fix(alerting): remove obsolete notification templates tab checks from ContactPoints tests

- Remove test code checking for Notification Templates tab (lines 282-288 and 494-497) - Templates are now a separate page in sidebar navigation, not a tab within Contact Points - Tests should only verify contact points permissions, not templates
fix: resolve CI failures from navigation refactoring
2026-01-14 13:21:26 +00:00 · 2026-01-13 17:09:16 +01:00 · 2026-01-13 13:12:24 +01:00 · 2026-01-13 01:39:37 +01:00 · 2026-01-13 01:01:02 +01:00 · 2026-01-12 21:20:08 +01:00
84 changed files with 4286 additions and 897 deletions
--- a/apps/plugins/kinds/meta.cue
+++ b/apps/plugins/kinds/meta.cue
@@ -24,7 +24,6 @@ metaV0Alpha1: {
 			translations?: [string]: string
 			// +listType=atomic
 			children?: [...string]
-			aliasIds?: [...string]
 		}
 	}
 }
--- a/apps/plugins/pkg/apis/plugins/v0alpha1/meta_spec_gen.go
+++ b/apps/plugins/pkg/apis/plugins/v0alpha1/meta_spec_gen.go
@@ -219,7 +219,6 @@ type MetaSpec struct {
 	Translations map[string]string          `json:"translations,omitempty"`
 	// +listType=atomic
 	Children []string `json:"children,omitempty"`
-	AliasIds []string `json:"aliasIds,omitempty"`
 }

 // NewMetaSpec creates a new MetaSpec object.
--- a/apps/plugins/pkg/apis/plugins_manifest.go
+++ b/apps/plugins/pkg/apis/plugins_manifest.go
--- a/apps/plugins/pkg/app/meta/converter.go
+++ b/apps/plugins/pkg/app/meta/converter.go
@@ -573,8 +573,6 @@ func pluginStorePluginToMeta(plugin pluginstore.Plugin, loadingStrategy plugins.
 		metaSpec.Translations = plugin.Translations
 	}

-	metaSpec.AliasIds = plugin.AliasIDs
-
 	return metaSpec
 }

@@ -678,8 +676,6 @@ func pluginToMetaSpec(plugin *plugins.Plugin) pluginsv0alpha1.MetaSpec {
 		metaSpec.Translations = plugin.Translations
 	}

-	metaSpec.AliasIds = plugin.AliasIDs
-
 	return metaSpec
 }

--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go
@@ -32,7 +32,7 @@ type ConnectionSecure struct {

 	// Token is the reference of the token used to act as the Connection.
 	// This value is stored securely and cannot be read back
-	Token common.InlineSecureValue `json:"webhook,omitzero,omitempty"`
+	Token common.InlineSecureValue `json:"token,omitzero,omitempty"`
 }

