $BRANCH not found in alerting repo"
+            exit 1
+          fi
+          echo "to_commit=$TO_COMMIT" >> "$GITHUB_OUTPUT"
+
+      - name: Compare commit hashes
+        run: |
+          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
+          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
+          
+          # Compare just the length of the shorter hash
+          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
+          
+          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
+            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
+            exit 0
+          fi
+          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
+
+      - name: Check for commit history
+        id: check-commits
+        env:
+          GH_TOKEN: ${{ github.token }}
+          FROM_COMMIT: ${{ steps.current-commit.outputs.from_commit }}
+          TO_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
+        run: |
+          # get all commits that contains 'Alerting:' in the message
+          ALERTING_COMMITS="$(gh api repos/grafana/alerting/compare/"$FROM_COMMIT"..."$TO_COMMIT" \
+            --jq '.commits[].commit.message | split("\n")[0]')" || true
+
+          # Use printf instead of echo -e for better multiline handling
+          printf "%s\n" "$ALERTING_COMMITS"
+
+          # make the list for markdown and replace PR numbers with links
+          ALERTING_COMMITS_FORMATTED="$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/alerting\/pull\/\1)/g'; done)"
+
+          {
+            echo "alerting_commits<<EOF"
+            echo "$ALERTING_COMMITS_FORMATTED"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Update alerting module
+        env:
+          GOSUMDB: off
+          PINNED_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
+        run: |
+          go get github.com/grafana/alerting@"$PINNED_COMMIT"
+          make update-workspace
+
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=alerting-team:app-id
+            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
+
+      - name: "Generate token"
+        id: generate_token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
+        id: create-pr
+        with:
+          token: '${{ steps.generate_token.outputs.token }}'
+          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
+          branch: alerting/update-alerting-module
+          delete-branch: true
+          labels: |
+            no-changelog
+            no-backport
+          body: |
+            Updates Grafana Alerting module to latest version.
+
+            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
+            <details>
+            <summary>Commits</summary>
+
+            ${{ steps.check-commits.outputs.alerting_commits }}
+
+            </details>
+
+            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+      - name: Add PR URL to Summary
+        if: steps.create-pr.outputs.pull-request-url != ''
+        env:
+          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
+        run: |
+          {
+            echo "## Pull Request Created"
+            echo "🔗 [View Pull Request]($PR_URL)"
+          } >> "$GITHUB_STEP_SUMMARY"
+      - name: Send Slack Message
+        uses: grafana/shared-workflows/actions/send-slack-message@send-slack-message/v2.0.3
+        with:
+          method: 'chat.postMessage'
+          # send to alerting-reviews channel
+          payload-templated: true
+          payload:  |
+            {
+              "channel": "C076RNRRZ2N",
+              "text": "Update alerting module in Grafana ${{ steps.create-pr.outputs.pull-request-url }}"
+            }

.github/workflows/alerting-update-module.yml.disabled

@@ -1,160 +0,0 @@
-name: Update Alerting Module
-
-on:
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  update-grafana:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Check if update branch exists
-        run: |
-          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
-            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
-            echo "Please review and merge/close the existing PR before running this workflow again."
-            exit 1
-          fi
-
-      - name: Setup Go
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # 6.0.0
-        with:
-          "go-version-file": "go.mod"
-
-      - name: Extract current commit hash of alerting module
-        id: current-commit
-        run: |
-          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
-          echo "from_commit=$FROM_COMMIT" >> "$GITHUB_OUTPUT"
-
-      - name: Get current branch name
-        id: current-branch-name
-        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
-
-      - name: Get latest commit
-        id: latest-commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-          BRANCH: ${{ steps.current-branch-name.outputs.name }}
-        run: |
-          TO_COMMIT="$(gh api repos/grafana/alerting/commits/"$BRANCH" --jq '.sha')"
-           if [ -z "$TO_COMMIT" ]; then
-            echo "Branch $BRANCH not found in alerting repo"
-            exit 1
-          fi
-          echo "to_commit=$TO_COMMIT" >> "$GITHUB_OUTPUT"
-
-      - name: Compare commit hashes
-        run: |
-          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
-          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
-
-          # Compare just the length of the shorter hash
-          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
-
-          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
-            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
-            exit 0
-          fi
-          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
-
-      - name: Check for commit history
-        id: check-commits
-        env:
-          GH_TOKEN: ${{ github.token }}
-          FROM_COMMIT: ${{ steps.current-commit.outputs.from_commit }}
-          TO_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
-        run: |
-          # get all commits that contains 'Alerting:' in the message
-          ALERTING_COMMITS="$(gh api repos/grafana/alerting/compare/"$FROM_COMMIT"..."$TO_COMMIT" \
-            --jq '.commits[].commit.message | split("\n")[0]')" || true
-
-          # Use printf instead of echo -e for better multiline handling
-          printf "%s\n" "$ALERTING_COMMITS"
-
-          # make the list for markdown and replace PR numbers with links
-          ALERTING_COMMITS_FORMATTED="$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/alerting\/pull\/\1)/g'; done)"
-
-          {
-            echo "alerting_commits<<EOF"
-            echo "$ALERTING_COMMITS_FORMATTED"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Update alerting module
-        env:
-          GOSUMDB: off
-          PINNED_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
-        run: |
-          go get github.com/grafana/alerting@"$PINNED_COMMIT"
-          make update-workspace
-
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          repo_secrets: |
-            GITHUB_APP_ID=alerting-team:app-id
-            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
-
-      - name: "Generate token"
-        id: generate_token
-        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
-        id: create-pr
-        with:
-          token: '${{ steps.generate_token.outputs.token }}'
-          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
-          branch: alerting/update-alerting-module
-          delete-branch: true
-          labels: |
-            no-changelog
-            no-backport
-          body: |
-            Updates Grafana Alerting module to latest version.
-
-            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
-            <details>
-            <summary>Commits</summary>
-
-            ${{ steps.check-commits.outputs.alerting_commits }}
-
-            </details>
-
-            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
-      - name: Add PR URL to Summary
-        if: steps.create-pr.outputs.pull-request-url != ''
-        env:
-          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
-        run: |
-          {
-            echo "## Pull Request Created"
-            echo "🔗 [View Pull Request]($PR_URL)"
-          } >> "$GITHUB_STEP_SUMMARY"
-      - name: Send Slack Message
-        uses: grafana/shared-workflows/actions/send-slack-message@send-slack-message/v2.0.4
-        with:
-          method: 'chat.postMessage'
-          # send to alerting-reviews channel
-          payload-templated: true
-          payload:  |
-            {
-              "channel": "C076RNRRZ2N",
-              "text": "Update alerting module in Grafana ${{ steps.create-pr.outputs.pull-request-url }}"
-            }

.github/workflows/analytics-events-report.yml

@@ -0,0 +1,29 @@
+name: Analytics Events Report
+
+on:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  generate-report:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Generate analytics report
+        run: yarn analytics-report

.github/workflows/analytics-events-report.yml.disabled

@@ -1,29 +0,0 @@
-name: Analytics Events Report
-
-on:
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  generate-report:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
-
-      - name: Generate analytics report
-        run: yarn analytics-report

.github/workflows/backend-code-checks.yml

@@ -0,0 +1,92 @@
+name: Backend Code Checks
+
+on:
+  pull_request:
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+
+jobs:
+  detect-changes:
+    name: Detect whether code changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.detect-changes.outputs.backend }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true # required to get more history in the changed-files action
+          fetch-depth: 2
+      - name: Detect changes
+        id: detect-changes
+        uses: ./.github/actions/change-detection
+        with:
+          self: .github/workflows/backend-code-checks.yml
+
+  validate-configs:
+    permissions:
+      contents: read
+      id-token: write
+    needs: detect-changes
+    if: needs.detect-changes.outputs.changed == 'true'
+    name: Validate Backend Configs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5.5.0
+        with:
+          # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
+          # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
+          # This ensures the GHAs environment matches what we use in the Drone pipeline
+          go-version: 1.24.1
+          cache: true
+
+      - name: Verify code generation
+        run: |
+          CODEGEN_VERIFY=1 make gen-cue
+          CODEGEN_VERIFY=1 make gen-jsonnet
+
+      - name: Validate go.mod
+        run: go run scripts/modowners/modowners.go check go.mod
+
+      # Enterprise setup is needed for complete OpenAPI spec generation
+      # We only do this for internal PRs
+      - name: Setup Grafana Enterprise
+        if: github.event.pull_request.head.repo.fork == false
+        uses: ./.github/actions/setup-enterprise
+
+      - name: Generate and Validate OpenAPI Specs
+        run: |
+          # For PRs from forks, we'll just run the basic swagger-gen without validation
+          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            echo "PR is from a fork, skipping enterprise-based validation"
+            make swagger-gen
+            exit 0
+          fi
+
+          # Clean and regenerate OpenAPI specs
+          make swagger-clean && make openapi3-gen
+
+          # Check if the generated specs differ from what's in the repository
+          for f in public/api-merged.json public/openapi3.json; do git add $f; done
+          if [ -z "$(git diff --name-only --cached)" ]; then
+            echo "OpenAPI specs are up to date!"
+          else
+            echo "OpenAPI specs are OUT OF DATE!"
+            git diff --cached
+            echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
+            exit 1
+          fi

.github/workflows/backend-code-checks.yml.disabled

@@ -1,90 +0,0 @@
-name: Backend Code Checks
-
-on:
-  pull_request:
-    paths-ignore:
-      - '*.md'
-      - 'docs/**'
-      - 'latest.json'
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - '*.md'
-      - 'docs/**'
-      - 'latest.json'
-
-jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.backend }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/backend-code-checks.yml
-
-  validate-configs:
-    permissions:
-      contents: read
-      id-token: write
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
-    name: Validate Backend Configs
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: go.mod
-          cache: true
-
-      - name: Verify code generation
-        run: |
-          CODEGEN_VERIFY=1 make gen-cue
-          CODEGEN_VERIFY=1 make gen-jsonnet
-          CODEGEN_VERIFY=1 make gen-apps
-
-      - name: Validate go.mod
-        run: go run scripts/modowners/modowners.go check go.mod
-
-      # Enterprise setup is needed for complete OpenAPI spec generation
-      # We only do this for internal PRs
-      - name: Setup Grafana Enterprise
-        if: github.event.pull_request.head.repo.fork == false
-        uses: ./.github/actions/setup-enterprise
-
-      - name: Generate and Validate OpenAPI Specs
-        run: |
-          # For PRs from forks, we'll just run the basic swagger-gen without validation
-          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
-            echo "PR is from a fork, skipping enterprise-based validation"
-            make swagger-gen
-            exit 0
-          fi
-
-          # Clean and regenerate OpenAPI specs
-          make swagger-clean && make openapi3-gen
-
-          # Check if the generated specs differ from what's in the repository
-          for f in public/api-merged.json public/openapi3.json public/api-enterprise-spec.json; do git add $f; done
-          if [ -z "$(git diff --name-only --cached)" ]; then
-            echo "OpenAPI specs are up to date!"
-          else
-            echo "OpenAPI specs are OUT OF DATE!"
-            git diff --cached
-            echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
-            exit 1
-          fi

.github/workflows/backend-unit-tests.yml

@@ -0,0 +1,148 @@
+name: Backend Unit Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+permissions: {}
+
+jobs:
+  detect-changes:
+    name: Detect whether code changed
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.detect-changes.outputs.backend }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true # required to get more history in the changed-files action
+          fetch-depth: 2
+      - name: Detect changes
+        id: detect-changes
+        uses: ./.github/actions/change-detection
+        with:
+          self: .github/workflows/backend-unit-tests.yml
+
+  grafana:
+    # Run this workflow only for PRs from forks
+    # the `pr-backend-unit-tests-enterprise` workflow will run instead
+    needs: detect-changes
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    strategy:
+      matrix:
+        shard: [
+          1/8, 2/8, 3/8, 4/8,
+          5/8, 6/8, 7/8, 8/8,
+        ]
+      fail-fast: false
+
+    name: Grafana (${{ matrix.shard }})
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5.5.0
+        with:
+          go-version-file: go.mod
+      - name: Run unit tests
+        env:
+          SHARD: ${{ matrix.shard }}
+        run: |
+          set -euo pipefail
+          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
+          CGO_ENABLED=0 go test -short -timeout=30m "${PACKAGES[@]}"
+
+  grafana-enterprise:
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    needs: detect-changes
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    strategy:
+      matrix:
+        shard: [
+          1/8, 2/8, 3/8, 4/8,
+          5/8, 6/8, 7/8, 8/8,
+        ]
+      fail-fast: false
+
+    name: Grafana Enterprise (${{ matrix.shard }})
+    runs-on: ubuntu-x64-large
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      # Set up repository clone
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5.5.0
+        with:
+          go-version-file: go.mod
+      - name: Setup Enterprise
+        uses: ./.github/actions/setup-enterprise
+        with:
+          github-app-name: 'grafana-ci-bot'
+
+      # Prepare what we need to upload test results
+      - run: echo "RESULTS_FILE=$(date --rfc-3339=seconds --utc | sed -s 's/ /-/g')_${SHARD/\//_}.xml" >> "$GITHUB_ENV"
+        env:
+          SHARD: ${{ matrix.shard }}
+      - run: go install github.com/jstemmer/go-junit-report/v2@85bf4716ac1f025f2925510a9f5e9f5bb347c009
+
+      # Run code
+      - name: Run unit tests
+        env:
+          SHARD: ${{ matrix.shard }}
+        run: |
+          set -euo pipefail
+
+          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
+          # This tee requires pipefail to be set, otherwise `go test`'s exit code is thrown away.
+          # That means having no `-o pipefail` => failing tests => exit code 0, which is wrong.
+          CGO_ENABLED=0 go test -short -timeout=30m "${PACKAGES[@]}"
+
+  # This is the job that is actually required by rulesets.
+  # We need to require EITHER the OSS or the Enterprise job to pass.
+  # However, if one is skipped, GitHub won't flat-map the shards,
+  #   so they won't be accepted by a ruleset.
+  required-backend-unit-tests:
+    needs:
+      - grafana
+      - grafana-enterprise
+    # always() is the best function here.
+    # success() || failure() will skip this function if any need is also skipped.
+    # That means conditional test suites will fail the entire requirement check.
+    if: always()
+
+    name: All backend unit tests complete
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check test suites
+        env:
+          NEEDS: ${{ toJson(needs) }}
+        run: |
+          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
+          echo "$FAILURES"
+          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
+            exit 1
+          fi
+          echo "All OK!"

.github/workflows/backend-unit-tests.yml.disabled

@@ -1,148 +0,0 @@
-name: Backend Unit Tests
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-permissions: {}
-
-jobs:
-  detect-changes:
-    name: Detect whether code changed
-    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
-    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.backend }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/backend-unit-tests.yml
-
-  grafana:
-    # Run this workflow only for PRs from forks
-    # the `pr-backend-unit-tests-enterprise` workflow will run instead
-    needs: detect-changes
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
-    strategy:
-      matrix:
-        shard: [
-          1/8, 2/8, 3/8, 4/8,
-          5/8, 6/8, 7/8, 8/8,
-        ]
-      fail-fast: false
-
-    name: Grafana (${{ matrix.shard }})
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: go.mod
-      - name: Run unit tests
-        env:
-          SHARD: ${{ matrix.shard }}
-        run: |
-          set -euo pipefail
-          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
-          CGO_ENABLED=0 go test -short -timeout=30m "${PACKAGES[@]}"
-
-  grafana-enterprise:
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    needs: detect-changes
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
-    strategy:
-      matrix:
-        shard: [
-          1/8, 2/8, 3/8, 4/8,
-          5/8, 6/8, 7/8, 8/8,
-        ]
-      fail-fast: false
-
-    name: Grafana Enterprise (${{ matrix.shard }})
-    runs-on: ubuntu-x64-large
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      # Set up repository clone
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: go.mod
-      - name: Setup Enterprise
-        uses: ./.github/actions/setup-enterprise
-        with:
-          github-app-name: 'grafana-ci-bot'
-
-      # Prepare what we need to upload test results
-      - run: echo "RESULTS_FILE=$(date --rfc-3339=seconds --utc | sed -s 's/ /-/g')_${SHARD/\//_}.xml" >> "$GITHUB_ENV"
-        env:
-          SHARD: ${{ matrix.shard }}
-      - run: go install github.com/jstemmer/go-junit-report/v2@85bf4716ac1f025f2925510a9f5e9f5bb347c009
-
-      # Run code
-      - name: Run unit tests
-        env:
-          SHARD: ${{ matrix.shard }}
-        run: |
-          set -euo pipefail
-
-          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
-          # This tee requires pipefail to be set, otherwise `go test`'s exit code is thrown away.
-          # That means having no `-o pipefail` => failing tests => exit code 0, which is wrong.
-          CGO_ENABLED=0 go test -short -timeout=30m "${PACKAGES[@]}"
-
-  # This is the job that is actually required by rulesets.
-  # We need to require EITHER the OSS or the Enterprise job to pass.
-  # However, if one is skipped, GitHub won't flat-map the shards,
-  #   so they won't be accepted by a ruleset.
-  required-backend-unit-tests:
-    needs:
-      - grafana
-      - grafana-enterprise
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All backend unit tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"

.github/workflows/backport-trigger.yml

@@ -0,0 +1,47 @@
+# We need secrets to backport, but they're not available for actions ran by forks.
+# So this workflow is used as a 'trigger', which the backport-workflow.yml will with
+# via workflow_run
+
+name: Backport (trigger)
+on:
+  pull_request:
+    types:
+      - closed
+      - labeled
+
+permissions: {}
+
+jobs:
+  trigger:
+    # Only run this job if the PR has been merged and has a label containing "backport v"
+    if: |
+      github.repository == 'grafana/grafana' &&
+      github.event.pull_request.merged == true &&
+      contains(join(github.event.pull_request.labels.*.name, ','), 'backport v')
+    runs-on: ubuntu-latest
+    steps:
+      # TODO: save this as job summary instead?
+      - name: Trigger
+        run: |
+          echo "Triggering workflow"
+          echo "See https://github.com/${{ github.repository }}/actions/workflows/workflow_run.yml for progress"
+
+      # Create a JSON artifact with details of this PR to pass to the backport workflow.
+      # The { action: 'labelled', label: 'backport-1.23.x' } can only be determined from this event payload,
+      # and is needed to do a backport after a PR has been merged
+      #
+      # Important that we don't run *anything* from the PR which could modify the backport_data.json file
+      - name: Create action data
+        run: |
+          jq '{
+            action: .action,
+            label: .label.name,
+            pr_number: .number,
+          }' "$GITHUB_EVENT_PATH" > /tmp/pr_info.json
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr_info
+          path: /tmp/pr_info.json
+          retention-days: 1

.github/workflows/backport-trigger.yml.disabled

@@ -1,47 +0,0 @@
-# We need secrets to backport, but they're not available for actions ran by forks.
-# So this workflow is used as a 'trigger', which the backport-workflow.yml will with
-# via workflow_run
-
-name: Backport (trigger)
-on:
-  pull_request:
-    types:
-      - closed
-      - labeled
-
-permissions: {}
-
-jobs:
-  trigger:
-    # Only run this job if the PR has been merged and has a label containing "backport v"
-    if: |
-      github.repository == 'grafana/grafana' &&
-      github.event.pull_request.merged == true &&
-      contains(join(github.event.pull_request.labels.*.name, ','), 'backport v')
-    runs-on: ubuntu-latest
-    steps:
-      # TODO: save this as job summary instead?
-      - name: Trigger
-        run: |
-          echo "Triggering workflow"
-          echo "See https://github.com/${{ github.repository }}/actions/workflows/workflow_run.yml for progress"
-
-      # Create a JSON artifact with details of this PR to pass to the backport workflow.
-      # The { action: 'labelled', label: 'backport-1.23.x' } can only be determined from this event payload,
-      # and is needed to do a backport after a PR has been merged
-      #
-      # Important that we don't run *anything* from the PR which could modify the backport_data.json file
-      - name: Create action data
-        run: |
-          jq '{
-            action: .action,
-            label: .label.name,
-            pr_number: .number,
-          }' "$GITHUB_EVENT_PATH" > /tmp/pr_info.json
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: pr_info
-          path: /tmp/pr_info.json
-          retention-days: 1

.github/workflows/backport-workflow.yml

@@ -0,0 +1,88 @@
+# Runs the actual backport, after being triggered by the backport-trigger.yml workflow.
+
+name: Backport (workflow)
+run-name: "Backport for ${{ github.event.workflow_run.head_branch }} #${{ github.event.workflow_run.run_number }}"
+on:
+  workflow_run: # zizmor: ignore[dangerous-triggers] backport-trigger.yml does not run any user code
+    workflows: ["Backport (trigger)"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  backport:
+    # Only run this job if the triggering workflow was not skipped (and on grafana repo)
+    if: github.event.workflow_run.head_repository.fork == false && github.repository == 'grafana/grafana' && github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      actions: read
+    steps:
+      - name: Get vault secrets
+        id: secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          export_env: false
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ fromJSON(steps.secrets.outputs.secrets).APP_PEM }}
+
+      - name: Download PR info artifact
+        uses: actions/download-artifact@v4
+        id: download-pr-info
+        with:
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+          name: pr_info
+
+      - name: Get PR info
+        id: pr-info
+        env:
+          PR_INFO_FILE: ${{ steps.download-pr-info.outputs.download-path }}/pr_info.json
+        # jq-magic to convert the JSON object into a list of key=value pairs for $GITHUB_OUTPUT
+        run:
+          jq -r 'to_entries[] | select(.value | type != "object") | "\(.key)=\(.value)"' "$PR_INFO_FILE" >> "$GITHUB_OUTPUT"
+
+      - name: Print PR info
+        env:
+          PR_ACTION: ${{ steps.pr-info.outputs.action }}
+          PR_LABEL: ${{ steps.pr-info.outputs.label }}
+          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
+        run: |
+          echo "PR action: $PR_ACTION"
+          echo "PR label: $PR_LABEL"
+          echo "PR number: $PR_NUMBER"
+
+      - name: Checkout Grafana
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 2
+          fetch-tags: false
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: true
+
+      - name: Configure git user
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local --add --bool push.autoSetupRemote true
+
+      - name: Run backport
+        uses: grafana/grafana-github-actions-go/backport@dev
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          # If triggered by being labelled, only backport that label.
+          # Otherwise, the action will backport all labels.
+          pr_label: ${{ steps.pr-info.outputs.action == 'labeled' && steps.pr-info.outputs.label || '' }}
+          pr_number: ${{ steps.pr-info.outputs.pr_number }}
+          repo_owner: ${{ github.repository_owner }}
+          repo_name: ${{ github.event.repository.name }}

.github/workflows/backport-workflow.yml.disabled

@@ -1,88 +0,0 @@
-# Runs the actual backport, after being triggered by the backport-trigger.yml workflow.
-
-name: Backport (workflow)
-run-name: "Backport for ${{ github.event.workflow_run.head_branch }} #${{ github.event.workflow_run.run_number }}"
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] backport-trigger.yml does not run any user code
-    workflows: ["Backport (trigger)"]
-    types:
-      - completed
-
-permissions: {}
-
-jobs:
-  backport:
-    # Only run this job if the triggering workflow was not skipped (and on grafana repo)
-    if: github.event.workflow_run.head_repository.fork == false && github.repository == 'grafana/grafana' && github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      actions: read
-    steps:
-      - name: Get vault secrets
-        id: secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          export_env: false
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ fromJSON(steps.secrets.outputs.secrets).APP_PEM }}
-
-      - name: Download PR info artifact
-        uses: actions/download-artifact@v6
-        id: download-pr-info
-        with:
-          github-token: ${{ github.token }}
-          run-id: ${{ github.event.workflow_run.id }}
-          name: pr_info
-
-      - name: Get PR info
-        id: pr-info
-        env:
-          PR_INFO_FILE: ${{ steps.download-pr-info.outputs.download-path }}/pr_info.json
-        # jq-magic to convert the JSON object into a list of key=value pairs for $GITHUB_OUTPUT
-        run:
-          jq -r 'to_entries[] | select(.value | type != "object") | "\(.key)=\(.value)"' "$PR_INFO_FILE" >> "$GITHUB_OUTPUT"
-
-      - name: Print PR info
-        env:
-          PR_ACTION: ${{ steps.pr-info.outputs.action }}
-          PR_LABEL: ${{ steps.pr-info.outputs.label }}
-          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
-        run: |
-          echo "PR action: $PR_ACTION"
-          echo "PR label: $PR_LABEL"
-          echo "PR number: $PR_NUMBER"
-
-      - name: Checkout Grafana
-        uses: actions/checkout@v5
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-          fetch-depth: 2
-          fetch-tags: false
-          token: ${{ steps.generate_token.outputs.token }}
-          persist-credentials: true
-
-      - name: Configure git user
-        run: |
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
-          git config --local --add --bool push.autoSetupRemote true
-
-      - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@dev
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          # If triggered by being labelled, only backport that label.
-          # Otherwise, the action will backport all labels.
-          pr_label: ${{ steps.pr-info.outputs.action == 'labeled' && steps.pr-info.outputs.label || '' }}
-          pr_number: ${{ steps.pr-info.outputs.pr_number }}
-          repo_owner: ${{ github.repository_owner }}
-          repo_name: ${{ github.event.repository.name }}

.github/workflows/changelog.yml

@@ -0,0 +1,191 @@
+name: Generate changelog
+on:
+  workflow_call:
+    inputs:
+      previous_version:
+        type: string
+        required: false
+        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
+      version:
+        type: string
+        required: true
+        description: 'Target release version (semver, git tag, branch or commit)'
+      target:
+        required: true
+        type: string
+        description: 'The base branch that these changes are being merged into'
+      dry_run:
+        required: false
+        default: false
+        type: boolean
+      latest:
+        required: false
+        default: false
+        type: boolean
+      work_branch:
+        required: false
+        type: string
+        description: "Use specific branch for changelog"
+
+  workflow_dispatch:
+    inputs:
+      previous_version:
+        type: string
+        required: false
+        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
+      version:
+        type: string
+        required: true
+        description: 'Target release version (semver, git tag, branch or commit)'
+      target:
+        required: true
+        type: string
+        description: 'The base branch that these changes are being merged into'
+      dry_run:
+        required: false
+        default: false
+        type: boolean
+      latest:
+        required: false
+        default: false
+        type: boolean
+      work_branch:
+        required: false
+        type: string
+        description: "Use specific branch for changelog"
+
+permissions: {}
+
+jobs:
+  main:
+    env:
+      RUN_ID: ${{ github.run_id }}
+      VERSION: ${{ inputs.version }}
+      PREVIOUS_VERISON: ${{ inputs.previous_version }}
+      TARGET: ${{ inputs.target }}
+      DRY_RUN: ${{ inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      pull-requests: write
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: "Checkout Grafana repo"
+        uses: "actions/checkout@v4"
+        with:
+          ref: main
+          sparse-checkout: |
+            .github/workflows
+            .github/actions
+            CHANGELOG.md
+            .nvmrc
+            .prettierignore
+            .prettierrc.js
+          fetch-depth: 0
+          fetch-tags: true
+      - name: Setup nodejs environment
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+      - name: "Configure git user"
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local --add --bool push.autoSetupRemote true
+      - name: "Create branch"
+        run: |
+          if [[ "$WORK_BRANCH" == '' ]]; then
+            git switch -c "changelog/${RUN_ID}/${VERSION}"
+            exit 0
+          fi
+
+          # Checkout the changelog branch if exists, otherwise create a new one
+          if git show-ref --verify --quiet "refs/remotes/origin/$WORK_BRANCH"; then
+            git switch --track "origin/$WORK_BRANCH"
+          else
+            git switch -c "$WORK_BRANCH"
+          fi
+        env:
+          WORK_BRANCH: ${{ inputs.work_branch }}
+      - name: "Generate changelog"
+        id: changelog
+        uses: ./.github/actions/changelog
+        with:
+          previous: ${{ inputs.previous_version }}
+          github_token: ${{ steps.generate_token.outputs.token }}
+          target: v${{ inputs.version }}
+          output_file: changelog_items.md
+      - name: "Patch CHANGELOG.md"
+        run: |
+          # Prepare CHANGELOG.md content with version delimiters
+          (
+            echo
+            echo "# ${VERSION} ($(date '+%F'))"
+            echo
+            cat changelog_items.md
+          ) > CHANGELOG.part
+
+          # Check if a version exists in the changelog
+          if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
+            # Replace the content between START and END delimiters
+            echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
+            sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
+                   -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
+          else
+            # Prepend changelog part to the main changelog file
+            echo "Version $VERSION not found in the CHANGELOG.md"
+            (
+              echo "<!-- ${VERSION} START -->"
+              cat CHANGELOG.part
+              echo "<!-- ${VERSION} END -->"
+              cat CHANGELOG.md
+            ) > CHANGELOG.tmp
+            mv CHANGELOG.tmp CHANGELOG.md
+          fi
+
+          git diff CHANGELOG.md
+
+      - name: "Prettify CHANGELOG.md"
+        run: npx prettier --write CHANGELOG.md
+      - name: "Commit changelog changes"
+        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
+      - name: "git push"
+        if: inputs.dry_run != true
+        run: git push
+      - name: "Create changelog PR"
+        run: |
+          if gh pr view &>/dev/null; then
+            echo "Changelog pr has already been created"
+          else
+
+            gh pr create \
+              --dry-run="${DRY_RUN}" \
+              --label "no-backport" \
+              --label "no-changelog" \
+              -B "${TARGET}" \
+              --title "Release: update changelog for ${TARGET}" \
+              --body "Changelog changes for release versions:"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Add release version to PR description"
+        if: inputs.dry_run != true
+        run: |
+          gh pr view --json body --jq .body > pr_body.md
+          echo " -  ${VERSION}" >> pr_body.md
+          gh pr edit --body-file pr_body.md
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/changelog.yml.disabled