 func (v ConnectionSecure) IsZero() bool {
--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go
@@ -320,7 +320,7 @@ func schema_pkg_apis_provisioning_v0alpha1_ConnectionSecure(ref common.Reference
 							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
 						},
 					},
-					"webhook": {
+					"token": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
 							Default:     map[string]interface{}{},
--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list
@@ -22,7 +22,6 @@ API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioni
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ResourceList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,TestResults,Errors
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,WebhookStatus,SubscribedEvents
-API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSecure,Token
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSpec,GitHub
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobSpec,PullRequest
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,URLs
--- a/apps/provisioning/pkg/connection/connection.go
+++ b/apps/provisioning/pkg/connection/connection.go
@@ -0,0 +1,16 @@
+package connection
+
+import (
+	"context"
+)
+
+//go:generate mockery --name Connection --structname MockConnection --inpackage --filename connection_mock.go --with-expecter
+type Connection interface {
+	// Validate ensures the resource _looks_ correct.
+	// It should be called before trying to upsert a resource into the Kubernetes API server.
+	// This is not an indication that the connection information works, just that they are reasonably configured.
+	Validate(ctx context.Context) error
+
+	// Mutate performs in place mutation of the underneath resource.
+	Mutate(context.Context) error
+}
--- a/apps/provisioning/pkg/connection/connection_mock.go
+++ b/apps/provisioning/pkg/connection/connection_mock.go
@@ -0,0 +1,128 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockConnection is an autogenerated mock type for the Connection type
+type MockConnection struct {
+	mock.Mock
+}
+
+type MockConnection_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockConnection) EXPECT() *MockConnection_Expecter {
+	return &MockConnection_Expecter{mock: &_m.Mock}
+}
+
+// Mutate provides a mock function with given fields: _a0
+func (_m *MockConnection) Mutate(_a0 context.Context) error {
+	ret := _m.Called(_a0)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Mutate")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(_a0)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockConnection_Mutate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Mutate'
+type MockConnection_Mutate_Call struct {
+	*mock.Call
+}
+
+// Mutate is a helper method to define mock.On call
+//   - _a0 context.Context
+func (_e *MockConnection_Expecter) Mutate(_a0 interface{}) *MockConnection_Mutate_Call {
+	return &MockConnection_Mutate_Call{Call: _e.mock.On("Mutate", _a0)}
+}
+
+func (_c *MockConnection_Mutate_Call) Run(run func(_a0 context.Context)) *MockConnection_Mutate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockConnection_Mutate_Call) Return(_a0 error) *MockConnection_Mutate_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockConnection_Mutate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Mutate_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Validate provides a mock function with given fields: ctx
+func (_m *MockConnection) Validate(ctx context.Context) error {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Validate")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// MockConnection_Validate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Validate'
+type MockConnection_Validate_Call struct {
+	*mock.Call
+}
+
+// Validate is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockConnection_Expecter) Validate(ctx interface{}) *MockConnection_Validate_Call {
+	return &MockConnection_Validate_Call{Call: _e.mock.On("Validate", ctx)}
+}
+
+func (_c *MockConnection_Validate_Call) Run(run func(ctx context.Context)) *MockConnection_Validate_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockConnection_Validate_Call) Return(_a0 error) *MockConnection_Validate_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockConnection_Validate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Validate_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockConnection creates a new instance of MockConnection. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockConnection(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockConnection {
+	mock := &MockConnection{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/apps/provisioning/pkg/connection/extra_mock.go
+++ b/apps/provisioning/pkg/connection/extra_mock.go
@@ -0,0 +1,141 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockExtra is an autogenerated mock type for the Extra type
+type MockExtra struct {
+	mock.Mock
+}
+
+type MockExtra_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockExtra) EXPECT() *MockExtra_Expecter {
+	return &MockExtra_Expecter{mock: &_m.Mock}
+}
+
+// Build provides a mock function with given fields: ctx, r
+func (_m *MockExtra) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Build")
+	}
+
+	var r0 Connection
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Connection)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockExtra_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
+type MockExtra_Build_Call struct {
+	*mock.Call
+}
+
+// Build is a helper method to define mock.On call
+//   - ctx context.Context
+//   - r *v0alpha1.Connection
+func (_e *MockExtra_Expecter) Build(ctx interface{}, r interface{}) *MockExtra_Build_Call {
+	return &MockExtra_Build_Call{Call: _e.mock.On("Build", ctx, r)}
+}
+
+func (_c *MockExtra_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockExtra_Build_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
+	})
+	return _c
+}
+
+func (_c *MockExtra_Build_Call) Return(_a0 Connection, _a1 error) *MockExtra_Build_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockExtra_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockExtra_Build_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Type provides a mock function with no fields
+func (_m *MockExtra) Type() v0alpha1.ConnectionType {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Type")
+	}
+
+	var r0 v0alpha1.ConnectionType
+	if rf, ok := ret.Get(0).(func() v0alpha1.ConnectionType); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(v0alpha1.ConnectionType)
+	}
+
+	return r0
+}
+
+// MockExtra_Type_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Type'
+type MockExtra_Type_Call struct {
+	*mock.Call
+}
+
+// Type is a helper method to define mock.On call
+func (_e *MockExtra_Expecter) Type() *MockExtra_Type_Call {
+	return &MockExtra_Type_Call{Call: _e.mock.On("Type")}
+}
+
+func (_c *MockExtra_Type_Call) Run(run func()) *MockExtra_Type_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockExtra_Type_Call) Return(_a0 v0alpha1.ConnectionType) *MockExtra_Type_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockExtra_Type_Call) RunAndReturn(run func() v0alpha1.ConnectionType) *MockExtra_Type_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockExtra creates a new instance of MockExtra. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockExtra(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockExtra {
+	mock := &MockExtra{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/apps/provisioning/pkg/connection/factory.go
+++ b/apps/provisioning/pkg/connection/factory.go
@@ -0,0 +1,75 @@
+package connection
+
+import (
+	"context"
+	"fmt"
+	"sort"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+//go:generate mockery --name=Extra --structname=MockExtra --inpackage --filename=extra_mock.go --with-expecter
+type Extra interface {
+	Type() provisioning.ConnectionType
+	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
+}
+
+//go:generate mockery --name=Factory --structname=MockFactory --inpackage --filename=factory_mock.go --with-expecter
+type Factory interface {
+	Types() []provisioning.ConnectionType
+	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
+}
+
+type factory struct {
+	extras  map[provisioning.ConnectionType]Extra
+	enabled map[provisioning.ConnectionType]struct{}
+}
+
+func ProvideFactory(enabled map[provisioning.ConnectionType]struct{}, extras []Extra) (Factory, error) {
+	f := &factory{
+		enabled: enabled,
+		extras:  make(map[provisioning.ConnectionType]Extra, len(extras)),
+	}
+
+	for _, e := range extras {
+		if _, exists := f.extras[e.Type()]; exists {
+			return nil, fmt.Errorf("connection type %q is already registered", e.Type())
+		}
+		f.extras[e.Type()] = e
+	}
+
+	return f, nil
+}
+
+func (f *factory) Types() []provisioning.ConnectionType {
+	var types []provisioning.ConnectionType
+	for t := range f.enabled {
+		if _, exists := f.extras[t]; exists {
+			types = append(types, t)
+		}
+	}
+
+	sort.Slice(types, func(i, j int) bool {
+		return string(types[i]) < string(types[j])
+	})
+
+	return types
+}
+
+func (f *factory) Build(ctx context.Context, c *provisioning.Connection) (Connection, error) {
+	for _, e := range f.extras {
+		if e.Type() == c.Spec.Type {
+			if _, enabled := f.enabled[e.Type()]; !enabled {
+				return nil, fmt.Errorf("connection type %q is not enabled", e.Type())
+			}
+
+			return e.Build(ctx, c)
+		}
+	}
+
+	return nil, fmt.Errorf("connection type %q is not supported", c.Spec.Type)
+}
+
+var (
+	_ Factory = (*factory)(nil)
+)
--- a/apps/provisioning/pkg/connection/factory_mock.go
+++ b/apps/provisioning/pkg/connection/factory_mock.go
@@ -0,0 +1,143 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package connection
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockFactory is an autogenerated mock type for the Factory type
+type MockFactory struct {
+	mock.Mock
+}
+
+type MockFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockFactory) EXPECT() *MockFactory_Expecter {
+	return &MockFactory_Expecter{mock: &_m.Mock}
+}
+
+// Build provides a mock function with given fields: ctx, r
+func (_m *MockFactory) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for Build")
+	}
+
+	var r0 Connection
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Connection)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockFactory_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
+type MockFactory_Build_Call struct {
+	*mock.Call
+}
+
+// Build is a helper method to define mock.On call
+//   - ctx context.Context
+//   - r *v0alpha1.Connection
+func (_e *MockFactory_Expecter) Build(ctx interface{}, r interface{}) *MockFactory_Build_Call {
+	return &MockFactory_Build_Call{Call: _e.mock.On("Build", ctx, r)}
+}
+
+func (_c *MockFactory_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockFactory_Build_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
+	})
+	return _c
+}
+
+func (_c *MockFactory_Build_Call) Return(_a0 Connection, _a1 error) *MockFactory_Build_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockFactory_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockFactory_Build_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// Types provides a mock function with no fields
+func (_m *MockFactory) Types() []v0alpha1.ConnectionType {
+	ret := _m.Called()
+
+	if len(ret) == 0 {
+		panic("no return value specified for Types")
+	}
+
+	var r0 []v0alpha1.ConnectionType
+	if rf, ok := ret.Get(0).(func() []v0alpha1.ConnectionType); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]v0alpha1.ConnectionType)
+		}
+	}
+
+	return r0
+}
+
+// MockFactory_Types_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Types'
+type MockFactory_Types_Call struct {
+	*mock.Call
+}
+
+// Types is a helper method to define mock.On call
+func (_e *MockFactory_Expecter) Types() *MockFactory_Types_Call {
+	return &MockFactory_Types_Call{Call: _e.mock.On("Types")}
+}
+
+func (_c *MockFactory_Types_Call) Run(run func()) *MockFactory_Types_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run()
+	})
+	return _c
+}
+
+func (_c *MockFactory_Types_Call) Return(_a0 []v0alpha1.ConnectionType) *MockFactory_Types_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockFactory_Types_Call) RunAndReturn(run func() []v0alpha1.ConnectionType) *MockFactory_Types_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockFactory creates a new instance of MockFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockFactory {
+	mock := &MockFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/apps/provisioning/pkg/connection/factory_test.go
+++ b/apps/provisioning/pkg/connection/factory_test.go
@@ -0,0 +1,309 @@
+package connection
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestProvideFactory(t *testing.T) {
+	t.Run("should create factory with valid extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should create factory with empty extras", func(t *testing.T) {
+		enabled := map[provisioning.ConnectionType]struct{}{}
+
+		factory, err := ProvideFactory(enabled, []Extra{})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should create factory with nil enabled map", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		factory, err := ProvideFactory(nil, []Extra{extra1})
+		require.NoError(t, err)
+		require.NotNil(t, factory)
+	})
+
+	t.Run("should return error when duplicate repository types", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.Error(t, err)
+		assert.Nil(t, factory)
+		assert.Contains(t, err.Error(), "connection type \"github\" is already registered")
+	})
+}
+
+func TestFactory_Types(t *testing.T) {
+	t.Run("should return only enabled types that have extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 2)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.Contains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should return sorted list of types", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 2)
+		// github should come before gitlab alphabetically
+		assert.Equal(t, provisioning.GithubConnectionType, types[0])
+		assert.Equal(t, provisioning.GitlabConnectionType, types[1])
+	})
+
+	t.Run("should return empty list when no types are enabled", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Empty(t, types)
+	})
+
+	t.Run("should not return types that are enabled but have no extras", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 1)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.NotContains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should not return types that have extras but are not enabled", func(t *testing.T) {
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Len(t, types, 1)
+		assert.Contains(t, types, provisioning.GithubConnectionType)
+		assert.NotContains(t, types, provisioning.GitlabConnectionType)
+	})
+
+	t.Run("should return empty list when no extras are provided", func(t *testing.T) {
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{})
+		require.NoError(t, err)
+
+		types := factory.Types()
+		assert.Empty(t, types)
+	})
+}
+
+func TestFactory_Build(t *testing.T) {
+	t.Run("should successfully build connection when type is enabled and has extra", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+			},
+		}
+
+		mockConnection := NewMockConnection(t)
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+		extra.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.NoError(t, err)
+		assert.Equal(t, mockConnection, result)
+	})
+
+	t.Run("should return error when type is not enabled", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not enabled")
+	})
+
+	t.Run("should return error when type is not supported", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not supported")
+	})
+
+	t.Run("should pass through errors from extra.Build()", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+			},
+		}
+
+		expectedErr := errors.New("build error")
+		extra := NewMockExtra(t)
+		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
+		extra.EXPECT().Build(ctx, conn).Return(nil, expectedErr)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		assert.Equal(t, expectedErr, err)
+	})
+
+	t.Run("should build with multiple extras registered", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+			},
+		}
+
+		mockConnection := NewMockConnection(t)
+
+		extra1 := NewMockExtra(t)
+		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
+
+		extra2 := NewMockExtra(t)
+		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
+		extra2.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
+
+		enabled := map[provisioning.ConnectionType]struct{}{
+			provisioning.GithubConnectionType: {},
+			provisioning.GitlabConnectionType: {},
+		}
+
+		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
+		require.NoError(t, err)
+
+		result, err := factory.Build(ctx, conn)
+		require.NoError(t, err)
+		assert.Equal(t, mockConnection, result)
+	})
+}
--- a/apps/provisioning/pkg/connection/github/client.go
+++ b/apps/provisioning/pkg/connection/github/client.go
@@ -0,0 +1,93 @@
+package github
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"github.com/google/go-github/v70/github"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// API errors that we need to convey after parsing real GH errors (or faking them).
+var (
+	//lint:ignore ST1005 this is not punctuation
+	ErrServiceUnavailable = apierrors.NewServiceUnavailable("github is unavailable")
+)
+
+//go:generate mockery --name Client --structname MockClient --inpackage --filename client_mock.go --with-expecter
+type Client interface {
+	// Apps and installations
+	GetApp(ctx context.Context) (App, error)
+	GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error)
+}
+
+// App represents a Github App.
+type App struct {
+	// ID represents the GH app ID.
+	ID int64
+	// Slug represents the GH app slug.
+	Slug string
+	// Owner represents the GH account/org owning the app
+	Owner string
+}
+
+// AppInstallation represents a Github App Installation.
+type AppInstallation struct {
+	// ID represents the GH installation ID.
+	ID int64
+	// Whether the installation is enabled or not.
+	Enabled bool
+}
+
+type githubClient struct {
+	gh *github.Client
+}
+
+func NewClient(client *github.Client) Client {
+	return &githubClient{client}
+}
+
+// GetApp gets the app by using the given token.
+func (r *githubClient) GetApp(ctx context.Context) (App, error) {
+	app, _, err := r.gh.Apps.Get(ctx, "")
+	if err != nil {
+		var ghErr *github.ErrorResponse
+		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
+			return App{}, ErrServiceUnavailable
+		}
+		return App{}, err
+	}
+
+	// TODO(ferruvich): do we need any other info?
+	return App{
+		ID:    app.GetID(),
+		Slug:  app.GetSlug(),
+		Owner: app.GetOwner().GetLogin(),
+	}, nil
+}
+
+// GetAppInstallation gets the installation of the app related to the given token.
+func (r *githubClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
+	id, err := strconv.Atoi(installationID)
+	if err != nil {
+		return AppInstallation{}, fmt.Errorf("invalid installation ID: %s", installationID)
+	}
+
+	installation, _, err := r.gh.Apps.GetInstallation(ctx, int64(id))
+	if err != nil {
+		var ghErr *github.ErrorResponse
+		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
+			return AppInstallation{}, ErrServiceUnavailable
+		}
+		return AppInstallation{}, err
+	}
+
+	// TODO(ferruvich): do we need any other info?
+	return AppInstallation{
+		ID:      installation.GetID(),
+		Enabled: installation.GetSuspendedAt().IsZero(),
+	}, nil
+}
--- a/apps/provisioning/pkg/connection/github/client_mock.go
+++ b/apps/provisioning/pkg/connection/github/client_mock.go
@@ -0,0 +1,149 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package github
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockClient is an autogenerated mock type for the Client type
+type MockClient struct {
+	mock.Mock
+}
+
+type MockClient_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockClient) EXPECT() *MockClient_Expecter {
+	return &MockClient_Expecter{mock: &_m.Mock}
+}
+
+// GetApp provides a mock function with given fields: ctx
+func (_m *MockClient) GetApp(ctx context.Context) (App, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetApp")
+	}
+
+	var r0 App
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) (App, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) App); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Get(0).(App)
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockClient_GetApp_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetApp'
+type MockClient_GetApp_Call struct {
+	*mock.Call
+}
+
+// GetApp is a helper method to define mock.On call
+//   - ctx context.Context
+func (_e *MockClient_Expecter) GetApp(ctx interface{}) *MockClient_GetApp_Call {
+	return &MockClient_GetApp_Call{Call: _e.mock.On("GetApp", ctx)}
+}
+
+func (_c *MockClient_GetApp_Call) Run(run func(ctx context.Context)) *MockClient_GetApp_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context))
+	})
+	return _c
+}
+
+func (_c *MockClient_GetApp_Call) Return(_a0 App, _a1 error) *MockClient_GetApp_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockClient_GetApp_Call) RunAndReturn(run func(context.Context) (App, error)) *MockClient_GetApp_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetAppInstallation provides a mock function with given fields: ctx, installationID
+func (_m *MockClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
+	ret := _m.Called(ctx, installationID)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetAppInstallation")
+	}
+
+	var r0 AppInstallation
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (AppInstallation, error)); ok {
+		return rf(ctx, installationID)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) AppInstallation); ok {
+		r0 = rf(ctx, installationID)
+	} else {
+		r0 = ret.Get(0).(AppInstallation)
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, installationID)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// MockClient_GetAppInstallation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAppInstallation'
+type MockClient_GetAppInstallation_Call struct {
+	*mock.Call
+}
+
+// GetAppInstallation is a helper method to define mock.On call
+//   - ctx context.Context
+//   - installationID string
+func (_e *MockClient_Expecter) GetAppInstallation(ctx interface{}, installationID interface{}) *MockClient_GetAppInstallation_Call {
+	return &MockClient_GetAppInstallation_Call{Call: _e.mock.On("GetAppInstallation", ctx, installationID)}
+}
+
+func (_c *MockClient_GetAppInstallation_Call) Run(run func(ctx context.Context, installationID string)) *MockClient_GetAppInstallation_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(string))
+	})
+	return _c
+}
+
+func (_c *MockClient_GetAppInstallation_Call) Return(_a0 AppInstallation, _a1 error) *MockClient_GetAppInstallation_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *MockClient_GetAppInstallation_Call) RunAndReturn(run func(context.Context, string) (AppInstallation, error)) *MockClient_GetAppInstallation_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockClient creates a new instance of MockClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockClient(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockClient {
+	mock := &MockClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/apps/provisioning/pkg/connection/github/client_test.go
+++ b/apps/provisioning/pkg/connection/github/client_test.go
@@ -0,0 +1,297 @@
+package github_test
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/google/go-github/v70/github"
+	conngh "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	mockhub "github.com/migueleliasweb/go-github-mock/src/mock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGithubClient_GetApp(t *testing.T) {
+	tests := []struct {
+		name        string
+		mockHandler *http.Client
+		token       string
+		wantApp     conngh.App
+		wantErr     error
+	}{
+		{
+			name: "get app successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						app := &github.App{
+							ID:   github.Ptr(int64(12345)),
+							Slug: github.Ptr("my-test-app"),
+							Owner: &github.User{
+								Login: github.Ptr("grafana"),
+							},
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(app))
+					}),
+				),
+			),
+			token: "test-token",
+			wantApp: conngh.App{
+				ID:    12345,
+				Slug:  "my-test-app",
+				Owner: "grafana",
+			},
+			wantErr: nil,
+		},
+		{
+			name: "service unavailable",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusServiceUnavailable)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusServiceUnavailable,
+							},
+							Message: "Service unavailable",
+						}))
+					}),
+				),
+			),
+			token:   "test-token",
+			wantApp: conngh.App{},
+			wantErr: conngh.ErrServiceUnavailable,
+		},
+		{
+			name: "other error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusInternalServerError)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusInternalServerError,
+							},
+							Message: "Internal server error",
+						}))
+					}),
+				),
+			),
+			token:   "test-token",
+			wantApp: conngh.App{},
+			wantErr: &github.ErrorResponse{
+				Response: &http.Response{
+					StatusCode: http.StatusInternalServerError,
+				},
+				Message: "Internal server error",
+			},
+		},
+		{
+			name: "unauthorized error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetApp,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusUnauthorized)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusUnauthorized,
+							},
+							Message: "Bad credentials",
+						}))
+					}),
+				),
+			),
+			token:   "invalid-token",
+			wantApp: conngh.App{},
+			wantErr: &github.ErrorResponse{
+				Response: &http.Response{
+					StatusCode: http.StatusUnauthorized,
+				},
+				Message: "Bad credentials",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a mock client
+			ghClient := github.NewClient(tt.mockHandler)
+			client := conngh.NewClient(ghClient)
+
+			// Call the method being tested
+			app, err := client.GetApp(context.Background())
+
+			// Check the error
+			if tt.wantErr != nil {
+				assert.Error(t, err)
+				assert.Equal(t, tt.wantApp, app)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.wantApp, app)
+			}
+		})
+	}
+}
+
+func TestGithubClient_GetAppInstallation(t *testing.T) {
+	tests := []struct {
+		name             string
+		mockHandler      *http.Client
+		appToken         string
+		installationID   string
+		wantInstallation conngh.AppInstallation
+		wantErr          bool
+		errContains      string
+	}{
+		{
+			name: "get disabled app installation successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						installation := &github.Installation{
+							ID:          github.Ptr(int64(67890)),
+							SuspendedAt: github.Ptr(github.Timestamp{Time: time.Now()}),
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(installation))
+					}),
+				),
+			),
+			appToken:       "test-app-token",
+			installationID: "67890",
+			wantInstallation: conngh.AppInstallation{
+				ID:      67890,
+				Enabled: false,
+			},
+			wantErr: false,
+		},
+		{
+			name: "get enabled app installation successfully",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						installation := &github.Installation{
+							ID:          github.Ptr(int64(67890)),
+							SuspendedAt: nil,
+						}
+						w.WriteHeader(http.StatusOK)
+						require.NoError(t, json.NewEncoder(w).Encode(installation))
+					}),
+				),
+			),
+			appToken:       "test-app-token",
+			installationID: "67890",
+			wantInstallation: conngh.AppInstallation{
+				ID:      67890,
+				Enabled: true,
+			},
+			wantErr: false,
+		},
+		{
+			name:             "invalid installation ID",
+			mockHandler:      mockhub.NewMockedHTTPClient(),
+			appToken:         "test-app-token",
+			installationID:   "not-a-number",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+			errContains:      "invalid installation ID",
+		},
+		{
+			name: "service unavailable",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusServiceUnavailable)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusServiceUnavailable,
+							},
+							Message: "Service unavailable",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "67890",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+		{
+			name: "installation not found",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusNotFound)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusNotFound,
+							},
+							Message: "Not Found",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "99999",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+		{
+			name: "other error",
+			mockHandler: mockhub.NewMockedHTTPClient(
+				mockhub.WithRequestMatchHandler(
+					mockhub.GetAppInstallationsByInstallationId,
+					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+						w.WriteHeader(http.StatusInternalServerError)
+						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+							Response: &http.Response{
+								StatusCode: http.StatusInternalServerError,
+							},
+							Message: "Internal server error",
+						}))
+					}),
+				),
+			),
+			appToken:         "test-app-token",
+			installationID:   "67890",
+			wantInstallation: conngh.AppInstallation{},
+			wantErr:          true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create a mock client
+			ghClient := github.NewClient(tt.mockHandler)
+			client := conngh.NewClient(ghClient)
+
+			// Call the method being tested
+			installation, err := client.GetAppInstallation(context.Background(), tt.installationID)
+
+			// Check the error
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+
+			// Check the result
+			assert.Equal(t, tt.wantInstallation, installation)
+		})
+	}
+}
--- a/apps/provisioning/pkg/connection/github/connection.go
+++ b/apps/provisioning/pkg/connection/github/connection.go
@@ -0,0 +1,192 @@
+package github
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+//go:generate mockery --name GithubFactory --structname MockGithubFactory --inpackage --filename factory_mock.go --with-expecter
+type GithubFactory interface {
+	New(ctx context.Context, ghToken common.RawSecureValue) Client
+}
+
+type Connection struct {
+	obj       *provisioning.Connection
+	ghFactory GithubFactory
+}
+
+func NewConnection(
+	obj *provisioning.Connection,
+	factory GithubFactory,
+) Connection {
+	return Connection{
+		obj:       obj,
+		ghFactory: factory,
+	}
+}
+
+const (
+	//TODO(ferruvich): these probably need to be setup in API configuration.
+	githubInstallationURL = "https://github.com/settings/installations"
+	jwtExpirationMinutes  = 10 // GitHub Apps JWT tokens expire in 10 minutes maximum
+)
+
+// Mutate performs in place mutation of the underneath resource.
+func (c *Connection) Mutate(_ context.Context) error {
+	// Do nothing in case spec.Github is nil.
+	// If this field is required, we should fail at validation time.
+	if c.obj.Spec.GitHub == nil {
+		return nil
+	}
+
+	c.obj.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, c.obj.Spec.GitHub.InstallationID)
+
+	// Generate JWT token if private key is being provided.
+	// Same as for the spec.Github, if such a field is required, Validation will take care of that.
+	if !c.obj.Secure.PrivateKey.Create.IsZero() {
+		token, err := generateToken(c.obj.Spec.GitHub.AppID, c.obj.Secure.PrivateKey.Create)
+		if err != nil {
+			return fmt.Errorf("failed to generate JWT token: %w", err)
+		}
+
+		// Store the generated token
+		c.obj.Secure.Token = common.InlineSecureValue{Create: token}
+	}
+
+	return nil
+}
+
+// Token generates and returns the Connection token.
+func generateToken(appID string, privateKey common.RawSecureValue) (common.RawSecureValue, error) {
+	// Decode base64-encoded private key
+	privateKeyPEM, err := base64.StdEncoding.DecodeString(string(privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to decode base64 private key: %w", err)
+	}
+
+	// Parse the private key
+	key, err := jwt.ParseRSAPrivateKeyFromPEM(privateKeyPEM)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	// Create the JWT token
+	now := time.Now()
+	claims := jwt.RegisteredClaims{
+		IssuedAt:  jwt.NewNumericDate(now),
+		ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(jwtExpirationMinutes) * time.Minute)),
+		Issuer:    appID,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	signedToken, err := token.SignedString(key)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign JWT token: %w", err)
+	}
+
+	return common.RawSecureValue(signedToken), nil
+}
+
+// Validate ensures the resource _looks_ correct.
+func (c *Connection) Validate(ctx context.Context) error {
+	list := field.ErrorList{}
+
+	if c.obj.Spec.Type != provisioning.GithubConnectionType {
+		list = append(list, field.Invalid(field.NewPath("spec", "type"), c.obj.Spec.Type, "invalid connection type"))
+
+		// Doesn't make much sense to continue validating a connection which is not a Github one.
+		return toError(c.obj.GetName(), list)
+	}
+
+	if c.obj.Spec.GitHub == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
+		)
+
+		// Doesn't make much sense to continue validating a connection with no information.
+		return toError(c.obj.GetName(), list)
+	}
+
+	if c.obj.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
+	}
+	if c.obj.Secure.Token.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "token"), "token must be specified for GitHub connection"))
+	}
+	if !c.obj.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
+	}
+
+	// Validate GitHub configuration fields
+	if c.obj.Spec.GitHub.AppID == "" {
+		list = append(list, field.Required(field.NewPath("spec", "github", "appID"), "appID must be specified for GitHub connection"))
+	}
+	if c.obj.Spec.GitHub.InstallationID == "" {
+		list = append(list, field.Required(field.NewPath("spec", "github", "installationID"), "installationID must be specified for GitHub connection"))
+	}
+
+	// In case we have any error above, we don't go forward with the validation, and return the errors.
+	if len(list) > 0 {
+		return toError(c.obj.GetName(), list)
+	}
+
+	// Validating app content via GH API
+	if err := c.validateAppAndInstallation(ctx); err != nil {
+		list = append(list, err)
+	}
+
+	return toError(c.obj.GetName(), list)
+}
+
+// validateAppAndInstallation validates the appID and installationID against the given github token.
+func (c *Connection) validateAppAndInstallation(ctx context.Context) *field.Error {
+	ghClient := c.ghFactory.New(ctx, c.obj.Secure.Token.Create)
+
+	app, err := ghClient.GetApp(ctx)
+	if err != nil {
+		if errors.Is(err, ErrServiceUnavailable) {
+			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
+		}
+		return field.Invalid(field.NewPath("spec", "token"), "[REDACTED]", "invalid token")
+	}
+
+	if fmt.Sprintf("%d", app.ID) != c.obj.Spec.GitHub.AppID {
+		return field.Invalid(field.NewPath("spec", "appID"), c.obj.Spec.GitHub.AppID, "appID mismatch")
+	}
+
+	_, err = ghClient.GetAppInstallation(ctx, c.obj.Spec.GitHub.InstallationID)
+	if err != nil {
+		if errors.Is(err, ErrServiceUnavailable) {
+			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
+		}
+		return field.Invalid(field.NewPath("spec", "installationID"), c.obj.Spec.GitHub.InstallationID, "invalid installation ID")
+	}
+
+	return nil
+}
+
+// toError converts a field.ErrorList to an error, returning nil if the list is empty
+func toError(name string, list field.ErrorList) error {
+	if len(list) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(
+		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
+		name,
+		list,
+	)
+}
+
+var (
+	_ connection.Connection = (*Connection)(nil)
+)
--- a/apps/provisioning/pkg/connection/github/connection_test.go
+++ b/apps/provisioning/pkg/connection/github/connection_test.go
@@ -0,0 +1,434 @@
+package github
+
+import (
+	"context"
+	"encoding/base64"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//nolint:gosec // Test RSA private key (generated for testing purposes only)
+const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAoInVbLY9io2Q/wHvUIXlEHg2Qyvd8eRzBAVEJ92DS6fx9H10
+06V0VRm78S0MXyo6i+n8ZAbZ0/R+GWpP2Ephxm0Gs2zo+iO2mpB19xQFI4o6ZTOw
+b2WyjSaa2Vr4oyDkqti6AvfjW4VUAu932e08GkgwmmQSHXj7FX2CMWjgUwTTcuaX
+65SHNKLNYLUP0HTumLzoZeqDTdoMMpKNdgH9Avr4/8vkVJ0mD6rqvxnw3JHsseNO
+WdQTxf2aApBNHIIKxWZ2i/ZmjLNey7kltgjEquGiBdJvip3fHhH5XHdkrXcjRtnw
+OJDnDmi5lQwv5yUBOSkbvbXRv/L/m0YLoD/fbwIDAQABAoIBAFfl//hM8/cnuesV
+R1Con/ZAgTXQOdPqPXbmEyniVrkMqMmCdBUOBTcST4s5yg36+RtkeaGpb/ajyyF
+PAB2AYDucwvMpudGpJWOYTiOOp4R8hU1LvZfXVrRd1lo6NgQi4NLtNUpOtACeVQ+
+H4Yv0YemXQ47mnuOoRNMK/u3q5NoIdSahWptXBgUno8KklNpUrH3IYWaUxfBzDN3
+2xsVRTn2SfTSyoDmTDdTgptJONmoK1/sV7UsgWksdFc6XyYhsFAZgOGEJrBABRvF
+546dyQ0cWxuPyVXpM7CN3tqC5ssvLjElg3LicK1V6gnjpdRnnvX88d1Eh3Uc/9IM
+OZInT2ECgYEA6W8sQXTWinyEwl8SDKKMbB2ApIghAcFgdRxprZE4WFxjsYNCNL70
+dnSB7MRuzmxf5W77cV0N7JhH66N8HvY6Xq9olrpQ5dNttR4w8Pyv3wavDe8x7seL
+5L2Xtbu7ihDr8Dk27MjiBSin3IxhBP5CJS910+pR6LrAWtEuU+FzFfECgYEAsA6y
+qxHhCMXlTnauXhsnmPd1g61q7chW8kLQFYtHMLlQlgjHTW7irDZ9cPbPYDNjwRLO
+7KLorcpv2NKe7rqq2ZyCm6hf1b9WnlQjo3dLpNWMu6fhy/smK8MgbRqcWpX+oTKF
+79mK6hbY7o6eBzsQHBl7Z+LBNuwYmp9qOodPa18CgYEArv6ipKdcNhFGzRfMRiCN
+OHederp6VACNuP2F05IsNUF9kxOdTEFirnKE++P+VU01TqA2azOhPp6iO+ohIGzi
+MR06QNSH1OL9OWvasK4dggpWrRGF00VQgDgJRTnpS4WH+lxJ6pRlrAxgWpv6F24s
+VAgSQr1Ejj2B+hMasdMvHWECgYBJ4uE4yhgXBnZlp4kmFV9Y4wF+cZkekaVrpn6N
+jBYkbKFVVfnOlWqru3KJpgsB5I9IyAvvY68iwIKQDFSG+/AXw4dMrC0MF3DSoZ0T
+TU2Br92QI7SvVod+djV1lGVp3ukt3XY4YqPZ+hywgUnw3uiz4j3YK2HLGup4ec6r
+IX5DIQKBgHRLzvT3zqtlR1Oh0vv098clLwt+pGzXOxzJpxioOa5UqK13xIpFXbcg
+iWUVh5YXCcuqaICUv4RLIEac5xQitk9Is/9IhP0NJ/81rHniosvdSpCeFXzxTImS
+B8Uc0WUgheB4+yVKGnYpYaSOgFFI5+1BYUva/wDHLy2pWHz39Usb
+-----END RSA PRIVATE KEY-----`
+
+func TestConnection_Mutate(t *testing.T) {
+	t.Run("should add URL to Github connection", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "test-private-key",
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+	})
+
+	t.Run("should generate JWT token when private key is provided", func(t *testing.T) {
+		privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue(privateKeyBase64),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+		assert.False(t, c.Secure.Token.Create.IsZero(), "JWT token should be generated")
+	})
+
+	t.Run("should do nothing when GitHub config is nil", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GitlabConnectionType,
+				Gitlab: &provisioning.GitlabConnectionConfig{
+					ClientID: "clientID",
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		require.NoError(t, conn.Mutate(context.Background()))
+	})
+
+	t.Run("should fail when private key is not base64", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue("invalid-key"),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		err := conn.Mutate(context.Background())
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to generate JWT token")
+		assert.Contains(t, err.Error(), "failed to decode base64 private key")
+	})
+
+	t.Run("should fail when private key is invalid", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue(base64.StdEncoding.EncodeToString([]byte("invalid-key"))),
+				},
+			},
+		}
+
+		mockFactory := NewMockGithubFactory(t)
+		conn := NewConnection(c, mockFactory)
+
+		err := conn.Mutate(context.Background())
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to generate JWT token")
+		assert.Contains(t, err.Error(), "failed to parse private key")
+	})
+}
+
+func TestConnection_Validate(t *testing.T) {
+	tests := []struct {
+		name           string
+		connection     *provisioning.Connection
+		setupMock      func(*MockGithubFactory)
+		wantErr        bool
+		errMsgContains []string
+	}{
+		{
+			name: "invalid type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: "invalid",
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.type"},
+		},
+		{
+			name: "github type without github config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github"},
+		},
+		{
+			name: "github type without private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.privateKey"},
+		},
+		{
+			name: "github type without token returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.token"},
+		},
+		{
+			name: "github type with client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-client-secret"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"secure.clientSecret"},
+		},
+		{
+			name: "github type without appID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github.appID"},
+		},
+		{
+			name: "github type without installationID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID: "123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					Token: common.InlineSecureValue{
+						Name: "test-token",
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.github.installationID"},
+		},
+		{
+			name: "github type with valid config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr: false,
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
+				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{ID: 456}, nil)
+			},
+		},
+		{
+			name: "problem getting app returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.token", "[REDACTED]"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{}, assert.AnError)
+			},
+		},
+		{
+			name: "mismatched app ID returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.appID"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 444, Slug: "test-app"}, nil)
+			},
+		},
+		{
+			name: "problem when getting installation returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-private-key"),
+					},
+					Token: common.InlineSecureValue{
+						Create: common.NewSecretValue("test-token"),
+					},
+				},
+			},
+			wantErr:        true,
+			errMsgContains: []string{"spec.installationID", "456"},
+			setupMock: func(mockFactory *MockGithubFactory) {
+				mockClient := NewMockClient(t)
+
+				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
+				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
+				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{}, assert.AnError)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockFactory := NewMockGithubFactory(t)
+			if tt.setupMock != nil {
+				tt.setupMock(mockFactory)
+			}
+
+			conn := NewConnection(tt.connection, mockFactory)
+			err := conn.Validate(context.Background())
+			if tt.wantErr {
+				assert.Error(t, err)
+				for _, msg := range tt.errMsgContains {
+					assert.Contains(t, err.Error(), msg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/apps/provisioning/pkg/connection/github/extra.go
+++ b/apps/provisioning/pkg/connection/github/extra.go
@@ -0,0 +1,36 @@
+package github
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/grafana/grafana-app-sdk/logging"
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+)
+
+type extra struct {
+	factory GithubFactory
+}
+
+func (e *extra) Type() provisioning.ConnectionType {
+	return provisioning.GithubConnectionType
+}
+
+func (e *extra) Build(ctx context.Context, connection *provisioning.Connection) (connection.Connection, error) {
+	logger := logging.FromContext(ctx)
+	if connection == nil || connection.Spec.GitHub == nil {
+		logger.Error("connection is nil or github info is nil")
+
+		return nil, fmt.Errorf("invalid github connection")
+	}
+
+	c := NewConnection(connection, e.factory)
+	return &c, nil
+}
+
+func Extra(factory GithubFactory) connection.Extra {
+	return &extra{
+		factory: factory,
+	}
+}
--- a/apps/provisioning/pkg/connection/github/extra_test.go
+++ b/apps/provisioning/pkg/connection/github/extra_test.go
@@ -0,0 +1,126 @@
+package github_test
+
+import (
+	"context"
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestExtra_Type(t *testing.T) {
+	t.Run("should return GithubConnectionType", func(t *testing.T) {
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result := e.Type()
+		assert.Equal(t, provisioning.GithubConnectionType, result)
+	})
+}
+
+func TestExtra_Build(t *testing.T) {
+	t.Run("should successfully build connection", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Create: common.NewSecretValue("test-private-key"),
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+
+		e := github.Extra(mockFactory)
+
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should handle different connection configurations", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "another-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "789",
+					InstallationID: "101112",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "existing-private-key",
+				},
+				Token: common.InlineSecureValue{
+					Name: "existing-token",
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+
+		e := github.Extra(mockFactory)
+
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should build connection with background context", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+
+	t.Run("should always pass empty token to factory.New", func(t *testing.T) {
+		ctx := context.Background()
+		conn := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				Token: common.InlineSecureValue{
+					Create: common.NewSecretValue("some-token"),
+				},
+			},
+		}
+
+		mockFactory := github.NewMockGithubFactory(t)
+		e := github.Extra(mockFactory)
+		result, err := e.Build(ctx, conn)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+	})
+}
--- a/apps/provisioning/pkg/connection/github/factory.go
+++ b/apps/provisioning/pkg/connection/github/factory.go
@@ -0,0 +1,39 @@
+package github
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/google/go-github/v70/github"
+	"golang.org/x/oauth2"
+
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+)
+
+// Factory creates new GitHub clients.
+// It exists only for the ability to test the code easily.
+type Factory struct {
+	// Client allows overriding the client to use in the GH client returned. It exists primarily for testing.
+	// FIXME: we should replace in this way. We should add some options pattern for the factory.
+	Client *http.Client
+}
+
+func ProvideFactory() GithubFactory {
+	return &Factory{}
+}
+
+func (r *Factory) New(ctx context.Context, ghToken common.RawSecureValue) Client {
+	if r.Client != nil {
+		return NewClient(github.NewClient(r.Client))
+	}
+
+	if !ghToken.IsZero() {
+		tokenSrc := oauth2.StaticTokenSource(
+			&oauth2.Token{AccessToken: string(ghToken)},
+		)
+		tokenClient := oauth2.NewClient(ctx, tokenSrc)
+		return NewClient(github.NewClient(tokenClient))
+	}
+
+	return NewClient(github.NewClient(&http.Client{}))
+}
--- a/apps/provisioning/pkg/connection/github/factory_mock.go
+++ b/apps/provisioning/pkg/connection/github/factory_mock.go
@@ -0,0 +1,86 @@
+// Code generated by mockery v2.53.4. DO NOT EDIT.
+
+package github
+
+import (
+	context "context"
+
+	v0alpha1 "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// MockGithubFactory is an autogenerated mock type for the GithubFactory type
+type MockGithubFactory struct {
+	mock.Mock
+}
+
+type MockGithubFactory_Expecter struct {
+	mock *mock.Mock
+}
+
+func (_m *MockGithubFactory) EXPECT() *MockGithubFactory_Expecter {
+	return &MockGithubFactory_Expecter{mock: &_m.Mock}
+}
+
+// New provides a mock function with given fields: ctx, ghToken
+func (_m *MockGithubFactory) New(ctx context.Context, ghToken v0alpha1.RawSecureValue) Client {
+	ret := _m.Called(ctx, ghToken)
+
+	if len(ret) == 0 {
+		panic("no return value specified for New")
+	}
+
+	var r0 Client
+	if rf, ok := ret.Get(0).(func(context.Context, v0alpha1.RawSecureValue) Client); ok {
+		r0 = rf(ctx, ghToken)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(Client)
+		}
+	}
+
+	return r0
+}
+
+// MockGithubFactory_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
+type MockGithubFactory_New_Call struct {
+	*mock.Call
+}
+
+// New is a helper method to define mock.On call
+//   - ctx context.Context
+//   - ghToken v0alpha1.RawSecureValue
+func (_e *MockGithubFactory_Expecter) New(ctx interface{}, ghToken interface{}) *MockGithubFactory_New_Call {
+	return &MockGithubFactory_New_Call{Call: _e.mock.On("New", ctx, ghToken)}
+}
+
+func (_c *MockGithubFactory_New_Call) Run(run func(ctx context.Context, ghToken v0alpha1.RawSecureValue)) *MockGithubFactory_New_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		run(args[0].(context.Context), args[1].(v0alpha1.RawSecureValue))
+	})
+	return _c
+}
+
+func (_c *MockGithubFactory_New_Call) Return(_a0 Client) *MockGithubFactory_New_Call {
+	_c.Call.Return(_a0)
+	return _c
+}
+
+func (_c *MockGithubFactory_New_Call) RunAndReturn(run func(context.Context, v0alpha1.RawSecureValue) Client) *MockGithubFactory_New_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// NewMockGithubFactory creates a new instance of MockGithubFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewMockGithubFactory(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *MockGithubFactory {
+	mock := &MockGithubFactory{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}
--- a/apps/provisioning/pkg/connection/mutator.go
+++ b/apps/provisioning/pkg/connection/mutator.go
@@ -1,28 +0,0 @@
-package connection
-
-import (
-	"fmt"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-)
-
-const (
-	githubInstallationURL = "https://github.com/settings/installations"
-)
-
-func MutateConnection(connection *provisioning.Connection) error {
-	switch connection.Spec.Type {
-	case provisioning.GithubConnectionType:
-		// Do nothing in case spec.Github is nil.
-		// If this field is required, we should fail at validation time.
-		if connection.Spec.GitHub == nil {
-			return nil
-		}
-
-		connection.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, connection.Spec.GitHub.InstallationID)
-		return nil
-	default:
-		// TODO: we need to setup the URL for bitbucket and gitlab.
-		return nil
-	}
-}
--- a/apps/provisioning/pkg/connection/mutator_test.go
+++ b/apps/provisioning/pkg/connection/mutator_test.go
@@ -1,35 +0,0 @@
-package connection_test
-
-import (
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestMutateConnection(t *testing.T) {
-	t.Run("should add URL to Github connection", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Name: "test-private-key",
-				},
-			},
-		}
-
-		require.NoError(t, connection.MutateConnection(c))
-		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
-	})
-}
--- a/apps/provisioning/pkg/connection/validator.go
+++ b/apps/provisioning/pkg/connection/validator.go
@@ -1,104 +0,0 @@
-package connection
-
-import (
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-func ValidateConnection(connection *provisioning.Connection) error {
-	list := field.ErrorList{}
-
-	if connection.Spec.Type == "" {
-		list = append(list, field.Required(field.NewPath("spec", "type"), "type must be specified"))
-	}
-
-	switch connection.Spec.Type {
-	case provisioning.GithubConnectionType:
-		list = append(list, validateGithubConnection(connection)...)
-	case provisioning.BitbucketConnectionType:
-		list = append(list, validateBitbucketConnection(connection)...)
-	case provisioning.GitlabConnectionType:
-		list = append(list, validateGitlabConnection(connection)...)
-	default:
-		list = append(
-			list, field.NotSupported(
-				field.NewPath("spec", "type"),
-				connection.Spec.Type,
-				[]provisioning.ConnectionType{
-					provisioning.GithubConnectionType,
-					provisioning.BitbucketConnectionType,
-					provisioning.GitlabConnectionType,
-				}),
-		)
-	}
-
-	return toError(connection.GetName(), list)
-}
-
-func validateGithubConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.GitHub == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
-		)
-	}
-
-	if connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
-	}
-	if !connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
-	}
-
-	return list
-}
-
-func validateBitbucketConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.Bitbucket == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "bitbucket"), "bitbucket info must be specified in Bitbucket connection"),
-		)
-	}
-	if connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Bitbucket connection"))
-	}
-	if !connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Bitbucket connection"))
-	}
-
-	return list
-}
-
-func validateGitlabConnection(connection *provisioning.Connection) field.ErrorList {
-	list := field.ErrorList{}
-
-	if connection.Spec.Gitlab == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "gitlab"), "gitlab info must be specified in Gitlab connection"),
-		)
-	}
-	if connection.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Gitlab connection"))
-	}
-	if !connection.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Gitlab connection"))
-	}
-
-	return list
-}
-
-// toError converts a field.ErrorList to an error, returning nil if the list is empty
-func toError(name string, list field.ErrorList) error {
-	if len(list) == 0 {
-		return nil
-	}
-	return apierrors.NewInvalid(
-		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
-		name,
-		list,
-	)
-}
--- a/apps/provisioning/pkg/connection/validator_test.go
+++ b/apps/provisioning/pkg/connection/validator_test.go
@@ -1,253 +0,0 @@
-package connection_test
-
-import (
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestValidateConnection(t *testing.T) {
-	tests := []struct {
-		name       string
-		connection *provisioning.Connection
-		wantErr    bool
-		errMsg     string
-	}{
-		{
-			name: "empty type returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec:       provisioning.ConnectionSpec{},
-			},
-			wantErr: true,
-			errMsg:  "spec.type",
-		},
-		{
-			name: "invalid type returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: "invalid",
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.type",
-		},
-		{
-			name: "github type without github config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.github",
-		},
-		{
-			name: "github type without private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "github type with client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "github type with github config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "bitbucket type without bitbucket config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.bitbucket",
-		},
-		{
-			name: "bitbucket type without client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "bitbucket type with private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "bitbucket type with bitbucket config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.BitbucketConnectionType,
-					Bitbucket: &provisioning.BitbucketConnectionConfig{
-						ClientID: "client-123",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: false,
-		},
-		{
-			name: "gitlab type without gitlab config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-				},
-			},
-			wantErr: true,
-			errMsg:  "spec.gitlab",
-		},
-		{
-			name: "gitlab type without client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.clientSecret",
-		},
-		{
-			name: "gitlab type with private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: true,
-			errMsg:  "secure.privateKey",
-		},
-		{
-			name: "gitlab type with gitlab config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GitlabConnectionType,
-					Gitlab: &provisioning.GitlabConnectionConfig{
-						ClientID: "client-456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					ClientSecret: common.InlineSecureValue{
-						Name: "test-client-secret",
-					},
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := connection.ValidateConnection(tt.connection)
-			if tt.wantErr {
-				assert.Error(t, err)
-				if tt.errMsg != "" {
-					assert.Contains(t, err.Error(), tt.errMsg)
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
--- a/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go
+++ b/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go
@@ -13,7 +13,7 @@ import (
 type ConnectionSecureApplyConfiguration struct {
 	PrivateKey   *commonv0alpha1.InlineSecureValue `json:"privateKey,omitempty"`
 	ClientSecret *commonv0alpha1.InlineSecureValue `json:"clientSecret,omitempty"`
-	Token        *commonv0alpha1.InlineSecureValue `json:"webhook,omitempty"`
+	Token        *commonv0alpha1.InlineSecureValue `json:"token,omitempty"`
 }