@@ -1,191 +0,0 @@
-name: Generate changelog
-on:
-  workflow_call:
-    inputs:
-      previous_version:
-        type: string
-        required: false
-        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
-      version:
-        type: string
-        required: true
-        description: 'Target release version (semver, git tag, branch or commit)'
-      target:
-        required: true
-        type: string
-        description: 'The base branch that these changes are being merged into'
-      dry_run:
-        required: false
-        default: false
-        type: boolean
-      latest:
-        required: false
-        default: false
-        type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"
-
-  workflow_dispatch:
-    inputs:
-      previous_version:
-        type: string
-        required: false
-        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
-      version:
-        type: string
-        required: true
-        description: 'Target release version (semver, git tag, branch or commit)'
-      target:
-        required: true
-        type: string
-        description: 'The base branch that these changes are being merged into'
-      dry_run:
-        required: false
-        default: false
-        type: boolean
-      latest:
-        required: false
-        default: false
-        type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"
-
-permissions: {}
-
-jobs:
-  main:
-    env:
-      RUN_ID: ${{ github.run_id }}
-      VERSION: ${{ inputs.version }}
-      PREVIOUS_VERISON: ${{ inputs.previous_version }}
-      TARGET: ${{ inputs.target }}
-      DRY_RUN: ${{ inputs.dry_run }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: write
-      pull-requests: write
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: "Checkout Grafana repo"
-        uses: "actions/checkout@v5"
-        with:
-          ref: main
-          sparse-checkout: |
-            .github/workflows
-            .github/actions
-            CHANGELOG.md
-            .nvmrc
-            .prettierignore
-            .prettierrc.js
-          fetch-depth: 0
-          fetch-tags: true
-      - name: Setup nodejs environment
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: .nvmrc
-      - name: "Configure git user"
-        run: |
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
-          git config --local --add --bool push.autoSetupRemote true
-      - name: "Create branch"
-        run: |
-          if [[ "$WORK_BRANCH" == '' ]]; then
-            git switch -c "changelog/${RUN_ID}/${VERSION}"
-            exit 0
-          fi
-
-          # Checkout the changelog branch if exists, otherwise create a new one
-          if git show-ref --verify --quiet "refs/remotes/origin/$WORK_BRANCH"; then
-            git switch --track "origin/$WORK_BRANCH"
-          else
-            git switch -c "$WORK_BRANCH"
-          fi
-        env:
-          WORK_BRANCH: ${{ inputs.work_branch }}
-      - name: "Generate changelog"
-        id: changelog
-        uses: ./.github/actions/changelog
-        with:
-          previous: ${{ inputs.previous_version }}
-          github_token: ${{ steps.generate_token.outputs.token }}
-          target: v${{ inputs.version }}
-          output_file: changelog_items.md
-      - name: "Patch CHANGELOG.md"
-        run: |
-          # Prepare CHANGELOG.md content with version delimiters
-          (
-            echo
-            echo "# ${VERSION} ($(date '+%F'))"
-            echo
-            cat changelog_items.md
-          ) > CHANGELOG.part
-
-          # Check if a version exists in the changelog
-          if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
-            # Replace the content between START and END delimiters
-            echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
-                   -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
-          else
-            # Prepend changelog part to the main changelog file
-            echo "Version $VERSION not found in the CHANGELOG.md"
-            (
-              echo "<!-- ${VERSION} START -->"
-              cat CHANGELOG.part
-              echo "<!-- ${VERSION} END -->"
-              cat CHANGELOG.md
-            ) > CHANGELOG.tmp
-            mv CHANGELOG.tmp CHANGELOG.md
-          fi
-
-          git diff CHANGELOG.md
-
-      - name: "Prettify CHANGELOG.md"
-        run: npx prettier --write CHANGELOG.md
-      - name: "Commit changelog changes"
-        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
-      - name: "git push"
-        if: inputs.dry_run != true
-        run: git push
-      - name: "Create changelog PR"
-        run: |
-          if gh pr view &>/dev/null; then
-            echo "Changelog pr has already been created"
-          else
-
-            gh pr create \
-              --dry-run="${DRY_RUN}" \
-              --label "no-backport" \
-              --label "no-changelog" \
-              -B "${TARGET}" \
-              --title "Release: update changelog for ${TARGET}" \
-              --body "Changelog changes for release versions:"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: "Add release version to PR description"
-        if: inputs.dry_run != true
-        run: |
-          gh pr view --json body --jq .body > pr_body.md
-          echo " -  ${VERSION}" >> pr_body.md
-          gh pr edit --body-file pr_body.md
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/cleanup-branches.yml.disabled

@@ -1,18 +0,0 @@
-name: Clean up orphaned branches
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 9 * * 1"
-
-jobs:
-  cleanup-branches:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: read
-    steps:
-      - uses: actions/checkout@v5
-      - uses: grafana/shared-workflows/actions/cleanup-branches@cleanup-branches/v0.2.1
-        with:
-          dry-run: true
-          max-date: "1 month ago"

.github/workflows/codeowners-validator.yml

@@ -0,0 +1,44 @@
+name: "Codeowners Validator"
+
+on:
+  pull_request:
+    branches: [ main ]
+
+permissions: {}
+
+jobs:
+  codeowners-validator:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      # Checks-out your repository, which is validated in the next step
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: GitHub CODEOWNERS Validator
+        uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
+        # input parameters
+        with:
+          # ==== GitHub Auth ====
+
+          # "The list of checks that will be executed. By default, all checks are executed. Possible values: files,owners,duppatterns,syntax"
+          checks: "files,duppatterns,syntax"
+
+          # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
+          experimental_checks: "notowned,avoid-shadowing"
+
+          # The repository path in which CODEOWNERS file should be validated."
+          repository_path: "."
+
+          # Defines the level on which the application should treat check issues as failures. Defaults to warning, which treats both errors and warnings as failures, and exits with error code 3. Possible values are error and warning. Default: warning"
+          check_failure_level: "error"
+
+          # The comma-separated list of patterns that should be ignored by not-owned-checker. For example, you can specify * and as a result, the * pattern from the CODEOWNERS file will be ignored and files owned by this pattern will be reported as unowned unless a later specific pattern will match that path. It's useful because often we have default owners entry at the begging of the CODOEWNERS file, e.g. * @global-owner1 @global-owner2"
+          not_owned_checker_skip_patterns: ""
+
+          # Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
+          owner_checker_allow_unowned_patterns: "false"
+
+          # Specifies whether only teams are allowed as owners of files.
+          owner_checker_owners_must_be_teams: "false"

.github/workflows/codeowners-validator.yml.disabled

@@ -1,44 +0,0 @@
-name: "Codeowners Validator"
-
-on:
-  pull_request:
-    branches: [ main ]
-
-permissions: {}
-
-jobs:
-  codeowners-validator:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      # Checks-out your repository, which is validated in the next step
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: GitHub CODEOWNERS Validator
-        uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
-        # input parameters
-        with:
-          # ==== GitHub Auth ====
-
-          # "The list of checks that will be executed. By default, all checks are executed. Possible values: files,owners,duppatterns,syntax"
-          checks: "files,duppatterns,syntax"
-
-          # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
-          experimental_checks: "notowned,avoid-shadowing"
-
-          # The repository path in which CODEOWNERS file should be validated."
-          repository_path: "."
-
-          # Defines the level on which the application should treat check issues as failures. Defaults to warning, which treats both errors and warnings as failures, and exits with error code 3. Possible values are error and warning. Default: warning"
-          check_failure_level: "error"
-
-          # The comma-separated list of patterns that should be ignored by not-owned-checker. For example, you can specify * and as a result, the * pattern from the CODEOWNERS file will be ignored and files owned by this pattern will be reported as unowned unless a later specific pattern will match that path. It's useful because often we have default owners entry at the begging of the CODOEWNERS file, e.g. * @global-owner1 @global-owner2"
-          not_owned_checker_skip_patterns: ""
-
-          # Specifies whether CODEOWNERS may have unowned files. For example, `/infra/oncall-rotator/oncall-config.yml` doesn't have owner and this is not reported.
-          owner_checker_allow_unowned_patterns: "false"
-
-          # Specifies whether only teams are allowed as owners of files.
-          owner_checker_owners_must_be_teams: "false"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,97 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL checks"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ['**'] # run on all branches
+    paths-ignore:
+      - '**/*.cue'
+      - '**/*.json'
+      - '**/*.md'
+      - '**/*.txt'
+      - '**/*.yml'
+      - pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
+  schedule:
+    - cron: '0 4 * * 6'
+
+permissions:
+  security-events: write
+
+jobs:
+  detect-changes:
+    name: Detect whether code changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      javascript: ${{ steps.detect-changes.outputs.frontend }}
+      go: ${{ steps.detect-changes.outputs.backend }}
+      actions: 'true'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true # required to get more history in the changed-files action
+          fetch-depth: 2
+      - name: Detect changes
+        id: detect-changes
+        uses: ./.github/actions/change-detection
+        with:
+          self: .github/workflows/codeql-analysis.yml
+
+  analyze:
+    needs: detect-changes
+    name: Analyze
+    runs-on: ubuntu-latest
+    continue-on-error: true # doesn't block PRs from being merged if this fails
+    if: github.repository == 'grafana/grafana'
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are listed here
+        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
+        language: ['actions', 'javascript', 'go']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      if: needs.detect-changes.outputs[matrix.language] == 'true'
+      uses: actions/checkout@v4
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+        persist-credentials: false
+
+    - if: matrix.language == 'go' && needs.detect-changes.outputs.go == 'true'
+      name: Set go version
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+      with:
+        go-version-file: go.mod
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      if: needs.detect-changes.outputs[matrix.language] == 'true'
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - if: matrix.language == 'go' && needs.detect-changes.outputs.go == 'true'
+      name: Build go files
+      run: |
+        go mod verify
+        make build-go
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3

.github/workflows/codeql-analysis.yml.disabled

@@ -1,100 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-name: "CodeQL checks"
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-    paths-ignore:
-      - '**/*.cue'
-      - '**/*.json'
-      - '**/*.md'
-      - '**/*.txt'
-      - '**/*.yml'
-      - pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
-  schedule:
-    - cron: '0 4 * * 6'
-
-permissions:
-  security-events: write
-
-jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      javascript: ${{ steps.detect-changes.outputs.frontend }}
-      go: ${{ steps.detect-changes.outputs.backend }}
-      actions: 'true'
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/codeql-analysis.yml
-
-  analyze:
-    needs: detect-changes
-    name: Analyze
-    runs-on: ubuntu-x64-large-io
-    continue-on-error: true # doesn't block PRs from being merged if this fails
-    if: github.repository == 'grafana/grafana'
-
-    strategy:
-      fail-fast: false
-      matrix:
-        # Override automatic language detection by changing the below list
-        # Supported options are listed here
-        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
-        language: ['actions', 'javascript', 'go']
-        # Learn more...
-        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
-    steps:
-    - name: Checkout repository
-      if: needs.detect-changes.outputs[matrix.language] == 'true'
-      uses: actions/checkout@v5
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        persist-credentials: false
-
-    - if: matrix.language == 'go' && needs.detect-changes.outputs.go == 'true'
-      name: Set go version
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
-      with:
-        cache: false
-        go-version-file: go.mod
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      if: needs.detect-changes.outputs[matrix.language] == 'true'
-      uses: github/codeql-action/init@v4
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    - if: matrix.language == 'go' && needs.detect-changes.outputs.go == 'true'
-      name: Build go files
-      run: |
-        go mod verify
-        make build-go
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4

.github/workflows/commands.yml

@@ -0,0 +1,70 @@
+name: Run commands when issues are labeled or comments added
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
+on:
+  issues:
+    types: [labeled, unlabeled]
+  issue_comment:
+    types: [created]
+
+concurrency:
+  group: issue-commands-${{ github.event.issue.number }}
+
+permissions: {}
+
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ "${{ github.repository }}" == "grafana/grafana" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+
+      - name: Generate token
+        id: generate_token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: Run Commands
+        uses: ./actions/commands
+        with:
+          metricsWriteAPIKey: ""
+          token: ${{ steps.generate_token.outputs.token }}
+          configPath: commands

.github/workflows/commands.yml.disabled

@@ -1,70 +0,0 @@
-name: Run commands when issues are labeled or comments added
-
-# important: this workflow uses a github app that is strictly limited
-# to issues. If you want to change the triggers for this workflow,
-# please review if the permissions are still sufficient.
-on:
-  issues:
-    types: [labeled, unlabeled]
-  issue_comment:
-    types: [created]
-
-concurrency:
-  group: issue-commands-${{ github.event.issue.number }}
-
-permissions: {}
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ "${{ github.repository }}" == "grafana/grafana" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
-          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
-
-      - name: Generate token
-        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-
-      - name: Checkout Actions
-        uses: actions/checkout@v5
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: Run Commands
-        uses: ./actions/commands
-        with:
-          metricsWriteAPIKey: ""
-          token: ${{ steps.generate_token.outputs.token }}
-          configPath: commands

.github/workflows/core-plugins-build-and-release.yml

@@ -0,0 +1,276 @@
+name: Build and release core plugins
+
+on:
+  workflow_dispatch:
+    inputs:
+      plugin_id:
+        description: "ID of the plugin you want to publish"
+        required: true
+        type: choice
+        options:
+          - grafana-azure-monitor-datasource
+          - grafana-pyroscope-datasource
+          - grafana-testdata-datasource
+          - jaeger
+          - parca
+          - stackdriver
+          - tempo
+          - zipkin
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-${{ inputs.plugin_id }}
+  cancel-in-progress: true
+
+env:
+  GRABPL_VERSION: 3.0.44
+  GCP_BUCKET: integration-artifacts # Dev: plugins-community-staging
+  GCOM_API: https://grafana.com # Dev: https://grafana-dev.com
+
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  build-and-publish:
+    env:
+      PLUGIN_ID: ${{ inputs.plugin_id }}
+    name: Build and publish ${{ inputs.plugin_id }}
+    runs-on: ubuntu-latest
+    outputs:
+      type: ${{ steps.get_dir.outputs.dir }}
+      has_backend: ${{ steps.check_backend.outputs.has_backend }}
+      version: ${{ steps.build_frontend.outputs.version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Verify inputs
+        run: |
+          if [ -z "$PLUGIN_ID" ]; then echo "Missing plugin ID"; exit 1; fi
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
+          repo_secrets: |
+            PLUGINS_GOOGLE_CREDENTIALS=core-plugins-build-and-release:PLUGINS_GOOGLE_CREDENTIALS
+            PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
+            PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
+        with:
+          credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'
+      - name: Setup nodejs environment
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .nvmrc
+          cache: yarn
+      - name: Find plugin directory
+        shell: bash
+        id: get_dir
+        run: |
+          dir="$(dirname \
+            "$(grep -Elir --include=plugin.json --exclude-dir=dist \
+              '"id": "'"${PLUGIN_ID}"'"' \
+              public/app/plugins \
+            )" \
+          )"
+          echo "dir=${dir}" >> "$GITHUB_OUTPUT"
+      - name: Install frontend dependencies
+        shell: bash
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          yarn install --immutable
+      - name: Download grabpl executable
+        shell: sh
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          mkdir -pv ./bin
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v"$GRABPL_VERSION"/grabpl
+          chmod 0755 ./bin/grabpl
+      - name: Check backend
+        id: check_backend
+        shell: bash
+        run: |
+          if grep -Eqr --include=main.go 'datasource.Manage\('"$PLUGIN_ID" pkg/tsdb; then
+            echo "has_backend=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_backend=false" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Setup golang environment
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+        if: steps.check_backend.outputs.has_backend == 'true'
+        with:
+          go-version-file: go.mod
+      - name: Install Mage
+        shell: bash
+        if: steps.check_backend.outputs.has_backend == 'true'
+        run: |
+          go install github.com/magefile/mage
+      - name: Check tools
+        shell: bash
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          echo "======================================="
+          echo "  Frontend tools"
+          echo "======================================="
+          echo "-------- node version -----"
+          node --version
+          echo "-------- npm version -----"
+          npm --version
+          echo "-------- yarn version -----"
+          yarn --version
+          echo "======================================="
+          echo "  Misc tools"
+          echo "======================================="
+          echo "-------- docker version -----"
+          docker --version
+          echo "-------- jq version -----"
+          jq --version
+          echo "-------- grabpl version -----"
+          ./bin/grabpl --version
+          echo "======================================="
+      - name: Check backend tools
+        shell: bash
+        if: steps.check_backend.outputs.has_backend == 'true'
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          echo "======================================="
+          echo "  Backend tools"
+          echo "======================================="
+          echo "-------- go version -----"
+          go version
+          echo "-------- mage version -----"
+          mage --version
+          echo "======================================="
+      - name: build:frontend
+        shell: bash
+        id: build_frontend
+        env:
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          command="plugin:build:commit"
+          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
+            # Release branch, do not add commit hash to version
+            command="plugin:build"
+          fi
+          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
+          version="$(jq -r .info.version "$OUTPUT_DIR"/dist/plugin.json)"
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+      - name: build:backend
+        if: steps.check_backend.outputs.has_backend == 'true'
+        shell: bash
+        env:
+          VERSION: ${{ steps.build_frontend.outputs.version }}  
+        run: |
+          make build-plugin-go PLUGIN_ID="$PLUGIN_ID"
+      - name: package
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        run: |
+          mkdir -p ci/jobs/package
+          bin/grabpl plugin package
+        env:
+          GRAFANA_API_KEY: ${{ env.PLUGINS_GRAFANA_API_KEY }}
+          PLUGIN_SIGNATURE_TYPE: grafana
+      - name: Check existing release
+        env:
+          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
+          VERSION: ${{ steps.build_frontend.outputs.version }}  
+          GCOM_API: ${{ env.GCOM_API }}
+        run: |
+          api_res="$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
+            "$GCOM_API/api/plugins/$PLUGIN_ID?version=$VERSION" \
+            -H 'accept: application/json')"
+          api_res_code="$(echo "$api_res" | jq -r .code)"
+          if [ "$api_res_code" = "NotFound" ]; then
+            echo "No existing release found"
+          else
+            echo "Expecting a missing release, got:"
+            echo "$api_res"
+            exit 1
+          fi
+      - name: store build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          path: ${{ steps.get_dir.outputs.dir }}/ci/packages/*.zip
+      - name: Publish release to Google Cloud Storage
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        env:
+          VERSION: ${{ steps.build_frontend.outputs.version }}
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+        run: |
+          echo "Publish release to Google Cloud Storage:"
+          set -x
+          touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
+          gsutil -m cp -r ci/packages/*windows* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/windows"
+          gsutil -m cp -r ci/packages/*linux* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/linux"
+          gsutil -m cp -r ci/packages/*darwin* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/darwin"
+          gsutil -m cp -r ci/packages/*any* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any"
+      - name: Publish new plugin version on grafana.com
+        if: steps.check_backend.outputs.has_backend == 'true'
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        env:
+          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
+          VERSION: ${{ steps.build_frontend.outputs.version }}  
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
+          GCOM_API: ${{ env.GCOM_API }}
+        run: |
+          echo "Publish new plugin version on grafana.com:"
+          echo "Plugin version: ${VERSION}"
+
+          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
+          jq -n '{"url": env.OUTPUT_URL}' > body.json
+          osarchs=(linux_amd64 linux_arm64 linux_arm windows_amd64 darwin_amd64 darwin_arm64)
+          for osarch in "${osarchs[@]}"; do
+            echo "Processing $osarch"
+            KEY="${osarch//_/-}" \
+            OSARCH="$osarch" \
+            jq -s '. as $i | .[0] | .download[env.KEY] = {
+              "url": "https://storage.googleapis.com/\(env.GCP_BUCKET)/\(env.PLUGIN_ID)/release/\(env.VERSION)/linux/\(env.PLUGIN_ID)-\(env.VERSION).\(env.OSARCH).zip",
+              "md5": $i[1].plugin.md5
+            }' body.json ci/packages/info-"$osarch".json > tmp.json && mv tmp.json body.json
+          done
+
+          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
+          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+            echo "Failed to publish plugin version. Got:"
+            echo "$result"
+            exit 1
+          fi
+      - name: Publish new plugin version on grafana.com (frontend only)
+        if: steps.check_backend.outputs.has_backend == 'false'
+        working-directory: ${{ steps.get_dir.outputs.dir }}
+        env:
+          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
+          VERSION: ${{ steps.build_frontend.outputs.version }}
+          GCOM_API: ${{ env.GCOM_API }}
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+        run: |
+          echo "Publish new plugin version on grafana.com:"
+          echo "Plugin version: ${VERSION}"
+
+          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
+          DOWNLOAD_URL="https://storage.googleapis.com/$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip" \
+          MD5_CHECKSUM="$(jq -r '.plugin.md5' ci/packages/info-any.json)" \
+          jq -rn '{
+            "url": env.OUTPUT_URL,
+            "download": {
+              "any": {
+                "url": env.DOWNLOAD_URL,
+                "md5": env.MD5_CHECKSUM
+              }
+            }
+          }' > body.json
+
+          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
+          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+            echo "Failed to publish plugin version. Got:"
+            echo "$result"
+            exit 1
+          fi

.github/workflows/core-plugins-build-and-release.yml.disabled

@@ -1,276 +0,0 @@
-name: Build and release core plugins
-
-on:
-  workflow_dispatch:
-    inputs:
-      plugin_id:
-        description: "ID of the plugin you want to publish"
-        required: true
-        type: choice
-        options:
-          - grafana-azure-monitor-datasource
-          - grafana-pyroscope-datasource
-          - grafana-testdata-datasource
-          - jaeger
-          - parca
-          - stackdriver
-          - tempo
-          - zipkin
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-${{ inputs.plugin_id }}
-  cancel-in-progress: true
-
-env:
-  GRABPL_VERSION: 3.0.44
-  GCP_BUCKET: integration-artifacts # Dev: plugins-community-staging
-  GCOM_API: https://grafana.com # Dev: https://grafana-dev.com
-
-# These permissions are needed to assume roles from Github's OIDC.
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  build-and-publish:
-    env:
-      PLUGIN_ID: ${{ inputs.plugin_id }}
-    name: Build and publish ${{ inputs.plugin_id }}
-    runs-on: ubuntu-latest
-    outputs:
-      type: ${{ steps.get_dir.outputs.dir }}
-      has_backend: ${{ steps.check_backend.outputs.has_backend }}
-      version: ${{ steps.build_frontend.outputs.version }}
-    steps:
-      - name: checkout
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Verify inputs
-        run: |
-          if [ -z "$PLUGIN_ID" ]; then echo "Missing plugin ID"; exit 1; fi
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
-          repo_secrets: |
-            PLUGINS_GOOGLE_CREDENTIALS=core-plugins-build-and-release:PLUGINS_GOOGLE_CREDENTIALS
-            PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
-            PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
-      - name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093'
-        with:
-          credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
-      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'
-      - name: Setup nodejs environment
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: .nvmrc
-          cache: yarn
-      - name: Find plugin directory
-        shell: bash
-        id: get_dir
-        run: |
-          dir="$(dirname \
-            "$(grep -Elir --include=plugin.json --exclude-dir=dist \
-              '"id": "'"${PLUGIN_ID}"'"' \
-              public/app/plugins \
-            )" \
-          )"
-          echo "dir=${dir}" >> "$GITHUB_OUTPUT"
-      - name: Install frontend dependencies
-        shell: bash
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          yarn install --immutable
-      - name: Download grabpl executable
-        shell: sh
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          mkdir -pv ./bin
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v"$GRABPL_VERSION"/grabpl
-          chmod 0755 ./bin/grabpl
-      - name: Check backend
-        id: check_backend
-        shell: bash
-        run: |
-          if grep -Eqr --include=main.go 'datasource.Manage\('"$PLUGIN_ID" pkg/tsdb; then
-            echo "has_backend=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "has_backend=false" >> "$GITHUB_OUTPUT"
-          fi
-      - name: Setup golang environment
-        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
-        if: steps.check_backend.outputs.has_backend == 'true'
-        with:
-          go-version-file: go.mod
-      - name: Install Mage
-        shell: bash
-        if: steps.check_backend.outputs.has_backend == 'true'
-        run: |
-          go install github.com/magefile/mage
-      - name: Check tools
-        shell: bash
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          echo "======================================="
-          echo "  Frontend tools"
-          echo "======================================="
-          echo "-------- node version -----"
-          node --version
-          echo "-------- npm version -----"
-          npm --version
-          echo "-------- yarn version -----"
-          yarn --version
-          echo "======================================="
-          echo "  Misc tools"
-          echo "======================================="
-          echo "-------- docker version -----"
-          docker --version
-          echo "-------- jq version -----"
-          jq --version
-          echo "-------- grabpl version -----"
-          ./bin/grabpl --version
-          echo "======================================="
-      - name: Check backend tools
-        shell: bash
-        if: steps.check_backend.outputs.has_backend == 'true'
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          echo "======================================="
-          echo "  Backend tools"
-          echo "======================================="
-          echo "-------- go version -----"
-          go version
-          echo "-------- mage version -----"
-          mage --version
-          echo "======================================="
-      - name: build:frontend
-        shell: bash
-        id: build_frontend
-        env:
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          command="plugin:build:commit"
-          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
-            # Release branch, do not add commit hash to version
-            command="plugin:build"
-          fi
-          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
-          version="$(jq -r .info.version "$OUTPUT_DIR"/dist/plugin.json)"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
-      - name: build:backend
-        if: steps.check_backend.outputs.has_backend == 'true'
-        shell: bash
-        env:
-          VERSION: ${{ steps.build_frontend.outputs.version }}  
-        run: |
-          make build-plugin-go PLUGIN_ID="$PLUGIN_ID"
-      - name: package
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        run: |
-          mkdir -p ci/jobs/package
-          bin/grabpl plugin package
-        env:
-          GRAFANA_API_KEY: ${{ env.PLUGINS_GRAFANA_API_KEY }}
-          PLUGIN_SIGNATURE_TYPE: grafana
-      - name: Check existing release
-        env:
-          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
-          VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCOM_API: ${{ env.GCOM_API }}
-        run: |
-          api_res="$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            "$GCOM_API/api/plugins/$PLUGIN_ID?version=$VERSION" \
-            -H 'accept: application/json')"
-          api_res_code="$(echo "$api_res" | jq -r .code)"
-          if [ "$api_res_code" = "NotFound" ]; then
-            echo "No existing release found"
-          else
-            echo "Expecting a missing release, got:"
-            echo "$api_res"
-            exit 1
-          fi
-      - name: store build artifacts
-        uses: actions/upload-artifact@v5
-        with:
-          name: build-artifacts
-          path: ${{ steps.get_dir.outputs.dir }}/ci/packages/*.zip
-      - name: Publish release to Google Cloud Storage
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        env:
-          VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
-        run: |
-          echo "Publish release to Google Cloud Storage:"
-          set -x
-          touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/windows"
-          gsutil -m cp -r ci/packages/*linux* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/linux"
-          gsutil -m cp -r ci/packages/*darwin* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/darwin"
-          gsutil -m cp -r ci/packages/*any* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any"
-      - name: Publish new plugin version on grafana.com
-        if: steps.check_backend.outputs.has_backend == 'true'
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        env:
-          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
-          VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCOM_API: ${{ env.GCOM_API }}
-        run: |
-          echo "Publish new plugin version on grafana.com:"
-          echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          jq -n '{"url": env.OUTPUT_URL}' > body.json
-          osarchs=(linux_amd64 linux_arm64 linux_arm windows_amd64 darwin_amd64 darwin_arm64)
-          for osarch in "${osarchs[@]}"; do
-            echo "Processing $osarch"
-            KEY="${osarch//_/-}" \
-            OSARCH="$osarch" \
-            jq -s '. as $i | .[0] | .download[env.KEY] = {
-              "url": "https://storage.googleapis.com/\(env.GCP_BUCKET)/\(env.PLUGIN_ID)/release/\(env.VERSION)/linux/\(env.PLUGIN_ID)-\(env.VERSION).\(env.OSARCH).zip",
-              "md5": $i[1].plugin.md5
-            }' body.json ci/packages/info-"$osarch".json > tmp.json && mv tmp.json body.json
-          done
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
-            echo "Failed to publish plugin version. Got:"
-            echo "$result"
-            exit 1
-          fi
-      - name: Publish new plugin version on grafana.com (frontend only)
-        if: steps.check_backend.outputs.has_backend == 'false'
-        working-directory: ${{ steps.get_dir.outputs.dir }}
-        env:
-          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
-          VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCOM_API: ${{ env.GCOM_API }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
-        run: |
-          echo "Publish new plugin version on grafana.com:"
-          echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          DOWNLOAD_URL="https://storage.googleapis.com/$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip" \
-          MD5_CHECKSUM="$(jq -r '.plugin.md5' ci/packages/info-any.json)" \
-          jq -rn '{
-            "url": env.OUTPUT_URL,
-            "download": {
-              "any": {
-                "url": env.DOWNLOAD_URL,
-                "md5": env.MD5_CHECKSUM
-              }
-            }
-          }' > body.json
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
-            echo "Failed to publish plugin version. Got:"
-            echo "$result"
-            exit 1
-          fi

.github/workflows/create-security-branch.yml

@@ -0,0 +1,79 @@
+name: Create security branch
+on:
+  workflow_call:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+    outputs:
+      branch:
+        description: The new security branch that was created
+        value: ${{ jobs.main.outputs.branch }}
+  workflow_dispatch:
+    inputs:
+      release_branch:
+        type: string
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
+        required: true
+      security_branch_number:
+        type: string
+        description: 'The security branch number (e.g., 01)'
+        required: false
+        default: '01'
+      repository:
+        type: string
+        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
+        required: true
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    outputs:
+      branch: ${{ steps.branch.outputs.branch }}
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.release_branch }}
+
+      - name: Create security branch
+        id: branch
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
+          INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
+          INPUT_REPOSITORY: ${{ inputs.repository }}
+        run: |
+          chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
+          .github/workflows/scripts/create-security-branch/create-security-branch.sh

.github/workflows/create-security-branch.yml.disabled

@@ -1,79 +0,0 @@
-name: Create security branch
-on:
-  workflow_call:
-    inputs:
-      release_branch:
-        type: string
-        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
-        required: true
-      security_branch_number:
-        type: string
-        description: 'The security branch number (e.g., 01)'
-        required: false
-        default: '01'
-      repository:
-        type: string
-        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
-        required: true
-    outputs:
-      branch:
-        description: The new security branch that was created
-        value: ${{ jobs.main.outputs.branch }}
-  workflow_dispatch:
-    inputs:
-      release_branch:
-        type: string
-        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
-        required: true
-      security_branch_number:
-        type: string
-        description: 'The security branch number (e.g., 01)'
-        required: false
-        default: '01'
-      repository:
-        type: string
-        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
-        required: true
-
-permissions:
-  contents: write
-  id-token: write
-
-jobs:
-  main:
-    runs-on: ubuntu-latest
-    outputs:
-      branch: ${{ steps.branch.outputs.branch }}
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          repository: ${{ inputs.repository }}
-          ref: ${{ inputs.release_branch }}
-
-      - name: Create security branch
-        id: branch
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
-          INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
-          INPUT_REPOSITORY: ${{ inputs.repository }}
-        run: |
-          chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
-          .github/workflows/scripts/create-security-branch/create-security-branch.sh

.github/workflows/defaults-ini-docs-reminder.yml

@@ -1,24 +0,0 @@
-name: Remind about config documentation updates
-on:
-  pull_request:
-    types: [opened]
-    paths:
-      - 'conf/defaults.ini'
-
-jobs:
-  add-comment:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    steps:
-      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
-        with:
-          message: |
-            Hi there! 👋 This PR modifies `conf/defaults.ini`.
-            
-            If this change introduces user-facing configuration options or modifies existing ones, please remember to update [`docs/sources/setup-grafana/configure-grafana/_index.md`](https://github.com/grafana/grafana/blob/main/docs/sources/setup-grafana/configure-grafana/_index.md).
-            
-            If this change is internal-only (experimental flags, internal refactoring, etc.), you can ignore this reminder.
-            
-            Questions? Reach out to the #docs channel on Slack.