 // ConnectionSecureApplyConfiguration constructs a declarative configuration of the ConnectionSecure type for use with
--- a/packages/grafana-api-clients/src/clients/rtkq/provisioning/v0alpha1/endpoints.gen.ts
+++ b/packages/grafana-api-clients/src/clients/rtkq/provisioning/v0alpha1/endpoints.gen.ts
@@ -1452,7 +1452,7 @@ export type ConnectionSecure = {
  /** PrivateKey is the reference to the private key used for GitHub App authentication. This value is stored securely and cannot be read back */
  privateKey?: InlineSecureValue;
  /** Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back */
-  webhook?: InlineSecureValue;
+  token?: InlineSecureValue;
 };
 export type BitbucketConnectionConfig = {
  /** App client ID */
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@@ -695,10 +695,6 @@ export interface FeatureToggles {
  */
  passwordlessMagicLinkAuthentication?: boolean;
  /**
-  * Display Related Logs in Grafana Metrics Drilldown
-  */
-  exploreMetricsRelatedLogs?: boolean;
-  /**
  * Adds support for quotes and special characters in label values for Prometheus queries
  */
  prometheusSpecialCharsInLabelValues?: boolean;
--- a/pkg/registry/apis/provisioning/extras/register.go
+++ b/pkg/registry/apis/provisioning/extras/register.go
@@ -2,6 +2,8 @@ package extras

 import (
 	apisprovisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/git"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
@@ -42,6 +44,15 @@ func ProvideProvisioningOSSRepositoryExtras(
 	}
 }

+func ProvideProvisioningOSSConnectionExtras(
+	_ *setting.Cfg,
+	ghFactory ghconnection.GithubFactory,
+) []connection.Extra {
+	return []connection.Extra{
+		ghconnection.Extra(ghFactory),
+	}
+}
+
 func ProvideExtraWorkers(pullRequestWorker *pullrequest.PullRequestWorker) []jobs.Worker {
 	return []jobs.Worker{pullRequestWorker}
 }
@@ -54,3 +65,12 @@ func ProvideFactoryFromConfig(cfg *setting.Cfg, extras []repository.Extra) (repo

 	return repository.ProvideFactory(enabledTypes, extras)
 }
+
+func ProvideConnectionFactoryFromConfig(cfg *setting.Cfg, extras []connection.Extra) (connection.Factory, error) {
+	enabledTypes := make(map[apisprovisioning.ConnectionType]struct{}, len(cfg.ProvisioningRepositoryTypes))
+	for _, e := range cfg.ProvisioningRepositoryTypes {
+		enabledTypes[apisprovisioning.ConnectionType(e)] = struct{}{}
+	}
+
+	return connection.ProvideFactory(enabledTypes, extras)
+}
--- a/pkg/registry/apis/provisioning/register.go
+++ b/pkg/registry/apis/provisioning/register.go
@@ -30,7 +30,7 @@ import (

 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
 	"github.com/grafana/grafana/apps/provisioning/pkg/auth"
-	connectionvalidation "github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
 	appcontroller "github.com/grafana/grafana/apps/provisioning/pkg/controller"
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 	client "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1"
@@ -105,20 +105,21 @@ type APIBuilder struct {
 		jobs.Queue
 		jobs.Store
 	}
-	jobHistoryConfig *JobHistoryConfig
-	jobHistoryLoki   *jobs.LokiJobHistory
-	resourceLister   resources.ResourceLister
-	dashboardAccess  legacy.MigrationDashboardAccessor
-	unified          resource.ResourceClient
-	repoFactory      repository.Factory
-	client           client.ProvisioningV0alpha1Interface
-	access           auth.AccessChecker
-	accessWithAdmin  auth.AccessChecker
-	accessWithEditor auth.AccessChecker
-	accessWithViewer auth.AccessChecker
-	statusPatcher    *appcontroller.RepositoryStatusPatcher
-	healthChecker    *controller.HealthChecker
-	validator        repository.RepositoryValidator
+	jobHistoryConfig  *JobHistoryConfig
+	jobHistoryLoki    *jobs.LokiJobHistory
+	resourceLister    resources.ResourceLister
+	dashboardAccess   legacy.MigrationDashboardAccessor
+	unified           resource.ResourceClient
+	repoFactory       repository.Factory
+	connectionFactory connection.Factory
+	client            client.ProvisioningV0alpha1Interface
+	access            auth.AccessChecker
+	accessWithAdmin   auth.AccessChecker
+	accessWithEditor  auth.AccessChecker
+	accessWithViewer  auth.AccessChecker
+	statusPatcher     *appcontroller.RepositoryStatusPatcher
+	healthChecker     *controller.HealthChecker
+	repoValidator     repository.RepositoryValidator
 	// Extras provides additional functionality to the API.
 	extras       []Extra
 	extraWorkers []jobs.Worker
@@ -133,6 +134,7 @@ type APIBuilder struct {
 func NewAPIBuilder(
 	onlyApiServer bool,
 	repoFactory repository.Factory,
+	connectionFactory connection.Factory,
 	features featuremgmt.FeatureToggles,
 	unified resource.ResourceClient,
 	configProvider apiserver.RestConfigProvider,
@@ -176,6 +178,7 @@ func NewAPIBuilder(
 		usageStats:                          usageStats,
 		features:                            features,
 		repoFactory:                         repoFactory,
+		connectionFactory:                   connectionFactory,
 		clients:                             clients,
 		parsers:                             parsers,
 		repositoryResources:                 resources.NewRepositoryResourcesFactory(parsers, clients, resourceLister),
@@ -192,7 +195,7 @@ func NewAPIBuilder(
 		allowedTargets:                      allowedTargets,
 		allowImageRendering:                 allowImageRendering,
 		registry:                            registry,
-		validator:                           repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
+		repoValidator:                       repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
 		useExclusivelyAccessCheckerForAuthz: useExclusivelyAccessCheckerForAuthz,
 	}