.github/workflows/deploy-storybook-preview.yml

@@ -0,0 +1,81 @@
+name: Deploy Storybook preview
+
+on:
+  pull_request:
+    paths:
+      - 'packages/grafana-ui/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  deploy-storybook-preview:
+    name: Deploy Storybook preview
+    runs-on: ubuntu-latest
+    # Don't run from forks for the moment. If we find this useful we can do the workflow_run dance
+    # to make it work for forks.
+    if: github.event.pull_request.head.repo.fork == false
+    permissions:
+      contents: read
+      id-token: write
+
+    env:
+      BUCKET_NAME: grafana-storybook-previews
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: ./.github/actions/setup-node
+
+      - name: Install dependencies
+        env:
+          # If the PR isn't from a fork then don't use the slower yarn checks
+          YARN_ENABLE_HARDENED_MODE: ${{ github.event.pull_request.head.repo.fork == false && '1' || '0' }}
+        run: yarn install --immutable
+
+      - name: Build storybook
+        run: yarn storybook:build
+
+      # Create the GCS folder name for the preview. Creates a consistent name for all deploys for the PR.
+      # Matches format of `pr_<PR_NUMBER>_<SANITIZED_BRANCH>`.
+      # Where `SANITIZED_BRANCH` is the branch name with only alphanumeric and hyphens, limited to 30 characters.
+      - name: Create deploy name
+        id: create-deploy-name
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Convert branch name to only contain alphanumeric and hyphens
+          SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr -cs "[:alnum:]-" "-" | sed "s/^-//;s/-$//")
+
+          # Check if SANITIZED_BRANCH is empty and fail if it is
+          if [ -z "$SANITIZED_BRANCH" ]; then
+            echo "Error: Branch name resulted in empty string after sanitization"
+            exit 1
+          fi
+
+          echo "deploy-name=pr_${PR_NUMBER}_${SANITIZED_BRANCH:0:30}" >> "$GITHUB_OUTPUT"
+
+      - name: Upload Storybook
+        uses: grafana/shared-workflows/actions/push-to-gcs@main
+        with:
+          environment: prod
+          bucket: ${{ env.BUCKET_NAME }}
+          bucket_path: ${{ steps.create-deploy-name.outputs.deploy-name }}
+          path: packages/grafana-ui/dist/storybook
+          service_account: github-gf-storybook-preview@grafanalabs-workload-identity.iam.gserviceaccount.com
+          parent: false
+
+      - name: Write summary
+        env:
+          DEPLOY_NAME: ${{ steps.create-deploy-name.outputs.deploy-name }}
+        run: |
+          echo "## Storybook preview deployed! 🚀" >> $GITHUB_STEP_SUMMARY
+          echo "Check it out at https://storage.googleapis.com/${BUCKET_NAME}/${DEPLOY_NAME}/index.html" >> $GITHUB_STEP_SUMMARY

.github/workflows/deploy-storybook-preview.yml.disabled

@@ -1,81 +0,0 @@
-name: Deploy Storybook preview
-
-on:
-  pull_request:
-    paths:
-      - 'packages/grafana-ui/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  deploy-storybook-preview:
-    name: Deploy Storybook preview
-    runs-on: ubuntu-latest
-    # Don't run from forks for the moment. If we find this useful we can do the workflow_run dance
-    # to make it work for forks.
-    if: github.event.pull_request.head.repo.fork == false
-    permissions:
-      contents: read
-      id-token: write
-
-    env:
-      BUCKET_NAME: grafana-storybook-previews
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: ./.github/actions/setup-node
-
-      - name: Install dependencies
-        env:
-          # If the PR isn't from a fork then don't use the slower yarn checks
-          YARN_ENABLE_HARDENED_MODE: ${{ github.event.pull_request.head.repo.fork == false && '1' || '0' }}
-        run: yarn install --immutable
-
-      - name: Build storybook
-        run: yarn storybook:build
-
-      # Create the GCS folder name for the preview. Creates a consistent name for all deploys for the PR.
-      # Matches format of `pr_<PR_NUMBER>_<SANITIZED_BRANCH>`.
-      # Where `SANITIZED_BRANCH` is the branch name with only alphanumeric and hyphens, limited to 30 characters.
-      - name: Create deploy name
-        id: create-deploy-name
-        env:
-          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          # Convert branch name to only contain alphanumeric and hyphens
-          SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr -cs "[:alnum:]-" "-" | sed "s/^-//;s/-$//")
-
-          # Check if SANITIZED_BRANCH is empty and fail if it is
-          if [ -z "$SANITIZED_BRANCH" ]; then
-            echo "Error: Branch name resulted in empty string after sanitization"
-            exit 1
-          fi
-
-          echo "deploy-name=pr_${PR_NUMBER}_${SANITIZED_BRANCH:0:30}" >> "$GITHUB_OUTPUT"
-
-      - name: Upload Storybook
-        uses: grafana/shared-workflows/actions/push-to-gcs@main
-        with:
-          environment: prod
-          bucket: ${{ env.BUCKET_NAME }}
-          bucket_path: ${{ steps.create-deploy-name.outputs.deploy-name }}
-          path: packages/grafana-ui/dist/storybook
-          service_account: github-gf-storybook-preview@grafanalabs-workload-identity.iam.gserviceaccount.com
-          parent: false
-
-      - name: Write summary
-        env:
-          DEPLOY_NAME: ${{ steps.create-deploy-name.outputs.deploy-name }}
-        run: |
-          echo "## Storybook preview deployed! 🚀" >> $GITHUB_STEP_SUMMARY
-          echo "Check it out at https://storage.googleapis.com/${BUCKET_NAME}/${DEPLOY_NAME}/index.html" >> $GITHUB_STEP_SUMMARY

.github/workflows/detect-breaking-changes-levitate.yml

@@ -0,0 +1,411 @@
+# Only runs if anything under the packages/ directory changes.
+---
+name: Levitate / Detect breaking changes in PR
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+on:
+  pull_request:
+    paths:
+      - 'packages/**'
+      - '.nvmrc'
+      - '.github/workflows/detect-breaking-changes-levitate.yml'
+    branches:
+      - 'main'
+
+jobs:
+  buildPR:
+    name: Build PR packages artifacts
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: './pr'
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: './pr'
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: './pr/.nvmrc'
+
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore yarn cache
+        uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: yarn-cache-folder-${{ hashFiles('**/yarn.lock', '.yarnrc.yml') }}
+          restore-keys: |
+            yarn-cache-folder-
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Build packages
+        run: yarn packages:build
+
+      - name: Pack packages
+        run: yarn packages:pack --out ./%s.tgz
+
+      - name: Zip built tarballed packages
+        run: zip -r ./pr_built_packages.zip ./packages/**/*.tgz
+
+      - name: Upload build output as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: buildPr
+          path: './pr/pr_built_packages.zip'
+
+  buildBase:
+    name: Build Base packages artifacts
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    defaults:
+      run:
+        working-directory: './base'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: './base'
+          ref: ${{ github.event.pull_request.base.ref }}
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: './base/.nvmrc'
+
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore yarn cache
+        uses: actions/cache@v4
+        id: yarn-cache
+        with:
+          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
+          key: yarn-cache-folder-${{ hashFiles('**/yarn.lock', '.yarnrc.yml') }}
+          restore-keys: |
+            yarn-cache-folder-
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Build packages
+        run: yarn packages:build
+
+      - name: Pack packages
+        run: yarn packages:pack --out ./%s.tgz
+
+      - name: Zip built tarballed packages
+        run: zip -r ./base_built_packages.zip ./packages/**/*.tgz
+
+      - name: Upload build output as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: buildBase
+          path: './base/base_built_packages.zip'
+
+  Detect:
+    name: Detect breaking changes between PR and base
+    runs-on: ubuntu-latest
+    needs: ['buildPR', 'buildBase']
+    env:
+      GITHUB_STEP_NUMBER: 8
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Get built packages from pr
+        uses: actions/download-artifact@v4
+        with:
+          name: buildPr
+
+      - name: Get built packages from base
+        uses: actions/download-artifact@v4
+        with:
+          name: buildBase
+
+      - name: Unzip artifact from pr
+        run: unzip -j pr_built_packages.zip -d ./pr && rm pr_built_packages.zip
+
+      - name: Unzip artifact from base
+        run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
+
+      - id: 'auth'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        with:
+          workload_identity_provider: projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider
+          service_account: github-plugins-data-levitate@grafanalabs-workload-identity.iam.gserviceaccount.com
+          project_id: 'grafanalabs-global'
+
+      - name: 'Set up Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        with:
+          version: '>= 363.0.0'
+          project_id: 'grafanalabs-global'
+          install_components: 'bq'
+
+      - name: Detect breaking changes
+        id: breaking-changes
+        run: ./scripts/check-breaking-changes.sh
+        env:
+          FORCE_COLOR: 3
+          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} # used in check-breaking-changes.sh and levitate-parse-json-report.js
+
+      - name: Persisting the check output
+        run: |
+            mkdir -p ./levitate
+            echo "{ \"exit_code\": ${IS_BREAKING}, \"message\": \"${MESSAGE}\", \"pr_number\": \"${PR_NUMBER}\" }" > ./levitate/result.json
+        env:
+          IS_BREAKING: ${{ steps.breaking-changes.outputs.is_breaking }}
+          MESSAGE: ${{ steps.breaking-changes.outputs.message }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+
+      - name: Upload check output as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: levitate
+          path: levitate/
+
+
+  Report:
+    name: Report breaking changes in PR comment
+    runs-on: ubuntu-latest
+    needs: ['Detect']
+    permissions:
+      contents: read
+      id-token: write
+    if: github.event.pull_request.head.repo.full_name == github.repository
+
+    steps:
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana in vault
+          repo_secrets: |
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+
+      - name: Generate token
+        id: generate_token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: 'Download artifact'
+        uses: actions/download-artifact@v4
+        with:
+          name: levitate
+
+      - name: Parsing levitate result
+        uses: actions/github-script@v7
+        id: levitate-run
+        with:
+          script: |
+            const filePath = 'result.json';
+            const script = require('./.github/workflows/scripts/json-file-to-job-output.js');
+            await script({ core, filePath });
+
+      # Check if label exists
+      - name: Check if "levitate breaking change" label exists
+        id: does-label-exist
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        with:
+          script: |
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            });
+            return labels.some(label => label.name === 'levitate breaking change') ? 1 : 0
+
+      # put the markdown into a variable
+      - name: Levitate Markdown
+        id: levitate-markdown
+        run: |
+            if [ -f "levitate.md" ]; then
+            {
+              echo 'levitate_markdown<<EOF'
+              cat levitate.md
+              echo EOF
+            } >> "$GITHUB_OUTPUT"
+            else
+              echo "levitate_markdown=No breaking changes detected" >> "$GITHUB_OUTPUT"
+            fi
+
+
+      # Comment on the PR
+      - name: Comment on PR
+        if: steps.levitate-run.outputs.exit_code == 1
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
+        with:
+          header: levitate-breaking-change-comment
+          number: ${{ github.event.pull_request.number }}
+          message: |
+            ⚠️ &nbsp;&nbsp;**Possible breaking changes (md version)**&nbsp;&nbsp; ⚠️
+
+            ${{ steps.levitate-markdown.outputs.levitate_markdown }}
+
+            [Read our guideline](https://github.com/grafana/grafana/blob/main/contribute/breaking-changes-guide/breaking-changes-guide.md)
+
+            * Your pull request merge won't be blocked.
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      # Remove comment from the PR (no more breaking changes)
+      - name: Remove comment from PR
+        if: steps.levitate-run.outputs.exit_code == 0
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
+        with:
+          header: levitate-breaking-change-comment
+          number: ${{ github.event.pull_request.number }}
+          delete: true
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Send Slack Message via Payload
+        id: slack
+        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && github.repository == 'grafana/grafana'
+        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
+        with:
+          channel-id: "C031SLFH6G0"
+          payload:  |
+            {
+              "channel": "C031SLFH6G0",
+              "text": ":warning: Possible breaking changes detected in *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :warning:",
+              "icon_emoji": ":grot:",
+              "username": "Levitate Bot",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*grafana/grafana* repository has possible breaking changes"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n\nAuthor: ${{ github.event.pull_request.user.login }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>"
+                    }
+                  ]
+                }
+              ]
+            }
+
+      # Add the label
+      - name: Add "levitate breaking change" label
+        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            await github.rest.issues.addLabels({
+              issue_number: process.env.PR_NUMBER,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['levitate breaking change']
+            })
+
+      # Remove label (no more breaking changes)
+      - name: Remove "levitate breaking change" label
+        if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            await github.rest.issues.removeLabel({
+              issue_number: process.env.PR_NUMBER,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              name: 'levitate breaking change'
+            })
+
+      # Add reviewers
+      # This is very weird, the actual request goes through (comes back with a 201), but does not assign the team.
+      # Related issue: https://github.com/renovatebot/renovate/issues/1908
+      - name: Add "grafana/plugins-platform-frontend" as a reviewer
+        if: steps.levitate-run.outputs.exit_code == 1
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            await github.rest.pulls.requestReviewers({
+              pull_number: process.env.PR_NUMBER,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              reviewers: [],
+              team_reviewers: ['plugins-platform-frontend']
+            });
+
+      # Remove reviewers (no more breaking changes)
+      - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
+        if: steps.levitate-run.outputs.exit_code == 0
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            await github.rest.pulls.removeRequestedReviewers({
+              pull_number: process.env.PR_NUMBER,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              reviewers: [],
+              team_reviewers: ['plugins-platform-frontend']
+            });
+
+      - name: Exit
+        run: |
+          if [ "${LV_EXIT_CODE}" -ne 0 ]; then
+            echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
+          fi
+
+          exit "${LV_EXIT_CODE}"
+        shell: bash
+        env:
+          LV_EXIT_CODE: ${{ steps.levitate-run.outputs.exit_code }}

.github/workflows/detect-breaking-changes-levitate.yml.disabled

@@ -1,411 +0,0 @@
-# Only runs if anything under the packages/ directory changes.
----
-name: Levitate / Detect breaking changes in PR
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-on:
-  pull_request:
-    paths:
-      - 'packages/**'
-      - '.nvmrc'
-      - '.github/workflows/detect-breaking-changes-levitate.yml'
-    branches:
-      - 'main'
-
-jobs:
-  buildPR:
-    name: Build PR packages artifacts
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: './pr'
-    permissions:
-      contents: read
-      id-token: write
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          path: './pr'
-          persist-credentials: false
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: './pr/.nvmrc'
-
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
-
-      - name: Restore yarn cache
-        uses: actions/cache@v4
-        id: yarn-cache
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: yarn-cache-folder-${{ hashFiles('**/yarn.lock', '.yarnrc.yml') }}
-          restore-keys: |
-            yarn-cache-folder-
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Build packages
-        run: yarn packages:build
-
-      - name: Pack packages
-        run: yarn packages:pack --out ./%s.tgz
-
-      - name: Zip built tarballed packages
-        run: zip -r ./pr_built_packages.zip ./packages/**/*.tgz
-
-      - name: Upload build output as artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: buildPr
-          path: './pr/pr_built_packages.zip'
-
-  buildBase:
-    name: Build Base packages artifacts
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    defaults:
-      run:
-        working-directory: './base'
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          path: './base'
-          ref: ${{ github.event.pull_request.base.ref }}
-          persist-credentials: false
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: './base/.nvmrc'
-
-      - name: Get yarn cache directory path
-        id: yarn-cache-dir-path
-        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
-
-      - name: Restore yarn cache
-        uses: actions/cache@v4
-        id: yarn-cache
-        with:
-          path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
-          key: yarn-cache-folder-${{ hashFiles('**/yarn.lock', '.yarnrc.yml') }}
-          restore-keys: |
-            yarn-cache-folder-
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Build packages
-        run: yarn packages:build
-
-      - name: Pack packages
-        run: yarn packages:pack --out ./%s.tgz
-
-      - name: Zip built tarballed packages
-        run: zip -r ./base_built_packages.zip ./packages/**/*.tgz
-
-      - name: Upload build output as artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: buildBase
-          path: './base/base_built_packages.zip'
-
-  Detect:
-    name: Detect breaking changes between PR and base
-    runs-on: ubuntu-latest
-    needs: ['buildPR', 'buildBase']
-    env:
-      GITHUB_STEP_NUMBER: 8
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: actions/setup-node@v6
-        with:
-          node-version-file: '.nvmrc'
-
-      - name: Get built packages from pr
-        uses: actions/download-artifact@v6
-        with:
-          name: buildPr
-
-      - name: Get built packages from base
-        uses: actions/download-artifact@v6
-        with:
-          name: buildBase
-
-      - name: Unzip artifact from pr
-        run: unzip -j pr_built_packages.zip -d ./pr && rm pr_built_packages.zip
-
-      - name: Unzip artifact from base
-        run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
-
-      - id: 'auth'
-        uses: 'google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093'
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        with:
-          workload_identity_provider: projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider
-          service_account: github-plugins-data-levitate@grafanalabs-workload-identity.iam.gserviceaccount.com
-          project_id: 'grafanalabs-global'
-
-      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db'
-        if: github.event.pull_request.head.repo.full_name == github.repository
-        with:
-          version: '>= 363.0.0'
-          project_id: 'grafanalabs-global'
-          install_components: 'bq'
-
-      - name: Detect breaking changes
-        id: breaking-changes
-        run: ./scripts/check-breaking-changes.sh
-        env:
-          FORCE_COLOR: 3
-          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} # used in check-breaking-changes.sh and levitate-parse-json-report.js
-
-      - name: Persisting the check output
-        run: |
-            mkdir -p ./levitate
-            echo "{ \"exit_code\": ${IS_BREAKING}, \"message\": \"${MESSAGE}\", \"pr_number\": \"${PR_NUMBER}\" }" > ./levitate/result.json
-        env:
-          IS_BREAKING: ${{ steps.breaking-changes.outputs.is_breaking }}
-          MESSAGE: ${{ steps.breaking-changes.outputs.message }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-
-      - name: Upload check output as artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: levitate
-          path: levitate/
-
-
-  Report:
-    name: Report breaking changes in PR comment
-    runs-on: ubuntu-latest
-    needs: ['Detect']
-    permissions:
-      contents: read
-      id-token: write
-    if: github.event.pull_request.head.repo.full_name == github.repository
-
-    steps:
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana in vault
-          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
-
-      - name: Generate token
-        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: 'Download artifact'
-        uses: actions/download-artifact@v6
-        with:
-          name: levitate
-
-      - name: Parsing levitate result
-        uses: actions/github-script@v8
-        id: levitate-run
-        with:
-          script: |
-            const filePath = 'result.json';
-            const script = require('./.github/workflows/scripts/json-file-to-job-output.js');
-            await script({ core, filePath });
-
-      # Check if label exists
-      - name: Check if "levitate breaking change" label exists
-        id: does-label-exist
-        uses: actions/github-script@v8
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        with:
-          script: |
-            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
-              issue_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-            });
-            return labels.some(label => label.name === 'levitate breaking change') ? 1 : 0
-
-      # put the markdown into a variable
-      - name: Levitate Markdown
-        id: levitate-markdown
-        run: |
-            if [ -f "levitate.md" ]; then
-            {
-              echo 'levitate_markdown<<EOF'
-              cat levitate.md
-              echo EOF
-            } >> "$GITHUB_OUTPUT"
-            else
-              echo "levitate_markdown=No breaking changes detected" >> "$GITHUB_OUTPUT"
-            fi
-
-
-      # Comment on the PR
-      - name: Comment on PR
-        if: steps.levitate-run.outputs.exit_code == 1
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
-        with:
-          header: levitate-breaking-change-comment
-          number: ${{ github.event.pull_request.number }}
-          message: |
-            ⚠️ &nbsp;&nbsp;**Possible breaking changes (md version)**&nbsp;&nbsp; ⚠️
-
-            ${{ steps.levitate-markdown.outputs.levitate_markdown }}
-
-            [Read our guideline](https://github.com/grafana/grafana/blob/main/contribute/breaking-changes-guide/breaking-changes-guide.md)
-
-            * Your pull request merge won't be blocked.
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      # Remove comment from the PR (no more breaking changes)
-      - name: Remove comment from PR
-        if: steps.levitate-run.outputs.exit_code == 0
-        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405
-        with:
-          header: levitate-breaking-change-comment
-          number: ${{ github.event.pull_request.number }}
-          delete: true
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      - name: Send Slack Message via Payload
-        id: slack
-        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && github.repository == 'grafana/grafana'
-        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
-        with:
-          channel-id: "C031SLFH6G0"
-          payload:  |
-            {
-              "channel": "C031SLFH6G0",
-              "text": ":warning: Possible breaking changes detected in *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :warning:",
-              "icon_emoji": ":grot:",
-              "username": "Levitate Bot",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*grafana/grafana* repository has possible breaking changes"
-                  }
-                },
-                {
-                  "type": "section",
-                  "fields": [
-                    {
-                      "type": "mrkdwn",
-                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n\nAuthor: ${{ github.event.pull_request.user.login }}"
-                    },
-                    {
-                      "type": "mrkdwn",
-                      "text": "*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>"
-                    }
-                  ]
-                }
-              ]
-            }
-
-      # Add the label
-      - name: Add "levitate breaking change" label
-        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0
-        uses: actions/github-script@v8
-        env:
-          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            await github.rest.issues.addLabels({
-              issue_number: process.env.PR_NUMBER,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              labels: ['levitate breaking change']
-            })
-
-      # Remove label (no more breaking changes)
-      - name: Remove "levitate breaking change" label
-        if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1
-        uses: actions/github-script@v8
-        env:
-          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            await github.rest.issues.removeLabel({
-              issue_number: process.env.PR_NUMBER,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              name: 'levitate breaking change'
-            })
-
-      # Add reviewers
-      # This is very weird, the actual request goes through (comes back with a 201), but does not assign the team.
-      # Related issue: https://github.com/renovatebot/renovate/issues/1908
-      - name: Add "grafana/plugins-platform-frontend" as a reviewer
-        if: steps.levitate-run.outputs.exit_code == 1
-        uses: actions/github-script@v8
-        env:
-          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            await github.rest.pulls.requestReviewers({
-              pull_number: process.env.PR_NUMBER,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              reviewers: [],
-              team_reviewers: ['plugins-platform-frontend']
-            });
-
-      # Remove reviewers (no more breaking changes)
-      - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
-        if: steps.levitate-run.outputs.exit_code == 0
-        uses: actions/github-script@v8
-        env:
-          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            await github.rest.pulls.removeRequestedReviewers({
-              pull_number: process.env.PR_NUMBER,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              reviewers: [],
-              team_reviewers: ['plugins-platform-frontend']
-            });
-
-      - name: Exit
-        run: |
-          if [ "${LV_EXIT_CODE}" -ne 0 ]; then
-            echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
-          fi
-
-          exit "${LV_EXIT_CODE}"
-        shell: bash
-        env:
-          LV_EXIT_CODE: ${{ steps.levitate-run.outputs.exit_code }}

.github/workflows/detect-plugin-extension-changes.yml

@@ -0,0 +1,156 @@
+---
+name: Detect Plugin Extension Changes
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - 'packages/**'
+      - 'public/**'
+
+env:
+  # Space-separated list of keywords referring to plugin extensions
+  PLUGIN_EXTENSION_KEYWORDS: "usePluginLinks, usePluginComponent, usePluginComponents, usePluginFunctions, PluginExtensionPoints"
+
+jobs:
+  detect-plugin-extension-changes:
+    name: Detect Plugin Extension Changes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    if: github.event.pull_request.head.repo.full_name == github.repository
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Check for plugin extension changes
+        id: check-changes
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { execSync } = require('child_process');
+            const fs = require('fs');
+            
+            // Plugin extension keywords from environment
+            const keywords = process.env.PLUGIN_EXTENSION_KEYWORDS.split(',');
+            const baseSha = '${{ github.event.pull_request.base.sha }}';
+            const headSha = '${{ github.event.pull_request.head.sha }}';
+            
+            console.log('Checking for plugin extension changes...');
+            console.log('Keywords:', keywords);
+            
+            // Get changed files in packages/ and public/ directories
+            let changedFiles = [];
+            const diffOutput = execSync(
+              `git diff --name-only ${baseSha}...${headSha} -- packages/ public/`,
+              { encoding: 'utf8' }
+            ).trim();
+            
+            if (diffOutput) {
+              changedFiles = diffOutput.split('\n').filter(file => {
+                // Validate file path and ensure it's in target directories
+                return file.match(/^(packages\/|public\/)/) && 
+                        file.match(/^[a-zA-Z0-9._/-]+$/) && 
+                        fs.existsSync(file);
+              });
+            }
+            
+            console.log('Changed files to check:', changedFiles);
+            
+            // Check each file for plugin extension keywords
+            const filesWithChanges = new Set();
+            let hasPluginExtensionChanges = false;
+            
+            for (const file of changedFiles) {
+              try {
+                // Get the diff for this specific file
+                const fileDiff = execSync(
+                  `git diff ${baseSha}...${headSha} -- "${file}"`,
+                  { encoding: 'utf8' }
+                );
+                
+                // Check if any keywords are in the diff
+                for (const keyword of keywords) {
+                  if (fileDiff.includes(keyword)) {
+                    console.log(`Found ${keyword} in ${file}`);
+                    filesWithChanges.add(file);
+                    hasPluginExtensionChanges = true;
+                    break; // Found at least one keyword, move to next file
+                  }
+                }
+              } catch (error) {
+                console.log(`Error checking file ${file}:`, error.message);
+              }
+            }
+            
+            // Set outputs
+            const filesArray = Array.from(filesWithChanges);
+            const formattedFiles = filesArray.length > 0 
+              ? '`' + filesArray.join('`\\n- `') + '`'
+              : '';
+            
+            core.setOutput('plugin_extension_changes', hasPluginExtensionChanges.toString());
+            core.setOutput('formatted_changed_files', formattedFiles);
+
+            if (hasPluginExtensionChanges) {
+              console.log('The following files have changes that may affect plugin extensions:');
+              console.log(filesArray);
+            } else {
+              console.log('No changes detected in core Grafana extensions or extension points.');
+            }
+
+      - name: Send Slack Message via Payload
+        id: slack
+        if: steps.check-changes.outputs.plugin_extension_changes == 'true'
+        uses: grafana/shared-workflows/actions/send-slack-message@0941e3408fa4789fec9062c44a2a9e1832146ba6 #v2.0.1
+        with:
+          method: chat.postMessage
+          payload-templated: true
+          payload: |
+            {
+              "channel": "C031SLFH6G0",
+              "text": "Plugin Extension changes in core Grafana *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :information_source:",
+              "icon_emoji": ":grot:",
+              "username": "Plugin Extension Bot",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*Plugin Extensions:* possible changes to extension points in core Grafana."
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>\n*Author:* ${{ github.event.pull_request.user.login }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*File(s) with changes:*\n- ${{ steps.check-changes.outputs.formatted_changed_files }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*What to do?*\nMake sure that:\n- All extension point ids start with `grafana/`\n- All extension point ids are exposed via <https://github.com/grafana/grafana/blob/main/packages/grafana-data/src/types/pluginExtensions.ts#L183|the `PluginExtensionPoints` enum in grafana-data>\n- Core Grafana is not registering extensions to extension points offered by plugins"
+                  }
+                }
+              ]
+            } 