@@ -253,6 +256,7 @@ func RegisterAPIService(
 	extraBuilders []ExtraBuilder,
 	extraWorkers []jobs.Worker,
 	repoFactory repository.Factory,
+	connectionFactory connection.Factory,
 ) (*APIBuilder, error) {
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if !features.IsEnabledGlobally(featuremgmt.FlagProvisioning) {
@@ -271,6 +275,7 @@ func RegisterAPIService(
 	builder := NewAPIBuilder(
 		cfg.DisableControllers,
 		repoFactory,
+		connectionFactory,
 		features,
 		client,
 		configProvider,
@@ -641,7 +646,7 @@ func (b *APIBuilder) UpdateAPIGroupInfo(apiGroupInfo *genericapiserver.APIGroupI
 	storage[provisioning.ConnectionResourceInfo.StoragePath("repositories")] = NewConnectionRepositoriesConnector()

 	// TODO: Add some logic so that the connectors can registered themselves and we don't have logic all over the place
-	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.validator), b.VerifyAgainstExistingRepositories))
+	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.repoValidator), b.VerifyAgainstExistingRepositories))
 	storage[provisioning.RepositoryResourceInfo.StoragePath("files")] = NewFilesConnector(b, b.parsers, b.clients, b.accessWithAdmin)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("refs")] = NewRefsConnector(b)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("resources")] = &listConnector{
@@ -682,10 +687,15 @@ func (b *APIBuilder) Mutate(ctx context.Context, a admission.Attributes, o admis
 	if ok {
 		return nil
 	}
-	// TODO: complete this as part of https://github.com/grafana/git-ui-sync-project/issues/700
+
 	c, ok := obj.(*provisioning.Connection)
 	if ok {
-		return connectionvalidation.MutateConnection(c)
+		conn, err := b.asConnection(ctx, c, nil)
+		if err != nil {
+			return err
+		}
+
+		return conn.Mutate(ctx)
 	}

 	r, ok := obj.(*provisioning.Repository)
@@ -736,9 +746,15 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 		return nil
 	}

-	connection, ok := obj.(*provisioning.Connection)
+	// Validate connections
+	c, ok := obj.(*provisioning.Connection)
 	if ok {
-		return connectionvalidation.ValidateConnection(connection)
+		conn, err := b.asConnection(ctx, c, a.GetOldObject())
+		if err != nil {
+			return err
+		}
+
+		return conn.Validate(ctx)
 	}

 	// Validate Jobs
@@ -758,7 +774,7 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 	// the only time to add configuration checks here is if you need to compare
 	// the incoming change to the current configuration
 	isCreate := a.GetOperation() == admission.Create
-	list := b.validator.ValidateRepository(repo, isCreate)
+	list := b.repoValidator.ValidateRepository(repo, isCreate)
 	cfg := repo.Config()

 	if a.GetOperation() == admission.Update {
@@ -831,7 +847,7 @@ func (b *APIBuilder) GetPostStartHooks() (map[string]genericapiserver.PostStartH
 			}

 			b.statusPatcher = appcontroller.NewRepositoryStatusPatcher(b.GetClient())
-			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.validator))
+			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.repoValidator))

 			// if running solely CRUD, skip the rest of the setup
 			if b.onlyApiServer {
@@ -1449,6 +1465,35 @@ func (b *APIBuilder) asRepository(ctx context.Context, obj runtime.Object, old r
 	return b.repoFactory.Build(ctx, r)
 }

+func (b *APIBuilder) asConnection(ctx context.Context, obj runtime.Object, old runtime.Object) (connection.Connection, error) {
+	if obj == nil {
+		return nil, fmt.Errorf("missing connection object")
+	}
+
+	c, ok := obj.(*provisioning.Connection)
+	if !ok {
+		return nil, fmt.Errorf("expected connection object")
+	}
+
+	// Copy previous values if they exist
+	if old != nil {
+		o, ok := old.(*provisioning.Connection)
+		if ok && !o.Secure.IsZero() {
+			if c.Secure.PrivateKey.IsZero() {
+				c.Secure.PrivateKey = o.Secure.PrivateKey
+			}
+			if c.Secure.Token.IsZero() {
+				c.Secure.Token = o.Secure.Token
+			}
+			if c.Secure.ClientSecret.IsZero() {
+				c.Secure.ClientSecret = o.Secure.ClientSecret
+			}
+		}
+	}
+
+	return b.connectionFactory.Build(ctx, c)
+}
+
 func getJSONResponse(ref string) *spec3.Responses {
 	return &spec3.Responses{
 		ResponsesProps: spec3.ResponsesProps{
--- a/pkg/registry/apis/provisioning/register_validate_test.go
+++ b/pkg/registry/apis/provisioning/register_validate_test.go
@@ -28,7 +28,7 @@ func TestAPIBuilderValidate(t *testing.T) {
 		repoFactory:         factory,
 		allowedTargets:      []v0alpha1.SyncTargetType{v0alpha1.SyncTargetTypeFolder},
 		allowImageRendering: false,
-		validator:           validator,
+		repoValidator:       validator,
 	}

 	t.Run("min sync interval is less than 10 seconds", func(t *testing.T) {
--- a/pkg/registry/apis/wireset.go
+++ b/pkg/registry/apis/wireset.go
@@ -44,6 +44,7 @@ var provisioningExtras = wire.NewSet(
 	pullrequest.ProvidePullRequestWorker,
 	webhooks.ProvideWebhooksWithImages,
 	extras.ProvideFactoryFromConfig,
+	extras.ProvideConnectionFactoryFromConfig,
 	extras.ProvideProvisioningExtraAPIs,
 	extras.ProvideExtraWorkers,
 )
--- a/pkg/server/test_env.go
+++ b/pkg/server/test_env.go
@@ -3,6 +3,7 @@ package server
 import (
 	"github.com/stretchr/testify/mock"

+	githubconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/apps/secret/pkg/decrypt"
 	"github.com/grafana/grafana/pkg/infra/db"
@@ -34,24 +35,26 @@ func ProvideTestEnv(
 	featureMgmt featuremgmt.FeatureToggles,
 	resourceClient resource.ResourceClient,
 	idService auth.IDService,
-	githubFactory *github.Factory,
+	githubRepoFactory *github.Factory,
+	githubConnectionFactory githubconnection.GithubFactory,
 	decryptService decrypt.DecryptService,
 ) (*TestEnv, error) {
 	return &TestEnv{
-		TestingT:            testingT,
-		Server:              server,
-		SQLStore:            db,
-		Cfg:                 cfg,
-		NotificationService: ns,
-		GRPCServer:          grpcServer,
-		PluginRegistry:      pluginRegistry,
-		HTTPClientProvider:  httpClientProvider,
-		OAuthTokenService:   oAuthTokenService,
-		FeatureToggles:      featureMgmt,
-		ResourceClient:      resourceClient,
-		IDService:           idService,
-		GitHubFactory:       githubFactory,
-		DecryptService:      decryptService,
+		TestingT:                testingT,
+		Server:                  server,
+		SQLStore:                db,
+		Cfg:                     cfg,
+		NotificationService:     ns,
+		GRPCServer:              grpcServer,
+		PluginRegistry:          pluginRegistry,
+		HTTPClientProvider:      httpClientProvider,
+		OAuthTokenService:       oAuthTokenService,
+		FeatureToggles:          featureMgmt,
+		ResourceClient:          resourceClient,
+		IDService:               idService,
+		GithubRepoFactory:       githubRepoFactory,
+		GithubConnectionFactory: githubConnectionFactory,
+		DecryptService:          decryptService,
 	}, nil
 }

@@ -60,18 +63,19 @@ type TestEnv struct {
 		mock.TestingT
 		Cleanup(func())
 	}
-	Server              *Server
-	SQLStore            db.DB
-	Cfg                 *setting.Cfg
-	NotificationService *notifications.NotificationServiceMock
-	GRPCServer          grpcserver.Provider
-	PluginRegistry      registry.Service
-	HTTPClientProvider  httpclient.Provider
-	OAuthTokenService   *oauthtokentest.Service
-	RequestMiddleware   web.Middleware
-	FeatureToggles      featuremgmt.FeatureToggles
-	ResourceClient      resource.ResourceClient
-	IDService           auth.IDService
-	GitHubFactory       *github.Factory
-	DecryptService      decrypt.DecryptService
+	Server                  *Server
+	SQLStore                db.DB
+	Cfg                     *setting.Cfg
+	NotificationService     *notifications.NotificationServiceMock
+	GRPCServer              grpcserver.Provider
+	PluginRegistry          registry.Service
+	HTTPClientProvider      httpclient.Provider
+	OAuthTokenService       *oauthtokentest.Service
+	RequestMiddleware       web.Middleware
+	FeatureToggles          featuremgmt.FeatureToggles
+	ResourceClient          resource.ResourceClient
+	IDService               auth.IDService
+	GithubRepoFactory       *github.Factory
+	GithubConnectionFactory githubconnection.GithubFactory
+	DecryptService          decrypt.DecryptService
 }
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@@ -15,6 +15,7 @@ import (
 	"go.opentelemetry.io/otel/trace"

 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/pkg/api"
 	"github.com/grafana/grafana/pkg/api/avatar"
@@ -297,6 +298,7 @@ var wireBasicSet = wire.NewSet(
 	notifications.ProvideService,
 	notifications.ProvideSmtpService,
 	github.ProvideFactory,
+	ghconnection.ProvideFactory,
 	tracing.ProvideService,
 	tracing.ProvideTracingConfig,
 	wire.Bind(new(tracing.Tracer), new(*tracing.TracingService)),
--- a/pkg/server/wire_gen.go
+++ b/pkg/server/wire_gen.go
--- a/pkg/server/wireexts_oss.go
+++ b/pkg/server/wireexts_oss.go
@@ -72,6 +72,7 @@ import (

 var provisioningExtras = wire.NewSet(
 	extras.ProvideProvisioningOSSRepositoryExtras,
+	extras.ProvideProvisioningOSSConnectionExtras,
 )

 var configProviderExtras = wire.NewSet(
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@@ -1148,14 +1148,6 @@ var (
 			Owner:        identityAccessTeam,
 			HideFromDocs: true,
 		},
-		{
-			Name:         "exploreMetricsRelatedLogs",
-			Description:  "Display Related Logs in Grafana Metrics Drilldown",
-			Stage:        FeatureStageExperimental,
-			Owner:        grafanaObservabilityMetricsSquad,
-			FrontendOnly: true,
-			HideFromDocs: false,
-		},
 		{
 			Name:         "prometheusSpecialCharsInLabelValues",
 			Description:  "Adds support for quotes and special characters in label values for Prometheus queries",
--- a/pkg/services/featuremgmt/toggles_gen.csv
+++ b/pkg/services/featuremgmt/toggles_gen.csv
@@ -159,7 +159,6 @@ newTimeRangeZoomShortcuts,experimental,@grafana/dataviz-squad,false,false,true
 azureMonitorDisableLogLimit,GA,@grafana/partner-datasources,false,false,false
 playlistsReconciler,experimental,@grafana/grafana-app-platform-squad,false,true,false
 passwordlessMagicLinkAuthentication,experimental,@grafana/identity-access-team,false,false,false
-exploreMetricsRelatedLogs,experimental,@grafana/observability-metrics,false,false,true
 prometheusSpecialCharsInLabelValues,experimental,@grafana/oss-big-tent,false,false,true
 enableExtensionsAdminPage,experimental,@grafana/plugins-platform-backend,false,true,false
 enableSCIM,preview,@grafana/identity-access-team,false,false,false
--- a/pkg/services/featuremgmt/toggles_gen.json
+++ b/pkg/services/featuremgmt/toggles_gen.json
@@ -348,6 +348,20 @@
        "expression": "true"
      }
    },
+    {
+      "metadata": {
+        "name": "alertingNavigationV2",
+        "resourceVersion": "1767827323622",
+        "creationTimestamp": "2026-01-07T23:08:43Z",
+        "deletionTimestamp": "2026-01-12T18:34:54Z"
+      },
+      "spec": {
+        "description": "Enable new grouped navigation structure for Alerting",
+        "stage": "experimental",
+        "codeowner": "@grafana/alerting-squad",
+        "expression": "false"
+      }
+    },
    {
      "metadata": {
        "name": "alertingNotificationHistory",
@@ -1408,7 +1422,8 @@
      "metadata": {
        "name": "exploreMetricsRelatedLogs",
        "resourceVersion": "1764664939750",
-        "creationTimestamp": "2024-11-05T16:28:43Z"
+        "creationTimestamp": "2024-11-05T16:28:43Z",
+        "deletionTimestamp": "2026-01-09T22:14:53Z"
      },
      "spec": {
        "description": "Display Related Logs in Grafana Metrics Drilldown",
--- a/pkg/services/navtree/navtreeimpl/navtree.go
+++ b/pkg/services/navtree/navtreeimpl/navtree.go
@@ -436,38 +436,91 @@ func (s *ServiceImpl) buildAlertNavLinks(c *contextmodel.ReqContext) *navtree.Na
 	hasAccess := ac.HasAccess(s.accessControl, c)
 	var alertChildNavs []*navtree.NavLink

+	var alertActivityChildren []*navtree.NavLink
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingTriage) {
 		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
+			alertActivityChildren = append(alertActivityChildren, &navtree.NavLink{
+				Text:     "Alerts",
+				SubTitle: "Visualize active and pending alerts",
+				Id:       "alert-activity-alerts",
+				Url:      s.cfg.AppSubURL + "/alerting/alerts",
+				Icon:     "bell",
+			})
+		}
+
+		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingInstanceRead), ac.EvalPermission(ac.ActionAlertingInstancesExternalRead))) {
+			alertActivityChildren = append(alertActivityChildren, &navtree.NavLink{
+				Text:     "Active notifications",
+				SubTitle: "See grouped alerts with active notifications",
+				Id:       "alert-activity-groups",
+				Url:      s.cfg.AppSubURL + "/alerting/groups",
+				Icon:     "layer-group",
+			})
+		}
+		if len(alertActivityChildren) > 0 {
 			alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-				Text: "Alert activity", SubTitle: "Visualize active and pending alerts", Id: "alert-alerts", Url: s.cfg.AppSubURL + "/alerting/alerts", Icon: "bell", IsNew: true,
+				Text:     "Alert activity",
+				SubTitle: "Visualize active and pending alerts",
+				Id:       "alert-activity",
+				Url:      s.cfg.AppSubURL + "/alerting/alerts",
+				Icon:     "bell",
+				IsNew:    true,
+				Children: alertActivityChildren,
 			})
 		}
 	}

+	var alertRulesChildren []*navtree.NavLink
 	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
-		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text: "Alert rules", SubTitle: "Rules that determine whether an alert will fire", Id: "alert-list", Url: s.cfg.AppSubURL + "/alerting/list", Icon: "list-ul",
+		alertRulesChildren = append(alertRulesChildren, &navtree.NavLink{
+			Text:     "Alert rules",
+			SubTitle: "Rules that determine whether an alert will fire",
+			Id:       "alert-rules-list",
+			Url:      s.cfg.AppSubURL + "/alerting/list",
+			Icon:     "list-ul",
 		})
 	}
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if c.GetOrgRole() == org.RoleAdmin && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertRuleRestore) && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingRuleRecoverDeleted) {
+		alertRulesChildren = append(alertRulesChildren, &navtree.NavLink{
+			Text:     "Recently deleted",
+			SubTitle: "Any items listed here for more than 30 days will be automatically deleted.",
+			Id:       "alert-rules-recently-deleted",
+			Url:      s.cfg.AppSubURL + "/alerting/recently-deleted",
+		})
+	}
+	if len(alertRulesChildren) > 0 {
+		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
+			Text:     "Alert rules",
+			SubTitle: "Manage alert and recording rules",
+			Id:       "alert-rules",
+			Url:      s.cfg.AppSubURL + "/alerting/list",
+			Icon:     "list-ul",
+			Children: alertRulesChildren,
+		})
+	}
+
+	var notificationConfigChildren []*navtree.NavLink

 	contactPointsPerms := []ac.Evaluator{
 		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
 		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
-
 		ac.EvalPermission(ac.ActionAlertingReceiversRead),
 		ac.EvalPermission(ac.ActionAlertingReceiversReadSecrets),
 		ac.EvalPermission(ac.ActionAlertingReceiversCreate),
-
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesRead),
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesWrite),
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesDelete),
 	}

 	if hasAccess(ac.EvalAny(contactPointsPerms...)) {
-		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text: "Contact points", SubTitle: "Choose how to notify your contact points when an alert instance fires", Id: "receivers", Url: s.cfg.AppSubURL + "/alerting/notifications",
-			Icon: "comment-alt-share",
+		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
+			Text:     "Contact points",
+			SubTitle: "Choose how to notify your contact points when an alert instance fires",
+			Id:       "notification-config-contact-points",
+			Url:      s.cfg.AppSubURL + "/alerting/notifications",
+			Icon:     "comment-alt-share",
 		})
 	}

@@ -479,54 +532,116 @@ func (s *ServiceImpl) buildAlertNavLinks(c *contextmodel.ReqContext) *navtree.Na
 		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsRead),
 		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsWrite),
 	)) {
-		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Notification policies", SubTitle: "Determine how alerts are routed to contact points", Id: "am-routes", Url: s.cfg.AppSubURL + "/alerting/routes", Icon: "sitemap"})
+		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
+			Text:     "Notification policies",
+			SubTitle: "Determine how alerts are routed to contact points",
+			Id:       "notification-config-policies",
+			Url:      s.cfg.AppSubURL + "/alerting/routes",
+			Icon:     "sitemap",
+		})
+	}
+
+	if hasAccess(ac.EvalAny(contactPointsPerms...)) {
+		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
+			Text:     "Notification templates",
+			SubTitle: "Manage notification templates",
+			Id:       "notification-config-templates",
+			Url:      s.cfg.AppSubURL + "/alerting/notifications/templates",
+			Icon:     "file-alt",
+		})
 	}

 	if hasAccess(ac.EvalAny(
-		ac.EvalPermission(ac.ActionAlertingInstanceRead),
-		ac.EvalPermission(ac.ActionAlertingInstancesExternalRead),
-		ac.EvalPermission(ac.ActionAlertingSilencesRead),
+		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
+		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
+		ac.EvalPermission(ac.ActionAlertingRoutesRead),
+		ac.EvalPermission(ac.ActionAlertingRoutesWrite),
+		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsRead),
+		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsWrite),
 	)) {
-		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Silences", SubTitle: "Stop notifications from one or more alerting rules", Id: "silences", Url: s.cfg.AppSubURL + "/alerting/silences", Icon: "bell-slash"})
+		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
+			Text:     "Time intervals",
+			SubTitle: "Configure time intervals for notification policies",
+			Id:       "notification-config-time-intervals",
+			Url:      s.cfg.AppSubURL + "/alerting/routes?tab=time_intervals",
+			Icon:     "clock-nine",
+		})
 	}

-	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingInstanceRead), ac.EvalPermission(ac.ActionAlertingInstancesExternalRead))) {
-		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Alert groups", SubTitle: "See grouped alerts with active notifications", Id: "groups", Url: s.cfg.AppSubURL + "/alerting/groups", Icon: "layer-group"})
+	if len(notificationConfigChildren) > 0 {
+		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
+			Text:     "Notification configuration",
+			SubTitle: "Configure how alerts are notified",
+			Id:       "notification-config",
+			Url:      s.cfg.AppSubURL + "/alerting/notifications",
+			Icon:     "cog",
+			Children: notificationConfigChildren,
+		})
 	}

+	var insightsChildren []*navtree.NavLink
+
+	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
+		insightsChildren = append(insightsChildren, &navtree.NavLink{
+			Text:     "System Insights",
+			SubTitle: "View system insights and analytics",
+			Id:       "insights-system", Url: s.cfg.AppSubURL + "/alerting/insights",
+			Icon: "chart-line",
+		})
+	}
+	// Alert state history
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingCentralAlertHistory) {
 		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead))) {
-			alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-				Text:     "History",
+			insightsChildren = append(insightsChildren, &navtree.NavLink{
+				Text:     "Alert state history",
 				SubTitle: "View a history of all alert events generated by your Grafana-managed alert rules. All alert events are displayed regardless of whether silences or mute timings are set.",
-				Id:       "alerts-history",
+				Id:       "insights-history",
 				Url:      s.cfg.AppSubURL + "/alerting/history",
 				Icon:     "history",
 			})
 		}
 	}
-	//nolint:staticcheck // not yet migrated to OpenFeature
-	if c.GetOrgRole() == org.RoleAdmin && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertRuleRestore) && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingRuleRecoverDeleted) {
+
+	if len(insightsChildren) > 0 {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:     "Recently deleted",
-			SubTitle: "Any items listed here for more than 30 days will be automatically deleted.",
-			Id:       "alerts/recently-deleted",
-			Url:      s.cfg.AppSubURL + "/alerting/recently-deleted",
+			Text:     "Insights",
+			SubTitle: "Analytics and history for alerting",
+			Id:       "insights",
+			Url:      s.cfg.AppSubURL + "/alerting/insights",
+			Icon:     "chart-line",
+			Children: insightsChildren,
 		})
 	}

 	if c.GetOrgRole() == org.RoleAdmin {
+		settingsChildren := []*navtree.NavLink{
+			{
+				Text: "Settings",
+				Id:   "alerting-admin",
+				Url:  s.cfg.AppSubURL + "/alerting/admin",
+				Icon: "cog",
+			},
+		}
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text: "Settings", Id: "alerting-admin", Url: s.cfg.AppSubURL + "/alerting/admin",
-			Icon: "cog",
+			Text:     "Settings",
+			SubTitle: "Alerting configuration and administration",
+			Id:       "alerting-settings",
+			Url:      s.cfg.AppSubURL + "/alerting/admin",
+			Icon:     "cog",
+			Children: settingsChildren,
 		})
 	}

 	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleCreate), ac.EvalPermission(ac.ActionAlertingRuleExternalWrite))) {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text: "Create alert rule", SubTitle: "Create an alert rule", Id: "alert",
-			Icon: "plus", Url: s.cfg.AppSubURL + "/alerting/new", HideFromTabs: true, IsCreateAction: true,
+			Text:           "Create alert rule",
+			SubTitle:       "Create an alert rule",
+			Id:             "alert",
+			Icon:           "plus",
+			Url:            s.cfg.AppSubURL + "/alerting/new",
+			HideFromTabs:   true,
+			IsCreateAction: true,
 		})
 	}

--- a/pkg/services/navtree/navtreeimpl/navtree_alerting_test.go
+++ b/pkg/services/navtree/navtreeimpl/navtree_alerting_test.go
@@ -0,0 +1,158 @@
+package navtreeimpl
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/grafana/grafana/pkg/infra/log"
+	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
+	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
+	"github.com/grafana/grafana/pkg/services/navtree"
+	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/web"
+)
+
+// Test fixtures
+func setupTestContext() *contextmodel.ReqContext {
+	httpReq, _ := http.NewRequest(http.MethodGet, "", nil)
+	return &contextmodel.ReqContext{
+		SignedInUser: &user.SignedInUser{
+			UserID:  1,
+			OrgID:   1,
+			OrgRole: org.RoleAdmin,
+		},
+		Context: &web.Context{Req: httpReq},
+	}
+}
+
+func setupTestService(permissions []ac.Permission, featureFlags ...string) ServiceImpl {
+	// Convert string slice to []any for WithFeatures
+	flags := make([]any, len(featureFlags))
+	for i, flag := range featureFlags {
+		flags[i] = flag
+	}
+	return ServiceImpl{
+		log:           log.New("navtree"),
+		cfg:           setting.NewCfg(),
+		accessControl: accesscontrolmock.New().WithPermissions(permissions),
+		features:      featuremgmt.WithFeatures(flags...),
+	}
+}
+
+func fullPermissions() []ac.Permission {
+	return []ac.Permission{
+		{Action: ac.ActionAlertingRuleRead, Scope: "*"},
+		{Action: ac.ActionAlertingNotificationsRead, Scope: "*"},
+		{Action: ac.ActionAlertingRoutesRead, Scope: "*"},
+		{Action: ac.ActionAlertingInstanceRead, Scope: "*"},
+	}
+}
+
+// Helper to find a nav link by ID
+func findNavLink(navLink *navtree.NavLink, id string) *navtree.NavLink {
+	if navLink == nil {
+		return nil
+	}
+	if navLink.Id == id {
+		return navLink
+	}
+	for _, child := range navLink.Children {
+		if found := findNavLink(child, id); found != nil {
+			return found
+		}
+	}
+	return nil
+}
+
+// Helper to check if a nav link has a child with given ID
+func hasChildWithId(parent *navtree.NavLink, childId string) bool {
+	if parent == nil {
+		return false
+	}
+	for _, child := range parent.Children {
+		if child.Id == childId {
+			return true
+		}
+	}
+	return false
+}
+
+func TestBuildAlertNavLinks(t *testing.T) {
+	reqCtx := setupTestContext()
+	allFeatureFlags := []string{"alertingTriage", "alertingCentralAlertHistory", "alertRuleRestore", "alertingRuleRecoverDeleted"}
+	service := setupTestService(fullPermissions(), allFeatureFlags...)
+
+	t.Run("Should have correct parent structure", func(t *testing.T) {
+		navLink := service.buildAlertNavLinks(reqCtx)
+		require.NotNil(t, navLink)
+		require.NotEmpty(t, navLink.Children)
+
+		// Verify all parent items exist with children
+		parentIds := []string{"alert-rules", "notification-config", "insights", "alerting-settings"}
+		for _, parentId := range parentIds {
+			parent := findNavLink(navLink, parentId)
+			require.NotNil(t, parent, "Should have parent %s", parentId)
+			require.NotEmpty(t, parent.Children, "Parent %s should have children", parentId)
+		}
+	})
+
+	t.Run("Should have correct tabs under each parent", func(t *testing.T) {
+		navLink := service.buildAlertNavLinks(reqCtx)
+		require.NotNil(t, navLink)
+
+		// Table-driven test for tab verification
+		tests := []struct {
+			parentId     string
+			expectedTabs []string
+		}{
+			{"alert-rules", []string{"alert-rules-list", "alert-rules-recently-deleted"}},
+			{"notification-config", []string{"notification-config-contact-points", "notification-config-policies", "notification-config-templates", "notification-config-time-intervals"}},
+			{"insights", []string{"insights-system", "insights-history"}},
+		}
+
+		for _, tt := range tests {
+			parent := findNavLink(navLink, tt.parentId)
+			require.NotNil(t, parent, "Should have %s parent", tt.parentId)
+
+			for _, expectedTab := range tt.expectedTabs {
+				require.True(t, hasChildWithId(parent, expectedTab), "Parent %s should have tab %s", tt.parentId, expectedTab)
+			}
+		}
+	})
+
+	t.Run("Should respect permissions", func(t *testing.T) {
+		limitedPermissions := []ac.Permission{
+			{Action: ac.ActionAlertingRuleRead, Scope: "*"},
+		}
+		limitedService := setupTestService(limitedPermissions)
+
+		navLink := limitedService.buildAlertNavLinks(reqCtx)
+		require.NotNil(t, navLink)
+
+		// Should not have notification-config without notification permissions
+		require.Nil(t, findNavLink(navLink, "notification-config"), "Should not have notification-config without permissions")
+	})
+
+	t.Run("Should exclude future items", func(t *testing.T) {
+		navLink := service.buildAlertNavLinks(reqCtx)
+		require.NotNil(t, navLink)
+
+		// Verify future items are not present
+		futureIds := []string{
+			"alert-rules-recording-rules",
+			"alert-rules-evaluation-chains",
+			"insights-alert-optimizer",
+			"insights-notification-history",
+		}
+
+		for _, futureId := range futureIds {
+			require.Nil(t, findNavLink(navLink, futureId), "Should not have future item %s", futureId)
+		}
+	})
+}
--- a/pkg/storage/unified/resource/notifier.go
+++ b/pkg/storage/unified/resource/notifier.go
@@ -78,13 +78,13 @@ func (n *notifier) Watch(ctx context.Context, opts watchOptions) <-chan Event {
 	cache := gocache.New(cacheTTL, cacheCleanupInterval)
 	events := make(chan Event, opts.BufferSize)

-	initialRV, err := n.lastEventResourceVersion(ctx)
+	lastRV, err := n.lastEventResourceVersion(ctx)
 	if errors.Is(err, ErrNotFound) {
-		initialRV = snowflakeFromTime(time.Now()) // No events yet, start from the beginning
+		lastRV = 0 // No events yet, start from the beginning
 	} else if err != nil {
 		n.log.Error("Failed to get last event resource version", "error", err)
 	}
-	lastRV := initialRV + 1 // We want to start watching from the next event
+	lastRV = lastRV + 1 // We want to start watching from the next event

 	go func() {
 		defer close(events)
@@ -110,7 +110,7 @@ func (n *notifier) Watch(ctx context.Context, opts watchOptions) <-chan Event {
 					}

 					// Skip old events lower than the requested resource version
-					if evt.ResourceVersion <= initialRV {
+					if evt.ResourceVersion < lastRV {
 						continue
 					}

--- a/pkg/storage/unified/resource/notifier_test.go
+++ b/pkg/storage/unified/resource/notifier_test.go
@@ -25,7 +25,6 @@ func setupTestNotifier(t *testing.T) (*notifier, *eventStore) {
 	return notifier, eventStore
 }

-// nolint:unused
 func setupTestNotifierSqlKv(t *testing.T) (*notifier, *eventStore) {
 	dbstore := db.InitTestDB(t)
 	eDB, err := dbimpl.ProvideResourceDB(dbstore, setting.NewCfg(), nil)
@@ -60,8 +59,7 @@ func runNotifierTestWith(t *testing.T, storeName string, newStoreFn func(*testin

 func TestNotifier_lastEventResourceVersion(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierLastEventResourceVersion)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierLastEventResourceVersion)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierLastEventResourceVersion)
 }

 func testNotifierLastEventResourceVersion(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -112,8 +110,7 @@ func testNotifierLastEventResourceVersion(t *testing.T, ctx context.Context, not

 func TestNotifier_cachekey(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierCachekey)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierCachekey)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierCachekey)
 }

 func testNotifierCachekey(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -167,8 +164,7 @@ func testNotifierCachekey(t *testing.T, ctx context.Context, notifier *notifier,

 func TestNotifier_Watch_NoEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchNoEvents)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchNoEvents)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchNoEvents)
 }

 func testNotifierWatchNoEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -209,8 +205,7 @@ func testNotifierWatchNoEvents(t *testing.T, ctx context.Context, notifier *noti

 func TestNotifier_Watch_WithExistingEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchWithExistingEvents)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchWithExistingEvents)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchWithExistingEvents)
 }

 func testNotifierWatchWithExistingEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -284,8 +279,7 @@ func testNotifierWatchWithExistingEvents(t *testing.T, ctx context.Context, noti

 func TestNotifier_Watch_EventDeduplication(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchEventDeduplication)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchEventDeduplication)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchEventDeduplication)
 }

 func testNotifierWatchEventDeduplication(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -351,8 +345,7 @@ func testNotifierWatchEventDeduplication(t *testing.T, ctx context.Context, noti

 func TestNotifier_Watch_ContextCancellation(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchContextCancellation)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchContextCancellation)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchContextCancellation)
 }

 func testNotifierWatchContextCancellation(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -398,8 +391,7 @@ func testNotifierWatchContextCancellation(t *testing.T, ctx context.Context, not

 func TestNotifier_Watch_MultipleEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchMultipleEvents)
-	// enable this when sqlkv is ready
-	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchMultipleEvents)
+	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchMultipleEvents)
 }

 func testNotifierWatchMultipleEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
--- a/pkg/storage/unified/resource/storage_backend.go
+++ b/pkg/storage/unified/resource/storage_backend.go
@@ -346,7 +346,8 @@ func (k *kvStorageBackend) WriteEvent(ctx context.Context, event WriteEvent) (in
 			return 0, fmt.Errorf("failed to write data: %w", err)
 		}

-		dataKey.ResourceVersion = rvmanager.SnowflakeFromRv(rv)
+		rv = rvmanager.SnowflakeFromRv(rv)
+		dataKey.ResourceVersion = rv
 	} else {
 		err := k.dataStore.Save(ctx, dataKey, bytes.NewReader(event.Value))
 		if err != nil {
--- a/pkg/storage/unified/testing/storage_backend_sql_compatibility.go
+++ b/pkg/storage/unified/testing/storage_backend_sql_compatibility.go
@@ -9,7 +9,6 @@ import (
 	"testing"
 	"time"

-	"github.com/bwmarrin/snowflake"
 	"github.com/stretchr/testify/require"

 	claims "github.com/grafana/authlib/types"
@@ -187,13 +186,30 @@ func runKeyPathTest(t *testing.T, backend resource.StorageBackend, nsPrefix stri

 // verifyKeyPath is a helper function to verify key_path generation
 func verifyKeyPath(t *testing.T, db sqldb.DB, ctx context.Context, key *resourcepb.ResourceKey, action string, resourceVersion int64, expectedFolder string) {
+	// For SQL backend (namespace contains "-sql"), resourceVersion is in microsecond format
+	// but key_path stores snowflake RV, so convert to snowflake
+	// For KV backend (namespace contains "-kv"), resourceVersion is already in snowflake format
+	isSqlBackend := strings.Contains(key.Namespace, "-sql")
+
+	var keyPathRV int64
+	if isSqlBackend {
+		// Convert microsecond RV to snowflake for key_path construction
+		keyPathRV = rvmanager.SnowflakeFromRv(resourceVersion)
+	} else {
+		// KV backend already provides snowflake RV
+		keyPathRV = resourceVersion
+	}
+
+	// Build the expected key_path using DataKey format: unified/data/group/resource/namespace/name/resourceVersion~action~folder
+	expectedKeyPath := fmt.Sprintf("unified/data/%s/%s/%s/%s/%d~%s~%s", key.Group, key.Resource, key.Namespace, key.Name, keyPathRV, action, expectedFolder)
+
 	var query string
 	if db.DriverName() == "postgres" {
-		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE namespace = $1 AND name = $2 AND resource_version = $3"
+		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE key_path = $1"
 	} else {
-		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE namespace = ? AND name = ? AND resource_version = ?"
+		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE key_path = ?"
 	}
-	rows, err := db.QueryContext(ctx, query, key.Namespace, key.Name, resourceVersion)
+	rows, err := db.QueryContext(ctx, query, expectedKeyPath)
 	require.NoError(t, err)

 	require.True(t, rows.Next(), "Resource not found in resource_history table - both SQL and KV backends should write to this table")
@@ -220,10 +236,6 @@ func verifyKeyPath(t *testing.T, db sqldb.DB, ctx context.Context, key *resource
 	// Verify action suffix
 	require.Contains(t, keyPath, fmt.Sprintf("~%s~", action))

-	// Verify snowflake calculation
-	expectedSnowflake := (((resourceVersion / 1000) - snowflake.Epoch) << (snowflake.NodeBits + snowflake.StepBits)) + (resourceVersion % 1000)
-	require.Contains(t, keyPath, fmt.Sprintf("/%d~", expectedSnowflake), "actual RV: %d", actualRV)
-
 	// Verify folder if specified
 	if expectedFolder != "" {
 		require.Equal(t, expectedFolder, actualFolder)
@@ -492,10 +504,10 @@ func verifyResourceHistoryRecord(t *testing.T, record ResourceHistoryRecord, exp
 	}

 	// Validate previous_resource_version
-	// For KV backend operations, resource versions are stored as snowflake format
-	// but expectedPrevRV is in microsecond format, so we need to use IsRvEqual for comparison
+	// For KV backend operations, expectedPrevRV is now in snowflake format (returned by KV backend)
+	// but resource_history table stores microsecond RV, so we need to use IsRvEqual for comparison
 	if strings.Contains(record.Namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(record.PreviousResourceVersion, expectedPrevRV),
+		require.True(t, rvmanager.IsRvEqual(expectedPrevRV, record.PreviousResourceVersion),
 			"Previous resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedPrevRV, record.PreviousResourceVersion)
@@ -505,9 +517,10 @@ func verifyResourceHistoryRecord(t *testing.T, record ResourceHistoryRecord, exp
 	require.Equal(t, expectedGeneration, record.Generation)

 	// Validate resource_version
-	// For KV backend operations, resource versions are stored as snowflake format
+	// For KV backend operations, expectedRV is now in snowflake format (returned by KV backend)
+	// but resource_history table stores microsecond RV, so we need to use IsRvEqual for comparison
 	if strings.Contains(record.Namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(record.ResourceVersion, expectedRV),
+		require.True(t, rvmanager.IsRvEqual(expectedRV, record.ResourceVersion),
 			"Resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedRV, record.ResourceVersion)
@@ -574,7 +587,7 @@ func verifyResourceTable(t *testing.T, db sqldb.DB, namespace string, resources
 	// Resource version should match the expected version for test-resource-3 (updated version)
 	expectedRV := resourceVersions[2][1] // test-resource-3's update version
 	if strings.Contains(namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(record.ResourceVersion, expectedRV),
+		require.True(t, rvmanager.IsRvEqual(expectedRV, record.ResourceVersion),
 			"Resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedRV, record.ResourceVersion)
@@ -625,9 +638,16 @@ func verifyResourceVersionTable(t *testing.T, db sqldb.DB, namespace string, res