.github/workflows/detect-plugin-extension-changes.yml.disabled

@@ -1,156 +0,0 @@
----
-name: Detect Plugin Extension Changes
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-on:
-  pull_request:
-    branches:
-      - 'main'
-    paths:
-      - 'packages/**'
-      - 'public/**'
-
-env:
-  # Space-separated list of keywords referring to plugin extensions
-  PLUGIN_EXTENSION_KEYWORDS: "usePluginLinks, usePluginComponent, usePluginComponents, usePluginFunctions, PluginExtensionPoints"
-
-jobs:
-  detect-plugin-extension-changes:
-    name: Detect Plugin Extension Changes
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    if: github.event.pull_request.head.repo.full_name == github.repository
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Check for plugin extension changes
-        id: check-changes
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const { execSync } = require('child_process');
-            const fs = require('fs');
-            
-            // Plugin extension keywords from environment
-            const keywords = process.env.PLUGIN_EXTENSION_KEYWORDS.split(',');
-            const baseSha = '${{ github.event.pull_request.base.sha }}';
-            const headSha = '${{ github.event.pull_request.head.sha }}';
-            
-            console.log('Checking for plugin extension changes...');
-            console.log('Keywords:', keywords);
-            
-            // Get changed files in packages/ and public/ directories
-            let changedFiles = [];
-            const diffOutput = execSync(
-              `git diff --name-only ${baseSha}...${headSha} -- packages/ public/`,
-              { encoding: 'utf8' }
-            ).trim();
-            
-            if (diffOutput) {
-              changedFiles = diffOutput.split('\n').filter(file => {
-                // Validate file path and ensure it's in target directories
-                return file.match(/^(packages\/|public\/)/) && 
-                        file.match(/^[a-zA-Z0-9._/-]+$/) && 
-                        fs.existsSync(file);
-              });
-            }
-            
-            console.log('Changed files to check:', changedFiles);
-            
-            // Check each file for plugin extension keywords
-            const filesWithChanges = new Set();
-            let hasPluginExtensionChanges = false;
-            
-            for (const file of changedFiles) {
-              try {
-                // Get the diff for this specific file
-                const fileDiff = execSync(
-                  `git diff ${baseSha}...${headSha} -- "${file}"`,
-                  { encoding: 'utf8' }
-                );
-                
-                // Check if any keywords are in the diff
-                for (const keyword of keywords) {
-                  if (fileDiff.includes(keyword)) {
-                    console.log(`Found ${keyword} in ${file}`);
-                    filesWithChanges.add(file);
-                    hasPluginExtensionChanges = true;
-                    break; // Found at least one keyword, move to next file
-                  }
-                }
-              } catch (error) {
-                console.log(`Error checking file ${file}:`, error.message);
-              }
-            }
-            
-            // Set outputs
-            const filesArray = Array.from(filesWithChanges);
-            const formattedFiles = filesArray.length > 0 
-              ? '`' + filesArray.join('`\\n- `') + '`'
-              : '';
-            
-            core.setOutput('plugin_extension_changes', hasPluginExtensionChanges.toString());
-            core.setOutput('formatted_changed_files', formattedFiles);
-
-            if (hasPluginExtensionChanges) {
-              console.log('The following files have changes that may affect plugin extensions:');
-              console.log(filesArray);
-            } else {
-              console.log('No changes detected in core Grafana extensions or extension points.');
-            }
-
-      - name: Send Slack Message via Payload
-        id: slack
-        if: steps.check-changes.outputs.plugin_extension_changes == 'true'
-        uses: grafana/shared-workflows/actions/send-slack-message@0941e3408fa4789fec9062c44a2a9e1832146ba6 #v2.0.1
-        with:
-          method: chat.postMessage
-          payload-templated: true
-          payload: |
-            {
-              "channel": "C031SLFH6G0",
-              "text": "Plugin Extension changes in core Grafana *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :information_source:",
-              "icon_emoji": ":grot:",
-              "username": "Plugin Extension Bot",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*Plugin Extensions:* possible changes to extension points in core Grafana."
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>\n*Author:* ${{ github.event.pull_request.user.login }}"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*File(s) with changes:*\n- ${{ steps.check-changes.outputs.formatted_changed_files }}"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*What to do?*\nMake sure that:\n- All extension point ids start with `grafana/`\n- All extension point ids are exposed via <https://github.com/grafana/grafana/blob/main/packages/grafana-data/src/types/pluginExtensions.ts#L183|the `PluginExtensionPoints` enum in grafana-data>\n- Core Grafana is not registering extensions to extension points offered by plugins"
-                  }
-                }
-              ]
-            } 

.github/workflows/documentation-ci.yml

@@ -0,0 +1,26 @@
+name: Documentation CI
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["docs/sources/**"]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  vale:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+    container:
+      image: grafana/vale:latest # zizmor: ignore[unpinned-images]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
+        with:
+          filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/documentation-ci.yml.disabled

@@ -1,26 +0,0 @@
-name: Documentation CI
-on:
-  pull_request:
-    branches: ["main"]
-    paths: ["docs/sources/**"]
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  vale:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      security-events: write
-    container:
-      image: grafana/vale:latest # zizmor: ignore[unpinned-images]
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
-        with:
-          filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
-          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ephemeral-instances-pr-comment.yml

@@ -42,7 +42,7 @@ jobs:
           private_key: ${{ env.APP_PEM }}
 
       - name: Checkout ephemeral instances repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           repository: grafana/ephemeral-grafana-instances-github-action
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/feature-toggles-ci.yml

@@ -0,0 +1,31 @@
+name: Feature toggles CI
+
+on:
+  pull_request:
+    paths:
+      - 'pkg/services/featuremgmt/toggles_gen_test.go'
+      - 'pkg/services/featuremgmt/registry.go'
+      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
+
+permissions: {}
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v5.5.0
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run feature toggle tests
+        run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/

.github/workflows/feature-toggles-ci.yml.disabled

@@ -1,33 +0,0 @@
-name: Feature toggles CI
-
-on:
-  pull_request:
-    paths:
-      - 'pkg/services/featuremgmt/toggles_gen_test.go'
-      - 'pkg/services/featuremgmt/registry.go'
-      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
-
-permissions: {}
-
-jobs:
-  test:
-    name: Feature toggles documentation is in sync with source
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Set up Go
-        uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: 'go.mod'
-          cache: true
-
-      - name: Run feature toggle tests
-        run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/

.github/workflows/frontend-lint.yml

@@ -0,0 +1,189 @@
+name: Lint Frontend
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+permissions: {}
+
+jobs:
+  detect-changes:
+    name: Detect whether code changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.detect-changes.outputs.frontend }}
+      prettier: ${{ steps.detect-changes.outputs.frontend == 'true' || steps.detect-changes.outputs.docs == 'true' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true # required to get more history in the changed-files action
+          fetch-depth: 2
+      - name: Detect changes
+        id: detect-changes
+        uses: ./.github/actions/change-detection
+        with:
+          self: .github/workflows/frontend-lint.yml
+
+  lint-frontend-prettier:
+    needs: detect-changes
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-prettier-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.prettier == 'true'
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-prettier-enterprise:
+    needs: detect-changes
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.prettier == 'true'
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-typecheck:
+    needs: detect-changes
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-typecheck-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-typecheck-enterprise:
+    needs: detect-changes
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-api-clients:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-api-clients-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Verify API clients
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - name: Generate API clients
+      run: |
+        extract_error_message='ERROR! API client generation failed!'
+        yarn generate-apis || (echo "${extract_error_message}" && false)
+    - name: Verify generated clients
+      run: |
+        uncommited_error_message="ERROR! API client generation has not been committed. Please run 'yarn generate-apis', commit the changes and push again."
+        file_diff="$(git diff ':!conf')"
+        if [ -n "$file_diff" ]; then
+            echo "$file_diff"
+            echo "${uncommited_error_message}"
+            exit 1
+        fi
+  lint-frontend-api-clients-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Verify API clients (enterprise)
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - name: Generate API clients
+      run: |
+        extract_error_message='ERROR! API client generation failed!'
+        yarn generate-apis || (echo "${extract_error_message}" && false)
+    - name: Verify generated clients
+      run: |
+        uncommited_error_message="ERROR! API client generation has not been committed. Please run 'yarn generate-apis', commit the changes and push again."
+        file_diff="$(git diff ':!conf')"
+        if [ -n "$file_diff" ]; then
+            echo "$file_diff"
+            echo "${uncommited_error_message}"
+            exit 1
+        fi

.github/workflows/frontend-lint.yml.disabled

@@ -1,189 +0,0 @@
-name: Lint Frontend
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-permissions: {}
-
-jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.frontend }}
-      prettier: ${{ steps.detect-changes.outputs.frontend == 'true' || steps.detect-changes.outputs.docs == 'true' }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/frontend-lint.yml
-
-  lint-frontend-prettier:
-    needs: detect-changes
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-prettier-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.prettier == 'true'
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-prettier-enterprise:
-    needs: detect-changes
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.prettier == 'true'
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-typecheck:
-    needs: detect-changes
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-typecheck-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
-    name: Typecheck
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run typecheck
-  lint-frontend-typecheck-enterprise:
-    needs: detect-changes
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
-    name: Typecheck
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run typecheck
-  lint-frontend-api-clients:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-api-clients-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
-    name: Verify API clients
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - name: Generate API clients
-      run: |
-        extract_error_message='ERROR! API client generation failed!'
-        yarn generate-apis || (echo "${extract_error_message}" && false)
-    - name: Verify generated clients
-      run: |
-        uncommited_error_message="ERROR! API client generation has not been committed. Please run 'yarn generate-apis', commit the changes and push again."
-        file_diff="$(git diff ':!conf')"
-        if [ -n "$file_diff" ]; then
-            echo "$file_diff"
-            echo "${uncommited_error_message}"
-            exit 1
-        fi
-  lint-frontend-api-clients-enterprise:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
-    name: Verify API clients (enterprise)
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v6
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - name: Generate API clients
-      run: |
-        extract_error_message='ERROR! API client generation failed!'
-        yarn generate-apis || (echo "${extract_error_message}" && false)
-    - name: Verify generated clients
-      run: |
-        uncommited_error_message="ERROR! API client generation has not been committed. Please run 'yarn generate-apis', commit the changes and push again."
-        file_diff="$(git diff ':!conf')"
-        if [ -n "$file_diff" ]; then
-            echo "$file_diff"
-            echo "${uncommited_error_message}"
-            exit 1
-        fi

.github/workflows/frontend-perf-tests.yaml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
           persist-credentials: false
 

.github/workflows/go-lint.yml

@@ -0,0 +1,74 @@
+name: golangci-lint
+on:
+  push:
+    paths:
+      - pkg/**
+      - .github/workflows/go-lint.yml
+      - go.*
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  detect-changes:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
+    name: Detect whether code changed
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      changed: ${{ steps.detect-changes.outputs.backend }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true # required to get more history in the changed-files action
+          fetch-depth: 2
+      - name: Detect changes
+        id: detect-changes
+        uses: ./.github/actions/change-detection
+        with:
+          self: .github/workflows/go-lint.yml
+
+  go-fmt:
+    needs: detect-changes
+    if: needs.detect-changes.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v5.5.0
+        with:
+          go-version-file: ./go.mod
+      - name: Run gofmt
+        run: |
+          GOFMT="$(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}' | xargs gofmt -s -e -l 2>&1 | grep -v '/pkg/build/' || true)"
+          if [ -n "$GOFMT" ]; then
+            echo "Found files that are not gofmt'ed"
+            echo "Run 'gofmt -s -w .' or 'make gofmt' or install the pre-commit hook with 'make lefthook-install'"
+            echo "${GOFMT}"
+            exit 1
+          fi
+
+  lint-go:
+    needs: detect-changes
+    if: needs.detect-changes.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@v5.5.0
+        with:
+          go-version-file: ./go.mod
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
+        with:
+          version: v2.5.0
+          args: |
+            --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
+          install-mode: binary

.github/workflows/go-lint.yml.disabled

@@ -1,74 +0,0 @@
-name: golangci-lint
-on:
-  push:
-    paths:
-      - pkg/**
-      - .github/workflows/go-lint.yml
-      - go.*
-    branches:
-      - main
-  pull_request:
-
-permissions:
-  contents: read
-
-jobs:
-  detect-changes:
-    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
-    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.backend }}
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/go-lint.yml
-
-  go-fmt:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: ./go.mod
-      - name: Run gofmt
-        run: |
-          GOFMT="$(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}' | xargs gofmt -s -e -l 2>&1 | grep -v '/pkg/build/' || true)"
-          if [ -n "$GOFMT" ]; then
-            echo "Found files that are not gofmt'ed"
-            echo "Run 'gofmt -s -w .' or 'make gofmt' or install the pre-commit hook with 'make lefthook-install'"
-            echo "${GOFMT}"
-            exit 1
-          fi
-
-  lint-go:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
-    runs-on: ubuntu-x64-large-io
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - uses: actions/setup-go@v6.0.0
-        with:
-          go-version-file: ./go.mod
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
-        with:
-          version: v2.5.0
-          args: |
-            --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
-          install-mode: binary

.github/workflows/issue-opened.yml

@@ -0,0 +1,169 @@
+name: Run commands when issues are opened
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
+on:
+  issues:
+    types: [opened]
+
+concurrency:
+  group: issue-opened-${{ github.event.issue.number }}
+
+permissions: {}
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+
+      # give issue-openers a chance to add labels after submit
+      - name: Sleep for 2 minutes
+        run: sleep 2m
+        shell: bash
+
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.2.1 # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+
+      - name: Generate token
+        id: generate_token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          permission-issues: write
+
+      - name: Run Commands
+        uses: ./actions/commands
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          configPath: "issue-opened"
+
+  auto-triage:
+    needs: [main]
+    permissions:
+      contents: read
+      id-token: write
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.2.1 # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
+          repo_secrets: |
+            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
+            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
+            GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
+            GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem
+
+      - name: Generate token
+        id: generate_token
+        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          permission-members: read
+          permission-issues: write
+      - name: Check if member of grafana org
+        id: check-if-grafana-org-member
+        continue-on-error: true
+        run: gh api https://api.github.com/orgs/grafana/members/${{ env.ACTOR }} >/dev/null 2>&1 && echo "is_grafana_org_member=true" >> "$GITHUB_OUTPUT"
+        env:
+            GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+            ACTOR: ${{ github.actor }}
+      - name: Checkout
+        if: steps.check-if-grafana-org-member.outputs.is_grafana_org_member != 'true' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          persist-credentials: false
+          sparse-checkout: |
+            .github/workflows/auto-triager
+      - name: Send issue to the auto triager action
+        id: auto_triage
+        if: steps.check-if-grafana-org-member.outputs.is_grafana_org_member != 'true' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
+        uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          issue_number: ${{ github.event.issue.number }}
+          openai_api_key: ${{ env.AUTOTRIAGER_OPENAI_API_KEY }}
+          add_labels: true
+          labels_file: ${{ github.workspace }}/.github/workflows/auto-triager/labels.txt
+          types_file: ${{ github.workspace }}/.github/workflows/auto-triager/types.txt
+          prompt_file: ${{ github.workspace }}/.github/workflows/auto-triager/prompt.txt
+
+      - name: "Send Slack notification"
+        if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
+        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        with:
+          payload: >
+            {
+              "icon_emoji": ":robocto:",
+              "username": "Auto Triager",
+              "type": "mrkdwn",
+              "text": "Auto triager found the following labels: ${{ steps.auto_triage.outputs.triage_labels }} for issue ${{ github.event.issue.html_url }}",
+              "channel": "#triage-automation-ci"
+            }
+        env:
+          SLACK_WEBHOOK_URL:  ${{ env.AUTOTRIAGER_SLACK_WEBHOOK_URL }}
+  auto-label-internal-issues:
+    needs: [main]
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      id-token: write
+    steps:
+        - name: "Get vault secrets"
+          id: vault-secrets
+          uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.2.1 # zizmor: ignore[unpinned-uses]
+          with:
+            # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
+            repo_secrets: |
+              GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
+              GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem  
+        - name: Generate token
+          id: generate_token
+          uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+          with:
+            app-id: ${{ env.GITHUB_APP_ID }}
+            private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+            permission-members: read
+        - name: Check if member of grafana org
+          id: check-if-grafana-org-member
+          continue-on-error: true
+          run: gh api https://api.github.com/orgs/grafana/members/${{ env.ACTOR }} >/dev/null 2>&1 && echo "is_grafana_org_member=true" >> "$GITHUB_OUTPUT"
+          env:
+              GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+              ACTOR: ${{ github.actor }}
+        - name: "Auto label internal issues"
+          if:  steps.check-if-grafana-org-member.outputs.is_grafana_org_member == 'true' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'OWNER'
+          run: gh issue edit "$NUMBER" --add-label "$LABELS"
+          env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            GH_REPO: ${{ github.repository }}
+            NUMBER: ${{ github.event.issue.number }}
+            LABELS: internal