 	// The resource_version table should contain the latest RV for the group+resource
 	// It might be slightly higher due to RV manager operations, so check it's at least our max
-	require.GreaterOrEqual(t, record.ResourceVersion, maxRV, "resource_version should be at least the latest RV we tracked")
-	// But it shouldn't be too much higher (within a reasonable range)
-	require.LessOrEqual(t, record.ResourceVersion, maxRV+100, "resource_version shouldn't be much higher than expected")
+	// For KV backend, maxRV is in snowflake format but record.ResourceVersion is in microsecond format
+	// Use IsRvEqual for proper comparison between different RV formats
+	isKvBackend := strings.Contains(namespace, "-kv")
+	recordResourceVersion := record.ResourceVersion
+	if isKvBackend {
+		recordResourceVersion = rvmanager.SnowflakeFromRv(record.ResourceVersion)
+	}
+
+	require.Less(t, recordResourceVersion, int64(9223372036854775807), "resource_version should be reasonable")
+	require.Greater(t, recordResourceVersion, maxRV, "resource_version should be at least the latest RV we tracked")
 }

 // runTestCrossBackendConsistency tests basic consistency between SQL and KV backends (lightweight)
--- a/pkg/storage/unified/testing/storage_backend_test.go
+++ b/pkg/storage/unified/testing/storage_backend_test.go
@@ -38,7 +38,6 @@ func TestBadgerKVStorageBackend(t *testing.T) {

 func TestSQLKVStorageBackend(t *testing.T) {
 	skipTests := map[string]bool{
-		TestHappyPath:                 true,
 		TestWatchWriteEvents:          true,
 		TestList:                      true,
 		TestBlobSupport:               true,
@@ -51,21 +50,24 @@ func TestSQLKVStorageBackend(t *testing.T) {
 		TestGetResourceLastImportTime: true,
 		TestOptimisticLocking:         true,
 	}
-	// without RvManager
-	RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
-		backend, _ := NewTestSqlKvBackend(t, ctx, false)
-		return backend
-	}, &TestOptions{
-		NSPrefix:  "sqlkvstorage-test",
-		SkipTests: skipTests,
+
+	t.Run("Without RvManager", func(t *testing.T) {
+		RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
+			backend, _ := NewTestSqlKvBackend(t, ctx, false)
+			return backend
+		}, &TestOptions{
+			NSPrefix:  "sqlkvstorage-test",
+			SkipTests: skipTests,
+		})
 	})

-	// with RvManager
-	RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
-		backend, _ := NewTestSqlKvBackend(t, ctx, true)
-		return backend
-	}, &TestOptions{
-		NSPrefix:  "sqlkvstorage-withrvmanager-test",
-		SkipTests: skipTests,
+	t.Run("With RvManager", func(t *testing.T) {
+		RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
+			backend, _ := NewTestSqlKvBackend(t, ctx, true)
+			return backend
+		}, &TestOptions{
+			NSPrefix:  "sqlkvstorage-withrvmanager-test",
+			SkipTests: skipTests,
+		})
 	})
 }
--- a/pkg/tests/apis/helper.go
+++ b/pkg/tests/apis/helper.go
@@ -14,6 +14,7 @@ import (
 	"testing"
 	"time"

+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -207,6 +208,10 @@ func (c *K8sTestHelper) GetEnv() server.TestEnv {
 	return c.env
 }

+func (c *K8sTestHelper) SetGithubConnectionFactory(f githubConnection.GithubFactory) {
+	c.env.GithubConnectionFactory = f
+}
+
 func (c *K8sTestHelper) GetListenerAddress() string {
 	return c.listenerAddress
 }
--- a/pkg/tests/apis/openapi_snapshots/provisioning.grafana.app-v0alpha1.json
+++ b/pkg/tests/apis/openapi_snapshots/provisioning.grafana.app-v0alpha1.json
@@ -4559,7 +4559,7 @@
              }
            ]
          },
-          "webhook": {
+          "token": {
            "description": "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
            "default": {},
            "allOf": [
--- a/pkg/tests/apis/provisioning/connection_repositories_test.go
+++ b/pkg/tests/apis/provisioning/connection_repositories_test.go
@@ -2,13 +2,13 @@ package provisioning

 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"testing"

 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
@@ -20,7 +20,7 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {

 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -39,13 +39,12 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)

 	t.Run("endpoint returns not implemented", func(t *testing.T) {
 		var statusCode int
@@ -129,14 +128,14 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T

 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
 		"apiVersion": "provisioning.grafana.app/v0alpha1",
 		"kind":       "Connection",
 		"metadata": map[string]any{
-			"name":      "connection-repositories-type-test",
+			"name":      "connection-repositories-test",
 			"namespace": "default",
 		},
 		"spec": map[string]any{
@@ -148,13 +147,12 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)

 	t.Run("verify ExternalRepositoryList type exists in API", func(t *testing.T) {
 		// Verify the type is registered and can be instantiated
--- a/pkg/tests/apis/provisioning/connection_status_auth_test.go
+++ b/pkg/tests/apis/provisioning/connection_status_auth_test.go
@@ -2,12 +2,12 @@ package provisioning

 import (
 	"context"
+	"encoding/base64"
 	"net/http"
 	"testing"

 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	"github.com/grafana/grafana/pkg/util/testutil"
@@ -18,7 +18,7 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {

 	helper := runGrafana(t)
 	ctx := context.Background()
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -37,13 +37,12 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "someSecret",
+				"create": privateKeyBase64,
 			},
 		},
 	}}
-
-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-	require.NoError(t, err, "failed to create connection")
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	require.NoError(t, err)

 	t.Run("admin can GET connection status", func(t *testing.T) {
 		var statusCode int
--- a/pkg/tests/apis/provisioning/connection_test.go
+++ b/pkg/tests/apis/provisioning/connection_test.go
@@ -2,11 +2,20 @@ package provisioning

 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"errors"
+	"fmt"
+	"net/http"
 	"testing"
 	"time"

+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/go-github/v70/github"
+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
+	"github.com/grafana/grafana/pkg/extensions"
 	"github.com/grafana/grafana/pkg/util/testutil"
+	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -17,12 +26,55 @@ import (
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 )

+//nolint:gosec // Test RSA private key (generated for testing purposes only)
+const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
+MIIEoQIBAAKCAQBn1MuM5hIfH6d3TNStI1ofWv/gcjQ4joi9cFijEwVLuPYkF1nD
+KkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6m5T/sHfVSiEWAEUblh3cA34HVCmD
+cqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyjpKOXuojJ9wN9a17D2cYU5WkXjoDC
+4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7DA9T8yiZwIWPp5YesgsAPyQLCFPgM
+s77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQohUID0BIxE7G5quL069RuuCZWZkoF
+oPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmXAgMBAAECggEADSs4Bc7ITZo+Kytb
+bfol3AQ2n8jcRrANN7mgBE7NRSVYUouDnvUlbnCC2t3QXPwLdxQa11GkygLSQ2bg
+GeVDgq1o4GUJTcvxFlFCcpU/hEANI/DQsxNAQ/4wUGoLOlHaO3HPvwBblHA70gGe
+Ux/xpG+lMAFAiB0EHEwZ4M0mClBEOQv3NzaFTWuBHtIMS8eid7M1q5qz9+rCgZSL
+KBBHo0OvUbajG4CWl8SM6LUYapASGg+U17E+4xA3npwpIdsk+CbtX+vvX324n4kn
+0EkrJqCjv8M1KiCKAP+UxwP00ywxOg4PN+x+dHI/I7xBvEKe/x6BltVSdGA+PlUK
+02wagQKBgQDF7gdQLFIagPH7X7dBP6qEGxj/Ck9Qdz3S1gotPkVeq+1/UtQijYZ1
+j44up/0yB2B9P4kW091n+iWcyfoU5UwBua9dHvCZP3QH05LR1ZscUHxLGjDPBASt
+l2xSq0hqqNWBspb1M0eCY0Yxi65iDkj3xsI2iN35BEb1FlWdR5KGvwKBgQCGS0ce
+wASWbZIPU2UoKGOQkIJU6QmLy0KZbfYkpyfE8IxGttYVEQ8puNvDDNZWHNf+LP85
+c8iV6SfnWiLmu1XkG2YmJFBCCAWgJ8Mq2XQD8E+a/xcaW3NqlcC5+I2czX367j3r
+69wZSxRbzR+DCfOiIkrekJImwN183ZYy2cBbKQKBgFj86IrSMmO6H5Ft+j06u5ZD
+fJyF7Rz3T3NwSgkHWzbyQ4ggHEIgsRg/36P4YSzSBj6phyAdRwkNfUWdxXMJmH+a
+FU7frzqnPaqbJAJ1cBRt10QI1XLtkpDdaJVObvONTtjOC3LYiEkGCzQRYeiyFXpZ
+AU51gJ8JnkFotjtNR4KPAoGAehVREDlLcl0lnN0ZZspgyPk2Im6/iOA9KTH3xBZZ
+ZwWu4FIyiHA7spgk4Ep5R0ttZ9oMI3SIcw/EgONGOy8uw/HMiPwWIhEc3B2JpRiO
+CU6bb7JalFFyuQBudiHoyxVcY5PVovWF31CLr3DoJr4TR9+Y5H/U/XnzYCIo+w1N
+exECgYBFAGKYTIeGAvhIvD5TphLpbCyeVLBIq5hRyrdRY+6Iwqdr5PGvLPKwin5+
+4CDhWPW4spq8MYPCRiMrvRSctKt/7FhVGL2vE/0VY3TcLk14qLC+2+0lnPVgnYn
+u5/wOyuHp1cIBnjeN41/pluOWFBHI9xLW3ExLtmYMiecJ8VdRA==
+-----END RSA PRIVATE KEY-----`
+
+//nolint:gosec // Test RSA public key (generated for testing purposes only)
+const testPublicKeyPem = `-----BEGIN PUBLIC KEY-----
+MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBn1MuM5hIfH6d3TNStI1of
+Wv/gcjQ4joi9cFijEwVLuPYkF1nDKkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6
+m5T/sHfVSiEWAEUblh3cA34HVCmDcqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyj
+pKOXuojJ9wN9a17D2cYU5WkXjoDC4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7D
+A9T8yiZwIWPp5YesgsAPyQLCFPgMs77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQo
+hUID0BIxE7G5quL069RuuCZWZkoFoPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmX
+AgMBAAE=
+-----END PUBLIC KEY-----`
+
 func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 	testutil.SkipIntegrationTestInShortMode(t)

 	helper := runGrafana(t)
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+
+	decryptService := helper.GetEnv().DecryptService
+	require.NotNil(t, decryptService, "decrypt service not wired properly")

 	t.Run("should perform CRUDL requests on connection", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -41,12 +93,12 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		// CREATE
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		_, err := helper.CreateGithubConnection(t, ctx, connection)
 		require.NoError(t, err, "failed to create resource")

 		// READ
@@ -64,6 +116,22 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 		require.Contains(t, output.Object, "secure", "object should contain secure")
 		assert.Contains(t, output.Object["secure"], "privateKey", "secure should contain PrivateKey")

+		// Verifying token
+		assert.Contains(t, output.Object["secure"], "token", "token should be created")
+		secretName, found, err := unstructured.NestedString(output.Object, "secure", "token", "name")
+		require.NoError(t, err, "error getting secret name")
+		require.True(t, found, "secret name should exist: %v", output.Object)
+		decrypted, err := decryptService.Decrypt(ctx, "provisioning.grafana.app", output.GetNamespace(), secretName)
+		require.NoError(t, err, "decryption error")
+		require.Len(t, decrypted, 1)
+
+		val := decrypted[secretName].Value()
+		require.NotNil(t, val)
+		k := val.DangerouslyExposeAndConsumeValue()
+		valid, err := verifyToken(t, "123456", testPublicKeyPem, k)
+		require.NoError(t, err, "error verifying token: %s", k)
+		require.True(t, valid, "token should be valid: %s", k)
+
 		// LIST
 		list, err := helper.Connections.Resource.List(ctx, metav1.ListOptions{})
 		require.NoError(t, err, "failed to list resource")
@@ -81,22 +149,22 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			"spec": map[string]any{
 				"type": "github",
 				"github": map[string]any{
-					"appID":          "456789",
-					"installationID": "454545",
+					"appID":          "123456",
+					"installationID": "454546",
 				},
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
-		res, err := helper.Connections.Resource.Update(ctx, updatedConnection, metav1.UpdateOptions{})
+		res, err := helper.UpdateGithubConnection(t, ctx, updatedConnection)
 		require.NoError(t, err, "failed to update resource")
 		spec = res.Object["spec"].(map[string]any)
 		require.Contains(t, spec, "github")
 		githubInfo = spec["github"].(map[string]any)
-		assert.Equal(t, "456789", githubInfo["appID"], "appID should be updated")
+		assert.Equal(t, "454546", githubInfo["installationID"], "installationID should be updated")

 		// DELETE
 		require.NoError(t, helper.Connections.Resource.Delete(ctx, "connection", metav1.DeleteOptions{}), "failed to delete resource")
@@ -122,7 +190,7 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
@@ -155,9 +223,12 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 }

 func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
+	testutil.SkipIntegrationTestInShortMode(t)
+
 	helper := runGrafana(t)
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	t.Run("should fail when type is empty", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -172,13 +243,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "type must be specified")
+		assert.Contains(t, err.Error(), "connection type \"\" is not supported")
 	})

 	t.Run("should fail when type is invalid", func(t *testing.T) {
@@ -194,13 +265,57 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "spec.type: Unsupported value: \"some-invalid-type\"")
+		assert.Contains(t, err.Error(), "connection type \"some-invalid-type\" is not supported")
+	})
+
+	t.Run("should fail when type is 'git'", func(t *testing.T) {
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "git",
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "connection type \"git\" is not supported")
+	})
+
+	t.Run("should fail when type is 'local'", func(t *testing.T) {
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "local",
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "connection type \"local\" is not supported")
 	})

 	t.Run("should fail when type is github but 'github' field is not there", func(t *testing.T) {
@@ -216,13 +331,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "github info must be specified for GitHub connection")
+		assert.Contains(t, err.Error(), "invalid github connection")
 	})

 	t.Run("should fail when type is github but private key is not there", func(t *testing.T) {
@@ -246,7 +361,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "privateKey must be specified for GitHub connection")
 	})

-	t.Run("should fail when type is github but a client Secret is specified", func(t *testing.T) {
+	t.Run("should fail when type is github but a client Secret is also specified", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
 			"kind":       "Connection",
@@ -263,7 +378,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "someSecret",
+					"create": privateKeyBase64,
 				},
 				"clientSecret": map[string]any{
 					"create": "someSecret",
@@ -275,6 +390,100 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "clientSecret is forbidden in GitHub connection")
 	})

+	t.Run("should fail when type is github and github API is unavailable", func(t *testing.T) {
+		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+		connectionFactory.Client = ghmock.NewMockedHTTPClient(
+			ghmock.WithRequestMatchHandler(
+				ghmock.GetApp,
+				http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+					w.WriteHeader(http.StatusServiceUnavailable)
+					require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
+						Response: &http.Response{
+							StatusCode: http.StatusServiceUnavailable,
+						},
+						Message: "Service unavailable",
+					}))
+				}),
+			),
+		)
+		helper.SetGithubConnectionFactory(connectionFactory)
+
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "github",
+				"github": map[string]any{
+					"appID":          "123456",
+					"installationID": "454545",
+				},
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "spec.token: Internal error: github is unavailable")
+	})
+
+	t.Run("should fail when type is github and returned app ID doesn't match given one", func(t *testing.T) {
+		var appID int64 = 123455
+		appSlug := "appSlug"
+		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+		connectionFactory.Client = ghmock.NewMockedHTTPClient(
+			ghmock.WithRequestMatch(
+				ghmock.GetApp, github.App{
+					ID:   &appID,
+					Slug: &appSlug,
+				},
+			),
+		)
+		helper.SetGithubConnectionFactory(connectionFactory)
+
+		connection := &unstructured.Unstructured{Object: map[string]any{
+			"apiVersion": "provisioning.grafana.app/v0alpha1",
+			"kind":       "Connection",
+			"metadata": map[string]any{
+				"name":      "connection",
+				"namespace": "default",
+			},
+			"spec": map[string]any{
+				"type": "github",
+				"github": map[string]any{
+					"appID":          "123456",
+					"installationID": "454545",
+				},
+			},
+			"secure": map[string]any{
+				"privateKey": map[string]any{
+					"create": privateKeyBase64,
+				},
+			},
+		}}
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+		require.Error(t, err, "failed to create resource")
+		assert.Contains(t, err.Error(), "spec.appID: Invalid value: \"123456\": appID mismatch")
+	})
+}
+
+func TestIntegrationProvisioning_ConnectionEnterpriseValidation(t *testing.T) {
+	testutil.SkipIntegrationTestInShortMode(t)
+
+	if !extensions.IsEnterprise {
+		t.Skip("Skipping integration test when not enterprise")
+	}
+
+	helper := runGrafana(t)
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	ctx := context.Background()
+
 	t.Run("should fail when type is bitbucket but 'bitbucket' field is not there", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
@@ -294,7 +503,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "bitbucket info must be specified in Bitbucket connection")
+		assert.Contains(t, err.Error(), "invalid bitbucket connection")
 	})

 	t.Run("should fail when type is bitbucket but client secret is not there", func(t *testing.T) {
@@ -364,7 +573,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "gitlab info must be specified in Gitlab connection")
+		assert.Contains(t, err.Error(), "invalid gitlab connection")
 	})

 	t.Run("should fail when type is gitlab but client secret is not there", func(t *testing.T) {
@@ -428,6 +637,7 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 	provisioningClient, err := clientset.NewForConfig(restConfig)
 	require.NoError(t, err)
 	connClient := provisioningClient.ProvisioningV0alpha1().Connections(namespace)
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	t.Run("health check gets updated after initial creation", func(t *testing.T) {
 		// Create a connection using unstructured (like other connection tests)
@@ -447,12 +657,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "test-private-key",
+					"create": privateKeyBase64,
 				},
 			},
 		}}

-		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
+		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)

@@ -501,12 +711,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": "test-private-key-2",
+					"create": privateKeyBase64,
 				},
 			},
 		}}

-		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
+		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)

@@ -538,7 +748,7 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 		updatedUnstructured := latestUnstructured.DeepCopy()
 		githubSpec := updatedUnstructured.Object["spec"].(map[string]any)["github"].(map[string]any)
 		githubSpec["appID"] = "99999"
-		_, err = helper.Connections.Resource.Update(ctx, updatedUnstructured, metav1.UpdateOptions{})
+		_, err = helper.UpdateGithubConnection(t, ctx, updatedUnstructured)
 		require.NoError(t, err)

 		// Wait for reconciliation after spec change
@@ -566,6 +776,7 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 	helper := runGrafana(t)
 	ctx := context.Background()
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
+	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	// Create a connection first
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -584,12 +795,12 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": "test-private-key",
+				"create": privateKeyBase64,
 			},
 		},
 	}}

-	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+	_, err := helper.CreateGithubConnection(t, ctx, connection)
 	require.NoError(t, err, "failed to create connection")

 	t.Cleanup(func() {
@@ -731,3 +942,27 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		assert.Contains(t, names, "repo-with-different-connection")
 	})
 }
+
+func verifyToken(t *testing.T, appID, publicKey, token string) (bool, error) {
+	t.Helper()
+
+	// Parse the private key
+	key, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKey))
+	if err != nil {
+		return false, err
+	}
+
+	parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (any, error) {
+		return key, nil
+	}, jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}))
+	if err != nil {
+		return false, err
+	}
+
+	claims, ok := parsedToken.Claims.(jwt.MapClaims)
+	if !ok || !parsedToken.Valid {
+		return false, fmt.Errorf("invalid token")
+	}
+
+	return claims.VerifyIssuer(appID, true), nil
+}
--- a/pkg/tests/apis/provisioning/helper_test.go
+++ b/pkg/tests/apis/provisioning/helper_test.go
@@ -10,11 +10,14 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 	"text/template"
 	"time"

+	"github.com/google/go-github/v70/github"
+	"github.com/grafana/grafana/pkg/extensions"
 	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -30,6 +33,7 @@ import (
 	dashboardsV2beta1 "github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v2beta1"
 	folder "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	grafanarest "github.com/grafana/grafana/pkg/apiserver/rest"
 	"github.com/grafana/grafana/pkg/registry/apis/provisioning/jobs"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -699,13 +703,18 @@ func runGrafana(t *testing.T, options ...grafanaOption) *provisioningTestHelper
 		// (instance is needed for export jobs, folder for most operations)
 		ProvisioningAllowedTargets: []string{"folder", "instance"},
 	}
+
+	if extensions.IsEnterprise {
+		opts.ProvisioningRepositoryTypes = []string{"local", "github", "gitlab", "bitbucket"}
+	}
+
 	for _, o := range options {
 		o(&opts)
 	}
 	helper := apis.NewK8sTestHelper(t, opts)

-	// FIXME: keeping this line here to keep the dependency around until we have tests which use this again.
-	helper.GetEnv().GitHubFactory.Client = ghmock.NewMockedHTTPClient()
+	// FIXME: keeping these lines here to keep the dependency around until we have tests which use this again.
+	helper.GetEnv().GithubRepoFactory.Client = ghmock.NewMockedHTTPClient()

 	repositories := helper.GetResourceClient(apis.ResourceClientArgs{
 		User:      helper.Org1.Admin,
@@ -973,6 +982,79 @@ func (h *provisioningTestHelper) CleanupAllRepos(t *testing.T) {
 	}, waitTimeoutDefault, waitIntervalDefault, "repositories should be cleaned up between subtests")
 }

+func (h *provisioningTestHelper) CreateGithubConnection(
+	t *testing.T,
+	ctx context.Context,
+	connection *unstructured.Unstructured,
+) (*unstructured.Unstructured, error) {
+	t.Helper()
+
+	err := h.setGithubClient(t, connection)
+	if err != nil {
+		return nil, err
+	}
+
+	return h.Connections.Resource.Create(ctx, connection, metav1.CreateOptions{FieldValidation: "Strict"})
+}
+
+func (h *provisioningTestHelper) UpdateGithubConnection(
+	t *testing.T,
+	ctx context.Context,
+	connection *unstructured.Unstructured,
+) (*unstructured.Unstructured, error) {
+	t.Helper()
+
+	err := h.setGithubClient(t, connection)
+	if err != nil {
+		return nil, err
+	}
+
+	return h.Connections.Resource.Update(ctx, connection, metav1.UpdateOptions{FieldValidation: "Strict"})
+}
+
+func (h *provisioningTestHelper) setGithubClient(t *testing.T, connection *unstructured.Unstructured) error {
+	t.Helper()
+
+	objectSpec := connection.Object["spec"].(map[string]interface{})
+	githubObj := objectSpec["github"].(map[string]interface{})
+	appID := githubObj["appID"].(string)
+	id, err := strconv.ParseInt(appID, 10, 64)
+	if err != nil {
+		return err
+	}
+
+	appSlug := "someSlug"
+	connectionFactory := h.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
+	connectionFactory.Client = ghmock.NewMockedHTTPClient(
+		ghmock.WithRequestMatchHandler(
+			ghmock.GetApp,
+			http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(http.StatusOK)
+				app := github.App{
+					ID:   &id,
+					Slug: &appSlug,
+				}
+				_, _ = w.Write(ghmock.MustMarshal(app))
+			}),
+		),
+		ghmock.WithRequestMatchHandler(
+			ghmock.GetAppInstallationsByInstallationId,
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				id := r.URL.Query().Get("installation_id")
+				idInt, _ := strconv.ParseInt(id, 10, 64)
+				w.WriteHeader(http.StatusOK)
+				installation := github.Installation{
+					ID: &idInt,
+				}
+				_, _ = w.Write(ghmock.MustMarshal(installation))
+			}),
+		),
+	)
+	h.SetGithubConnectionFactory(connectionFactory)
+
+	return nil
+}
+
 func postHelper(t *testing.T, helper apis.K8sTestHelper, path string, body interface{}, user apis.User) (map[string]interface{}, int, error) {
 	return requestHelper(t, helper, http.MethodPost, path, body, user)
 }
--- a/pkg/tests/apis/provisioning/repository_test.go
+++ b/pkg/tests/apis/provisioning/repository_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 	"time"

+	"github.com/grafana/grafana/pkg/extensions"
 	provisioningAPIServer "github.com/grafana/grafana/pkg/registry/apis/provisioning"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -149,10 +150,19 @@ func TestIntegrationProvisioning_CreatingAndGetting(t *testing.T) {
 				}
 			}

-			assert.ElementsMatch(collect, []provisioning.RepositoryType{
-				provisioning.LocalRepositoryType,
-				provisioning.GitHubRepositoryType,
-			}, settings.AvailableRepositoryTypes)
+			if extensions.IsEnterprise {
+				assert.ElementsMatch(collect, []provisioning.RepositoryType{
+					provisioning.LocalRepositoryType,
+					provisioning.GitHubRepositoryType,
+					provisioning.BitbucketRepositoryType,
+					provisioning.GitLabRepositoryType,
+				}, settings.AvailableRepositoryTypes)
+			} else {
+				assert.ElementsMatch(collect, []provisioning.RepositoryType{
+					provisioning.LocalRepositoryType,
+					provisioning.GitHubRepositoryType,
+				}, settings.AvailableRepositoryTypes)
+			}
 		}, time.Second*10, time.Millisecond*100, "Expected settings to match")
 	})

--- a/pkg/tests/testinfra/testinfra.go
+++ b/pkg/tests/testinfra/testinfra.go
@@ -622,6 +622,12 @@ func CreateGrafDir(t *testing.T, opts GrafanaOpts) (string, string) {
 		_, err = provisioningSect.NewKey("allowed_targets", strings.Join(opts.ProvisioningAllowedTargets, "|"))
 		require.NoError(t, err)
 	}
+	if len(opts.ProvisioningRepositoryTypes) > 0 {
+		provisioningSect, err := getOrCreateSection("provisioning")
+		require.NoError(t, err)
+		_, err = provisioningSect.NewKey("repository_types", strings.Join(opts.ProvisioningRepositoryTypes, "|"))
+		require.NoError(t, err)
+	}
 	if opts.EnableSCIM {
 		scimSection, err := getOrCreateSection("auth.scim")
 		require.NoError(t, err)
@@ -731,6 +737,7 @@ type GrafanaOpts struct {
 	UnifiedStorageMaxPageSizeBytes        int
 	PermittedProvisioningPaths            string
 	ProvisioningAllowedTargets            []string
+	ProvisioningRepositoryTypes           []string
 	GrafanaComSSOAPIToken                 string
 	LicensePath                           string
 	EnableRecordingRules                  bool
--- a/public/app/core/components/AppChrome/MegaMenu/MegaMenu.tsx
+++ b/public/app/core/components/AppChrome/MegaMenu/MegaMenu.tsx
@@ -37,9 +37,24 @@ export const MegaMenu = memo(
    const pinnedItems = usePinnedItems();

    // Remove profile + help from tree
+    // For Alerting navigation, flatten the sidebar to show only top-level items (hide nested children/tabs)
    const navItems = navTree
      .filter((item) => item.id !== 'profile' && item.id !== 'help')
-      .map((item) => enrichWithInteractionTracking(item, state.megaMenuDocked));
+      .map((item) => {
+        const enriched = enrichWithInteractionTracking(item, state.megaMenuDocked);
+        // If this is Alerting section, flatten children for sidebar display
+        // Children are still available in navIndex for breadcrumbs and page navigation
+        if (item.id === 'alerting' && enriched.children) {
+          return {
+            ...enriched,
+            children: enriched.children.map((child) => ({
+              ...child,
+              children: undefined, // Remove nested children from sidebar, but keep them for page navigation
+            })),
+          };
+        }
+        return enriched;
+      });

    const bookmarksItem = navItems.find((item) => item.id === 'bookmarks');
    if (bookmarksItem) {
--- a/public/app/core/components/Breadcrumbs/utils.ts
+++ b/public/app/core/components/Breadcrumbs/utils.ts
@@ -35,11 +35,18 @@ export function buildBreadcrumbs(sectionNav: NavModelItem, pageNav?: NavModelIte

    if (shouldAddCrumb) {
      const activeChildIndex = node.children?.findIndex((child) => child.active) ?? -1;
-      // Add tab to breadcrumbs if it's not the first active child
-      if (activeChildIndex > 0) {
+      // Add active tab to breadcrumbs if it exists and its URL is different from the node's URL
+      // This ensures tabs show in breadcrumbs (including the first tab) while preventing duplication
+      if (activeChildIndex >= 0) {
        const activeChild = node.children?.[activeChildIndex];
        if (activeChild) {
-          crumbs.unshift({ text: activeChild.text, href: activeChild.url ?? '' });
+          // Only add the active child if its URL doesn't match the node's URL
+          // This prevents duplication when the pageNav is the active tab
+          const nodeUrl = node.url?.split('?')[0] ?? '';
+          const childUrl = activeChild.url?.split('?')[0] ?? '';
+          if (nodeUrl !== childUrl) {
+            crumbs.unshift({ text: activeChild.text, href: activeChild.url ?? '' });
+          }
        }
      }
      crumbs.unshift({ text: node.text, href: node.url ?? '' });
--- a/public/app/features/alerting/routes.tsx
+++ b/public/app/features/alerting/routes.tsx
@@ -56,6 +56,17 @@ export function getAlertingRoutes(cfg = config): RouteDescriptor[] {
          )
      ),
    },
+    {
+      path: '/alerting/time-intervals',
+      roles: evaluateAccess([
+        AccessControlAction.AlertingNotificationsRead,
+        AccessControlAction.AlertingNotificationsExternalRead,
+        ...PERMISSIONS_TIME_INTERVALS_READ,
+      ]),
+      component: importAlertingComponent(
+        () => import(/* webpackChunkName: "TimeIntervalsPage" */ 'app/features/alerting/unified/TimeIntervalsPage')
+      ),
+    },
    {
      path: '/alerting/routes/mute-timing/new',
      roles: evaluateAccess([
@@ -212,6 +223,13 @@ export function getAlertingRoutes(cfg = config): RouteDescriptor[] {
          )
      ),
    },
+    {
+      path: '/alerting/insights',
+      roles: evaluateAccess([AccessControlAction.AlertingRuleRead, AccessControlAction.AlertingRuleExternalRead]),
+      component: importAlertingComponent(
+        () => import(/* webpackChunkName: "InsightsPage" */ 'app/features/alerting/unified/insights/InsightsPage')
+      ),
+    },
    {
      path: '/alerting/recently-deleted/',
      roles: () => ['Admin'],
--- a/public/app/features/alerting/unified/AlertGroups.tsx
+++ b/public/app/features/alerting/unified/AlertGroups.tsx
@@ -14,6 +14,7 @@ import { AlertGroupFilter } from './components/alert-groups/AlertGroupFilter';
 import { useFilteredAmGroups } from './hooks/useFilteredAmGroups';
 import { useGroupedAlerts } from './hooks/useGroupedAlerts';
 import { useUnifiedAlertingSelector } from './hooks/useUnifiedAlertingSelector';
+import { useAlertActivityNav } from './navigation/useAlertActivityNav';
 import { useAlertmanager } from './state/AlertmanagerContext';
 import { fetchAlertGroupsAction } from './state/actions';
 import { NOTIFICATIONS_POLL_INTERVAL_MS } from './utils/constants';
@@ -113,8 +114,9 @@ const AlertGroups = () => {
 };

 function AlertGroupsPage() {
+  const { navId, pageNav } = useAlertActivityNav();
  return (
-    <AlertmanagerPageWrapper navId="groups" accessType="instance">
+    <AlertmanagerPageWrapper navId={navId || 'groups'} pageNav={pageNav} accessType="instance">
      <AlertGroups />
    </AlertmanagerPageWrapper>
  );
--- a/public/app/features/alerting/unified/NotificationPoliciesPage.test.tsx
+++ b/public/app/features/alerting/unified/NotificationPoliciesPage.test.tsx
@@ -140,6 +140,35 @@ const getRootRoute = async () => {
 };

 describe('NotificationPolicies', () => {
+  beforeEach(() => {
+    setupDataSources(dataSources.am);
+    grantUserPermissions([
+      AccessControlAction.AlertingNotificationsRead,
+      AccessControlAction.AlertingNotificationsWrite,
+      ...PERMISSIONS_NOTIFICATION_POLICIES,
+    ]);
+  });
+
+  it('shows only notification policies without internal tabs', async () => {
+    renderNotificationPolicies();
+
+    // Should show notification policies directly
+    expect(await ui.rootRouteContainer.find()).toBeInTheDocument();
+
+    // Should not have tabs
+    expect(screen.queryByRole('tab')).not.toBeInTheDocument();
+  });
+
+  it('does not show time intervals tab', async () => {
+    renderNotificationPolicies();
+
+    // Should show notification policies
+    expect(await ui.rootRouteContainer.find()).toBeInTheDocument();
+
+    // Should not show time intervals tab
+    expect(screen.queryByText(/time intervals/i)).not.toBeInTheDocument();
+  });
+
  // combobox hack :/
  beforeAll(() => {
    const mockGetBoundingClientRect = jest.fn(() => ({
--- a/public/app/features/alerting/unified/NotificationPoliciesPage.tsx
+++ b/public/app/features/alerting/unified/NotificationPoliciesPage.tsx
@@ -1,115 +1,29 @@
-import { css } from '@emotion/css';
-import { useState } from 'react';
-
-import { GrafanaTheme2, UrlQueryMap } from '@grafana/data';
-import { t } from '@grafana/i18n';
-import { Tab, TabContent, TabsBar, useStyles2 } from '@grafana/ui';
-import { useQueryParams } from 'app/core/hooks/useQueryParams';
-import { useMuteTimings } from 'app/features/alerting/unified/components/mute-timings/useMuteTimings';
 import { NotificationPoliciesList } from 'app/features/alerting/unified/components/notification-policies/NotificationPoliciesList';
-import { AlertmanagerAction, useAlertmanagerAbility } from 'app/features/alerting/unified/hooks/useAbilities';

 import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
 import { GrafanaAlertmanagerWarning } from './components/GrafanaAlertmanagerWarning';
-import { TimeIntervalsTable } from './components/mute-timings/MuteTimingsTable';
+import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
 import { useAlertmanager } from './state/AlertmanagerContext';
 import { withPageErrorBoundary } from './withPageErrorBoundary';

-enum ActiveTab {
-  NotificationPolicies = 'notification_policies',
-  TimeIntervals = 'time_intervals',
-}
-
-const NotificationPoliciesTabs = () => {
-  const styles = useStyles2(getStyles);
-
-  // Alertmanager logic and data hooks
+const NotificationPoliciesContent = () => {
  const { selectedAlertmanager = '' } = useAlertmanager();
-  const [policiesSupported, canSeePoliciesTab] = useAlertmanagerAbility(AlertmanagerAction.ViewNotificationPolicyTree);
-  const [timingsSupported, canSeeTimingsTab] = useAlertmanagerAbility(AlertmanagerAction.ViewTimeInterval);
-  const availableTabs = [
-    canSeePoliciesTab && ActiveTab.NotificationPolicies,
-    canSeeTimingsTab && ActiveTab.TimeIntervals,
-  ].filter((tab) => !!tab);
-  const { data: muteTimings = [] } = useMuteTimings({
-    alertmanager: selectedAlertmanager,
-    skip: !canSeeTimingsTab,
-  });
-
-  // Tab state management
-  const [queryParams, setQueryParams] = useQueryParams();
-  const { tab } = getActiveTabFromUrl(queryParams, availableTabs[0]);
-  const [activeTab, setActiveTab] = useState<ActiveTab>(tab);
-
-  const muteTimingsTabActive = activeTab === ActiveTab.TimeIntervals;
-  const policyTreeTabActive = activeTab === ActiveTab.NotificationPolicies;
-
-  const numberOfMuteTimings = muteTimings.length;
-
  return (
    <>
      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager} />
-      <TabsBar>
-        {policiesSupported && canSeePoliciesTab && (
-          <Tab
-            label={t('alerting.notification-policies-tabs.label-notification-policies', 'Notification Policies')}
-            active={policyTreeTabActive}
-            onChangeTab={() => {
-              setActiveTab(ActiveTab.NotificationPolicies);
-              setQueryParams({ tab: ActiveTab.NotificationPolicies });
-            }}
-          />
-        )}
-        {timingsSupported && canSeeTimingsTab && (
-          <Tab
-            label={t('alerting.notification-policies-tabs.label-time-intervals', 'Time intervals')}
-            active={muteTimingsTabActive}
-            counter={numberOfMuteTimings}
-            onChangeTab={() => {
-              setActiveTab(ActiveTab.TimeIntervals);
-              setQueryParams({ tab: ActiveTab.TimeIntervals });
-            }}
-          />
-        )}
-      </TabsBar>
-      <TabContent className={styles.tabContent}>
-        {policyTreeTabActive && <NotificationPoliciesList />}
-        {muteTimingsTabActive && <TimeIntervalsTable />}
-      </TabContent>
+      <NotificationPoliciesList />
    </>
  );
 };