.github/workflows/issue-opened.yml.disabled

@@ -1,169 +0,0 @@
-name: Run commands when issues are opened
-
-# important: this workflow uses a github app that is strictly limited
-# to issues. If you want to change the triggers for this workflow,
-# please review if the permissions are still sufficient.
-on:
-  issues:
-    types: [opened]
-
-concurrency:
-  group: issue-opened-${{ github.event.issue.number }}
-
-permissions: {}
-
-jobs:
-  main:
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-
-      - name: Checkout Actions
-        uses: actions/checkout@v5
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-
-      # give issue-openers a chance to add labels after submit
-      - name: Sleep for 2 minutes
-        run: sleep 2m
-        shell: bash
-
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.3.0 # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
-          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
-
-      - name: Generate token
-        id: generate_token
-        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-          permission-issues: write
-
-      - name: Run Commands
-        uses: ./actions/commands
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          configPath: "issue-opened"
-
-  auto-triage:
-    needs: [main]
-    permissions:
-      contents: read
-      id-token: write
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.3.0 # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
-          repo_secrets: |
-            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
-            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
-            GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
-            GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem
-
-      - name: Generate token
-        id: generate_token
-        uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-          permission-members: read
-          permission-issues: write
-      - name: Check if member of grafana org
-        id: check-if-grafana-org-member
-        continue-on-error: true
-        run: gh api https://api.github.com/orgs/grafana/members/${{ env.ACTOR }} >/dev/null 2>&1 && echo "is_grafana_org_member=true" >> "$GITHUB_OUTPUT"
-        env:
-            GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-            ACTOR: ${{ github.actor }}
-      - name: Checkout
-        if: steps.check-if-grafana-org-member.outputs.is_grafana_org_member != 'true' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-          sparse-checkout: |
-            .github/workflows/auto-triager
-      - name: Send issue to the auto triager action
-        id: auto_triage
-        if: steps.check-if-grafana-org-member.outputs.is_grafana_org_member != 'true' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
-        uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          issue_number: ${{ github.event.issue.number }}
-          openai_api_key: ${{ env.AUTOTRIAGER_OPENAI_API_KEY }}
-          add_labels: true
-          labels_file: ${{ github.workspace }}/.github/workflows/auto-triager/labels.txt
-          types_file: ${{ github.workspace }}/.github/workflows/auto-triager/types.txt
-          prompt_file: ${{ github.workspace }}/.github/workflows/auto-triager/prompt.txt
-
-      - name: "Send Slack notification"
-        if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
-        with:
-          payload: >
-            {
-              "icon_emoji": ":robocto:",
-              "username": "Auto Triager",
-              "type": "mrkdwn",
-              "text": "Auto triager found the following labels: ${{ steps.auto_triage.outputs.triage_labels }} for issue ${{ github.event.issue.html_url }}",
-              "channel": "#triage-automation-ci"
-            }
-        env:
-          SLACK_WEBHOOK_URL:  ${{ env.AUTOTRIAGER_SLACK_WEBHOOK_URL }}
-  auto-label-internal-issues:
-    needs: [main]
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      id-token: write
-    steps:
-        - name: "Get vault secrets"
-          id: vault-secrets
-          uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets/v1.3.0 # zizmor: ignore[unpinned-uses]
-          with:
-            # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
-            repo_secrets: |
-              GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
-              GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem
-        - name: Generate token
-          id: generate_token
-          uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-          with:
-            app-id: ${{ env.GITHUB_APP_ID }}
-            private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-            permission-members: read
-        - name: Check if member of grafana org
-          id: check-if-grafana-org-member
-          continue-on-error: true
-          run: gh api https://api.github.com/orgs/grafana/members/${{ env.ACTOR }} >/dev/null 2>&1 && echo "is_grafana_org_member=true" >> "$GITHUB_OUTPUT"
-          env:
-              GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-              ACTOR: ${{ github.actor }}
-        - name: "Auto label internal issues"
-          if:  steps.check-if-grafana-org-member.outputs.is_grafana_org_member == 'true' || github.event.issue.author_association == 'MEMBER' || github.event.issue.author_association == 'OWNER'
-          run: gh issue edit "$NUMBER" --add-label "$LABELS"
-          env:
-            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            GH_REPO: ${{ github.repository }}
-            NUMBER: ${{ github.event.issue.number }}
-            LABELS: internal

.github/workflows/lint-build-docs.yml

@@ -0,0 +1,70 @@
+name: Documentation
+
+on:
+  pull_request:
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+
+permissions: {}
+
+jobs:
+  docs:
+    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
+    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
+    name: Build & Verify Docs
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Lint docs
+        run: yarn run prettier:checkDocs
+        env:
+          # Increase memory for prettier due to large number of files
+          NODE_OPTIONS: --max_old_space_size=8192
+
+      - name: Build docs website
+        run: |
+          # Create and start a container from the docs-base image in detached mode
+          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
+
+          # Create the directory structure inside the container
+          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
+
+          # Create the _index.md file
+          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
+
+          # Copy the docs sources from the host to the container
+          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
+
+          # Run the make prod command inside the container
+          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
+
+          # Clean up the container
+          docker rm -f docs-builder

.github/workflows/lint-build-docs.yml.disabled

@@ -1,70 +0,0 @@
-name: Documentation
-
-on:
-  pull_request:
-    paths:
-      - '*.md'
-      - 'docs/**'
-      - 'packages/**/*.md'
-      - 'latest.json'
-  push:
-    branches:
-      - main
-    paths:
-      - '*.md'
-      - 'docs/**'
-      - 'packages/**/*.md'
-      - 'latest.json'
-
-permissions: {}
-
-jobs:
-  docs:
-    # Run on `grafana/grafana` main branch, or on pull requests to prevent double-running on mirrors
-    if: (github.event_name == 'pull_request' || (github.event_name == 'push' && github.repository == 'grafana/grafana'))
-    name: Build & Verify Docs
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v6
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Lint docs
-        run: yarn run prettier:checkDocs
-        env:
-          # Increase memory for prettier due to large number of files
-          NODE_OPTIONS: --max_old_space_size=8192
-
-      - name: Build docs website
-        run: |
-          # Create and start a container from the docs-base image in detached mode
-          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
-
-          # Create the directory structure inside the container
-          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
-
-          # Create the _index.md file
-          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
-
-          # Copy the docs sources from the host to the container
-          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
-
-          # Run the make prod command inside the container
-          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
-
-          # Clean up the container
-          docker rm -f docs-builder

.github/workflows/pr-checks.yml

@@ -0,0 +1,46 @@
+name: PR Checks
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+      - labeled
+      - unlabeled
+      - edited
+      - auto_merge_enabled
+  issues:
+    types:
+      - milestoned
+      - demilestoned
+
+concurrency:
+  group: pr-checks-${{ github.event.number }}
+
+permissions:
+  statuses: write
+  checks: write
+  actions: write
+  contents: read
+  pull-requests: read
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: Run PR Checks
+        uses: ./actions/pr-checks
+        with:
+          token: ${{secrets.GITHUB_TOKEN}}
+          configPath: pr-checks

.github/workflows/pr-checks.yml.disabled

@@ -1,46 +0,0 @@
-name: PR Checks
-on:
-  pull_request_target:
-    types:
-      - opened
-      - reopened
-      - synchronize
-      - ready_for_review
-      - labeled
-      - unlabeled
-      - edited
-      - auto_merge_enabled
-  issues:
-    types:
-      - milestoned
-      - demilestoned
-
-concurrency:
-  group: pr-checks-${{ github.event.number }}
-
-permissions:
-  statuses: write
-  checks: write
-  actions: write
-  contents: read
-  pull-requests: read
-
-jobs:
-  main:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v5
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: Run PR Checks
-        uses: ./actions/pr-checks
-        with:
-          token: ${{secrets.GITHUB_TOKEN}}
-          configPath: pr-checks

.github/workflows/pr-codeql-analysis-javascript.yml

@@ -0,0 +1,37 @@
+name: "CodeQL for PR / javascript"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+    paths:
+      - '**/*.js'
+      - '**/*.ts'
+      - '**/*.tsx'
+
+permissions:
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+        persist-credentials: false
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: "javascript"
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-codeql-analysis-javascript.yml.disabled

@@ -1,37 +0,0 @@
-name: "CodeQL for PR / javascript"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-    paths:
-      - '**/*.js'
-      - '**/*.ts'
-      - '**/*.tsx'
-
-permissions:
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v5
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        persist-credentials: false
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
-      with:
-        languages: "javascript"
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4

.github/workflows/pr-codeql-analysis-python.yml

@@ -0,0 +1,48 @@
+name: "CodeQL for PR / python"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+    paths:
+      - '**/*.py'
+
+permissions:
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+        persist-credentials: false
+
+    - name: Check for Python files
+      id: check-python
+      run: |
+        if [ -z "$(find . -name '*.py' -type f)" ]; then
+          echo "No Python files found, skipping analysis"
+          echo "skip=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Python files found, proceeding with analysis"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+        fi
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      if: steps.check-python.outputs.skip != 'true'
+      uses: github/codeql-action/init@v3
+      with:
+        languages: "python"
+
+    - name: Perform CodeQL Analysis
+      if: steps.check-python.outputs.skip != 'true'
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-codeql-analysis-python.yml.disabled

@@ -1,48 +0,0 @@
-name: "CodeQL for PR / python"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-    paths:
-      - '**/*.py'
-
-permissions:
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v5
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        persist-credentials: false
-
-    - name: Check for Python files
-      id: check-python
-      run: |
-        if [ -z "$(find . -name '*.py' -type f)" ]; then
-          echo "No Python files found, skipping analysis"
-          echo "skip=true" >> "$GITHUB_OUTPUT"
-        else
-          echo "Python files found, proceeding with analysis"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-        fi
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      if: steps.check-python.outputs.skip != 'true'
-      uses: github/codeql-action/init@v4
-      with:
-        languages: "python"
-
-    - name: Perform CodeQL Analysis
-      if: steps.check-python.outputs.skip != 'true'
-      uses: github/codeql-action/analyze@v4

.github/workflows/pr-commands.yml

@@ -0,0 +1,31 @@
+name: PR automation
+on:
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - synchronize
+permissions: {}
+concurrency:
+  group: pr-commands-${{ github.event.number }}
+jobs:
+  main:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: Run Commands
+        uses: ./actions/commands
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          configPath: pr-commands

.github/workflows/pr-commands.yml.disabled

@@ -1,31 +0,0 @@
-name: PR automation
-on:
-  pull_request_target:
-    types:
-      - labeled
-      - opened
-      - synchronize
-permissions: {}
-concurrency:
-  group: pr-commands-${{ github.event.number }}
-jobs:
-  main:
-    permissions:
-      contents: read
-      pull-requests: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v5
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: Run Commands
-        uses: ./actions/commands
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          configPath: pr-commands

.github/workflows/pr-dependabot-update-go-workspace.yml

@@ -0,0 +1,69 @@
+name: "Update Go Workspace for Dependabot PRs"
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - .github/workflows/pr-dependabot-update-go-workspace.yml
+      - go.mod
+      - go.sum
+      - go.work
+      - go.work.sum
+      - '**/go.mod'
+      - '**/go.sum'
+      - '**.go'
+permissions:
+  contents: write
+  id-token: write
+jobs:
+  update:
+    runs-on: "ubuntu-latest"
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
+    continue-on-error: true
+    steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=grafana-go-workspace-bot:app-id
+          APP_INSTALLATION_ID=grafana-go-workspace-bot:app-installation-id
+          PRIVATE_KEY=grafana-go-workspace-bot:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+        ref: ${{ github.event.pull_request.head.ref }}
+        token: ${{ steps.generate_token.outputs.token }}
+        persist-credentials: false
+
+    - name: Set go version
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
+      with:
+        go-version-file: go.mod
+
+    - name: Configure Git
+      run: |
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local --add --bool push.autoSetupRemote true
+
+    - name: Update workspace
+      run: make update-workspace
+
+    - name: Commit and push workspace changes
+      env:
+        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
+      run: |
+        if ! git diff --exit-code --quiet; then
+          echo "Committing and pushing workspace changes"
+          git commit -a -m "update workspace"
+          git push origin "$BRANCH_NAME"
+        fi

.github/workflows/pr-dependabot-update-go-workspace.yml.disabled

@@ -1,69 +0,0 @@
-name: "Update Go Workspace for Dependabot PRs"
-on:
-  pull_request:
-    branches: [main]
-    paths:
-      - .github/workflows/pr-dependabot-update-go-workspace.yml
-      - go.mod
-      - go.sum
-      - go.work
-      - go.work.sum
-      - '**/go.mod'
-      - '**/go.sum'
-      - '**.go'
-permissions:
-  contents: write
-  id-token: write
-jobs:
-  update:
-    runs-on: "ubuntu-latest"
-    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
-    continue-on-error: true
-    steps:
-    - name: Retrieve GitHub App secrets
-      id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
-      with:
-        repo_secrets: |
-          APP_ID=grafana-go-workspace-bot:app-id
-          APP_INSTALLATION_ID=grafana-go-workspace-bot:app-installation-id
-          PRIVATE_KEY=grafana-go-workspace-bot:private-key
-
-    - name: Generate GitHub App token
-      id: generate_token
-      uses: actions/create-github-app-token@v1
-      with:
-        app-id: ${{ env.APP_ID }}
-        private-key: ${{ env.PRIVATE_KEY }}
-
-    - name: Checkout repository
-      uses: actions/checkout@v5
-      with:
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
-        ref: ${{ github.event.pull_request.head.ref }}
-        token: ${{ steps.generate_token.outputs.token }}
-        persist-credentials: false
-
-    - name: Set go version
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
-      with:
-        go-version-file: go.mod
-
-    - name: Configure Git
-      run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git config --local --add --bool push.autoSetupRemote true
-
-    - name: Update workspace
-      run: make update-workspace
-
-    - name: Commit and push workspace changes
-      env:
-        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
-      run: |
-        if ! git diff --exit-code --quiet; then
-          echo "Committing and pushing workspace changes"
-          git commit -a -m "update workspace"
-          git push origin "$BRANCH_NAME"
-        fi