-const getStyles = (theme: GrafanaTheme2) => ({
-  tabContent: css({
-    marginTop: theme.spacing(2),
-  }),
-});
-
-interface QueryParamValues {
-  tab: ActiveTab;
-}
-
-function getActiveTabFromUrl(queryParams: UrlQueryMap, defaultTab: ActiveTab): QueryParamValues {
-  let tab = defaultTab;
-
-  if (queryParams.tab === ActiveTab.NotificationPolicies) {
-    tab = ActiveTab.NotificationPolicies;
-  }
-
-  if (queryParams.tab === ActiveTab.TimeIntervals) {
-    tab = ActiveTab.TimeIntervals;
-  }
-
-  return {
-    tab,
-  };
-}
-
 function NotificationPoliciesPage() {
+  const { navId, pageNav } = useNotificationConfigNav();
+
+  // Show only notification policies (no internal tabs)
+  // Time intervals are accessible via the sidebar navigation
  return (
-    <AlertmanagerPageWrapper navId="am-routes" accessType="notification">
-      <NotificationPoliciesTabs />
+    <AlertmanagerPageWrapper navId={navId || 'am-routes'} pageNav={pageNav} accessType="notification">
+      <NotificationPoliciesContent />
    </AlertmanagerPageWrapper>
  );
 }
--- a/public/app/features/alerting/unified/Templates.tsx
+++ b/public/app/features/alerting/unified/Templates.tsx
@@ -1,13 +1,52 @@
 import { Route, Routes } from 'react-router-dom-v5-compat';

+import { Trans } from '@grafana/i18n';
+import { LinkButton, Stack, Text } from '@grafana/ui';
+
+import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
 import DuplicateMessageTemplate from './components/contact-points/DuplicateMessageTemplate';
 import EditMessageTemplate from './components/contact-points/EditMessageTemplate';
 import NewMessageTemplate from './components/contact-points/NewMessageTemplate';
+import { NotificationTemplates } from './components/contact-points/NotificationTemplates';
+import { AlertmanagerAction, useAlertmanagerAbility } from './hooks/useAbilities';
+import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
 import { withPageErrorBoundary } from './withPageErrorBoundary';

-function NotificationTemplates() {
+const TemplatesList = () => {
+  const [createTemplateSupported, createTemplateAllowed] = useAlertmanagerAbility(
+    AlertmanagerAction.CreateNotificationTemplate
+  );
+
+  return (
+    <>
+      <Stack direction="row" alignItems="center" justifyContent="space-between">
+        <Text variant="body" color="secondary">
+          <Trans i18nKey="alerting.notification-templates-tab.create-notification-templates-customize-notifications">
+            Create notification templates to customize your notifications.
+          </Trans>
+        </Text>
+        {createTemplateSupported && (
+          <LinkButton
+            icon="plus"
+            variant="primary"
+            href="/alerting/notifications/templates/new"
+            disabled={!createTemplateAllowed}
+          >
+            <Trans i18nKey="alerting.notification-templates-tab.add-notification-template-group">
+              Add notification template group
+            </Trans>
+          </LinkButton>
+        )}
+      </Stack>
+      <NotificationTemplates />
+    </>
+  );
+};
+
+function NotificationTemplatesRoutes() {
  return (
    <Routes>
+      <Route path="" element={<TemplatesList />} />
      <Route path="new" element={<NewMessageTemplate />} />
      <Route path=":name/edit" element={<EditMessageTemplate />} />
      <Route path=":name/duplicate" element={<DuplicateMessageTemplate />} />
@@ -15,4 +54,14 @@ function NotificationTemplates() {
  );
 }

-export default withPageErrorBoundary(NotificationTemplates);
+function NotificationTemplatesPage() {
+  const { navId, pageNav } = useNotificationConfigNav();
+
+  return (
+    <AlertmanagerPageWrapper navId={navId || 'receivers'} pageNav={pageNav} accessType="notification">
+      <NotificationTemplatesRoutes />
+    </AlertmanagerPageWrapper>
+  );
+}
+
+export default withPageErrorBoundary(NotificationTemplatesPage);
--- a/public/app/features/alerting/unified/TimeIntervalsPage.test.tsx
+++ b/public/app/features/alerting/unified/TimeIntervalsPage.test.tsx
@@ -0,0 +1,65 @@
+import { render, screen } from 'test/test-utils';
+
+import { configureStore } from 'app/store/configureStore';
+import { AccessControlAction } from 'app/types/accessControl';
+
+import TimeIntervalsPage from './TimeIntervalsPage';
+import { defaultConfig } from './components/mute-timings/mocks';
+import { setupMswServer } from './mockApi';
+import { grantUserPermissions, mockDataSource } from './mocks';
+import { setTimeIntervalsListEmpty } from './mocks/server/configure';
+import { setAlertmanagerConfig } from './mocks/server/entities/alertmanagers';
+import { setupDataSources } from './testSetup/datasources';
+import { DataSourceType, GRAFANA_RULES_SOURCE_NAME } from './utils/datasource';
+
+setupMswServer();
+
+const alertManager = mockDataSource({
+  name: 'Alertmanager',
+  type: DataSourceType.Alertmanager,
+});
+
+describe('TimeIntervalsPage', () => {
+  beforeEach(() => {
+    setupDataSources(alertManager);
+    setAlertmanagerConfig(GRAFANA_RULES_SOURCE_NAME, defaultConfig);
+    setTimeIntervalsListEmpty(); // Mock empty time intervals list so component renders
+    grantUserPermissions([
+      AccessControlAction.AlertingNotificationsRead,
+      AccessControlAction.AlertingTimeIntervalsRead,
+    ]);
+  });
+
+  it('renders time intervals table', async () => {
+    const mockNavIndex = {
+      'notification-config': {
+        id: 'notification-config',
+        text: 'Notification configuration',
+        url: '/alerting/notifications',
+      },
+      'notification-config-time-intervals': {
+        id: 'notification-config-time-intervals',
+        text: 'Time intervals',
+        url: '/alerting/time-intervals',
+      },
+    };
+    const store = configureStore({
+      navIndex: mockNavIndex,
+    });
+
+    render(<TimeIntervalsPage />, {
+      store,
+      historyOptions: {
+        initialEntries: ['/alerting/time-intervals'],
+      },
+    });
+
+    // Should show time intervals content
+    // When empty, it shows "You haven't created any time intervals yet"
+    // When loading, it shows "Loading time intervals..."
+    // When error, it shows "Error loading time intervals"
+    // All contain "time intervals" - use getAllByText since there are multiple matches (tab, description, empty state)
+    const timeIntervalsTexts = await screen.findAllByText(/time intervals/i, {}, { timeout: 5000 });
+    expect(timeIntervalsTexts.length).toBeGreaterThan(0);
+  });
+});
--- a/public/app/features/alerting/unified/TimeIntervalsPage.tsx
+++ b/public/app/features/alerting/unified/TimeIntervalsPage.tsx
@@ -0,0 +1,31 @@
+import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
+import { GrafanaAlertmanagerWarning } from './components/GrafanaAlertmanagerWarning';
+import { TimeIntervalsTable } from './components/mute-timings/MuteTimingsTable';
+import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
+import { useAlertmanager } from './state/AlertmanagerContext';
+import { withPageErrorBoundary } from './withPageErrorBoundary';
+
+// Content component that uses AlertmanagerContext
+// This must be rendered within AlertmanagerPageWrapper
+function TimeIntervalsPageContent() {
+  const { selectedAlertmanager } = useAlertmanager();
+
+  return (
+    <>
+      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager!} />
+      <TimeIntervalsTable />
+    </>
+  );
+}
+
+function TimeIntervalsPage() {
+  const { navId, pageNav } = useNotificationConfigNav();
+
+  return (
+    <AlertmanagerPageWrapper navId={navId || 'am-routes'} pageNav={pageNav} accessType="notification">
+      <TimeIntervalsPageContent />
+    </AlertmanagerPageWrapper>
+  );
+}
+
+export default withPageErrorBoundary(TimeIntervalsPage);
--- a/public/app/features/alerting/unified/components/contact-points/ContactPoints.test.tsx
+++ b/public/app/features/alerting/unified/components/contact-points/ContactPoints.test.tsx
@@ -170,6 +170,26 @@ describe('contact points', () => {
      });
    });

+    test('shows only contact points without internal tabs', async () => {
+      renderWithProvider(<ContactPointsPageContents />);
+
+      // Should show contact points directly
+      expect(await screen.findByText(/create contact point/i)).toBeInTheDocument();
+
+      // Should not have tabs
+      expect(screen.queryByRole('tab')).not.toBeInTheDocument();
+    });
+
+    test('does not show templates tab', async () => {
+      renderWithProvider(<ContactPointsPageContents />);
+
+      // Should show contact points
+      expect(await screen.findByText(/create contact point/i)).toBeInTheDocument();
+
+      // Should not show templates tab
+      expect(screen.queryByText(/notification templates/i)).not.toBeInTheDocument();
+    });
+
    describe('templates tab', () => {
      it('does not show a warning for a "misconfigured" template', async () => {
        renderWithProvider(
@@ -258,14 +278,6 @@ describe('contact points', () => {
      // there should be view buttons though - one for provisioned, and one for the un-editable contact point
      const viewButtons = screen.getAllByRole('link', { name: /^view$/i });
      expect(viewButtons).toHaveLength(2);
-
-      // check buttons in Notification Templates
-      const notificationTemplatesTab = screen.getByRole('tab', { name: 'Notification Templates' });
-      await user.click(notificationTemplatesTab);
-      expect(screen.getByRole('link', { name: 'Add notification template group' })).toHaveAttribute(
-        'aria-disabled',
-        'true'
-      );
    });

    it('allows deleting when not disabled', async () => {
@@ -470,11 +482,6 @@ describe('contact points', () => {
      const viewButton = screen.getByRole('link', { name: /^view$/i });
      expect(viewButton).toBeInTheDocument();
      expect(viewButton).toBeEnabled();
-
-      // check buttons in Notification Templates
-      const notificationTemplatesTab = screen.getByRole('tab', { name: 'Notification Templates' });
-      await user.click(notificationTemplatesTab);
-      expect(screen.queryByRole('link', { name: 'Add notification template group' })).not.toBeInTheDocument();
    });
  });

--- a/public/app/features/alerting/unified/components/contact-points/ContactPoints.tsx
+++ b/public/app/features/alerting/unified/components/contact-points/ContactPoints.tsx
@@ -1,19 +1,5 @@
-import { useMemo } from 'react';
-
 import { Trans, t } from '@grafana/i18n';
-import {
-  Alert,
-  Button,
-  EmptyState,
-  LinkButton,
-  LoadingPlaceholder,
-  Pagination,
-  Stack,
-  Tab,
-  TabContent,
-  TabsBar,
-  Text,
-} from '@grafana/ui';
+import { Alert, Button, EmptyState, LinkButton, LoadingPlaceholder, Pagination, Stack } from '@grafana/ui';
 import { contextSrv } from 'app/core/services/context_srv';
 import { shouldUseK8sApi } from 'app/features/alerting/unified/utils/k8s/utils';
 import { makeAMLink, stringifyErrorLike } from 'app/features/alerting/unified/utils/misc';
@@ -22,6 +8,7 @@ import { AccessControlAction } from 'app/types/accessControl';
 import { AlertmanagerAction, useAlertmanagerAbility } from '../../hooks/useAbilities';
 import { usePagination } from '../../hooks/usePagination';
 import { useURLSearchParams } from '../../hooks/useURLSearchParams';
+import { useNotificationConfigNav } from '../../navigation/useNotificationConfigNav';
 import { useAlertmanager } from '../../state/AlertmanagerContext';
 import { isExtraConfig } from '../../utils/alertmanager/extraConfigs';
 import { GRAFANA_RULES_SOURCE_NAME } from '../../utils/datasource';
@@ -30,7 +17,6 @@ import { AlertmanagerPageWrapper } from '../AlertingPageWrapper';
 import { GrafanaAlertmanagerWarning } from '../GrafanaAlertmanagerWarning';

 import { ContactPoint } from './ContactPoint';
-import { NotificationTemplates } from './NotificationTemplates';
 import { ContactPointsFilter } from './components/ContactPointsFilter';
 import { GlobalConfigAlert } from './components/GlobalConfigAlert';
 import { useContactPointsWithStatus } from './useContactPoints';
@@ -99,7 +85,7 @@ const ContactPointsTab = () => {
  }

  return (
-    <>
+    <Stack direction="column" gap={1}>
      {/* TODO we can add some additional info here with a ToggleTip */}
      <Stack direction="row" alignItems="end" justifyContent="space-between">
        <ContactPointsFilter />
@@ -148,109 +134,19 @@ const ContactPointsTab = () => {
        <GlobalConfigAlert alertManagerName={selectedAlertmanager!} />
      )}
      {ExportDrawer}
-    </>
+    </Stack>
  );
 };

-const NotificationTemplatesTab = () => {
-  const [createTemplateSupported, createTemplateAllowed] = useAlertmanagerAbility(
-    AlertmanagerAction.CreateNotificationTemplate
-  );
-
-  return (
-    <>
-      <Stack direction="row" alignItems="center" justifyContent="space-between">
-        <Text variant="body" color="secondary">
-          <Trans i18nKey="alerting.notification-templates-tab.create-notification-templates-customize-notifications">
-            Create notification templates to customize your notifications.
-          </Trans>
-        </Text>
-        {createTemplateSupported && (
-          <LinkButton
-            icon="plus"
-            variant="primary"
-            href="/alerting/notifications/templates/new"
-            disabled={!createTemplateAllowed}
-          >
-            <Trans i18nKey="alerting.notification-templates-tab.add-notification-template-group">
-              Add notification template group
-            </Trans>
-          </LinkButton>
-        )}
-      </Stack>
-      <NotificationTemplates />
-    </>
-  );
-};
-
-const useTabQueryParam = (defaultTab: ActiveTab) => {
-  const [queryParams, setQueryParams] = useURLSearchParams();
-  const param = useMemo(() => {
-    const queryParam = queryParams.get('tab');
-
-    if (!queryParam || !Object.values(ActiveTab).map(String).includes(queryParam)) {
-      return defaultTab;
-    }
-
-    return queryParam || defaultTab;
-  }, [defaultTab, queryParams]);
-
-  const setParam = (tab: ActiveTab) => setQueryParams({ tab });
-  return [param, setParam] as const;
-};
-
 export const ContactPointsPageContents = () => {
  const { selectedAlertmanager } = useAlertmanager();
-  const [, canViewContactPoints] = useAlertmanagerAbility(AlertmanagerAction.ViewContactPoint);
-  const [, canCreateContactPoints] = useAlertmanagerAbility(AlertmanagerAction.CreateContactPoint);
-  const [, showTemplatesTab] = useAlertmanagerAbility(AlertmanagerAction.ViewNotificationTemplate);
-
-  const showContactPointsTab = canViewContactPoints || canCreateContactPoints;
-
-  // Depending on permissions, user may not have access to all tabs,
-  // but we can default to picking the first one that they definitely _do_ have access to
-  const defaultTab = [
-    showContactPointsTab && ActiveTab.ContactPoints,
-    showTemplatesTab && ActiveTab.NotificationTemplates,
-  ].filter((tab) => !!tab)[0];
-
-  const [activeTab, setActiveTab] = useTabQueryParam(defaultTab);
-
-  const { contactPoints } = useContactPointsWithStatus({
-    alertmanager: selectedAlertmanager!,
-  });
-
-  const showingContactPoints = activeTab === ActiveTab.ContactPoints;
-  const showNotificationTemplates = activeTab === ActiveTab.NotificationTemplates;

+  // Show only contact points (no internal tabs)
+  // Templates are accessible via the sidebar navigation
  return (
    <>
      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager!} />
-      <Stack direction="column">
-        <TabsBar>
-          {showContactPointsTab && (
-            <Tab
-              label={t('alerting.contact-points-page-contents.label-contact-points', 'Contact Points')}
-              active={showingContactPoints}
-              counter={contactPoints.length}
-              onChangeTab={() => setActiveTab(ActiveTab.ContactPoints)}
-            />
-          )}
-          {showTemplatesTab && (
-            <Tab
-              label={t('alerting.contact-points-page-contents.label-notification-templates', 'Notification Templates')}
-              active={showNotificationTemplates}
-              onChangeTab={() => setActiveTab(ActiveTab.NotificationTemplates)}
-            />
-          )}
-        </TabsBar>
-        <TabContent>
-          <Stack direction="column">
-            {showingContactPoints && <ContactPointsTab />}
-            {showNotificationTemplates && <NotificationTemplatesTab />}
-          </Stack>
-        </TabContent>
-      </Stack>
+      <ContactPointsTab />
    </>
  );
 };
@@ -282,8 +178,9 @@ const ContactPointsList = ({ contactPoints, search, pageSize = DEFAULT_PAGE_SIZE
 };

 function ContactPointsPage() {
+  const { navId, pageNav } = useNotificationConfigNav();
  return (
-    <AlertmanagerPageWrapper navId="receivers" accessType="notification">
+    <AlertmanagerPageWrapper navId={navId || 'receivers'} pageNav={pageNav} accessType="notification">
      <ContactPointsPageContents />
    </AlertmanagerPageWrapper>
  );
--- a/public/app/features/alerting/unified/components/rules/central-state-history/CentralAlertHistoryPage.tsx
+++ b/public/app/features/alerting/unified/components/rules/central-state-history/CentralAlertHistoryPage.tsx
@@ -1,11 +1,13 @@
+import { useInsightsNav } from '../../../navigation/useInsightsNav';
 import { withPageErrorBoundary } from '../../../withPageErrorBoundary';
 import { AlertingPageWrapper } from '../../AlertingPageWrapper';

 import { CentralAlertHistoryScene } from './CentralAlertHistoryScene';

 function HistoryPage() {
+  const { navId, pageNav } = useInsightsNav();
  return (
-    <AlertingPageWrapper navId="alerts-history" isLoading={false}>
+    <AlertingPageWrapper navId={navId || 'alerts-history'} pageNav={pageNav} isLoading={false}>
      <CentralAlertHistoryScene />
    </AlertingPageWrapper>
  );
--- a/public/app/features/alerting/unified/components/rules/deleted-rules/DeletedRulesPage.tsx
+++ b/public/app/features/alerting/unified/components/rules/deleted-rules/DeletedRulesPage.tsx
@@ -3,6 +3,7 @@ import { Alert } from '@grafana/ui';

 import { alertRuleApi } from '../../../api/alertRuleApi';
 import { GRAFANA_RULER_CONFIG } from '../../../api/featureDiscoveryApi';
+import { useAlertRulesNav } from '../../../navigation/useAlertRulesNav';
 import { stringifyErrorLike } from '../../../utils/misc';
 import { withPageErrorBoundary } from '../../../withPageErrorBoundary';
 import { AlertingPageWrapper } from '../../AlertingPageWrapper';
@@ -18,9 +19,10 @@ function DeletedrulesPage() {
    rulerConfig: GRAFANA_RULER_CONFIG,
    filter: {}, // todo: add filters, and limit?????
  });
+  const { navId, pageNav } = useAlertRulesNav();

  return (
-    <AlertingPageWrapper navId="alerts/recently-deleted" isLoading={isLoading}>
+    <AlertingPageWrapper navId={navId || 'alerts/recently-deleted'} pageNav={pageNav} isLoading={isLoading}>
      <>
        {error && (
          <Alert title={t('alerting.deleted-rules.errorloading', 'Failed to load alert deleted rules')}>
--- a/public/app/features/alerting/unified/home/Home.tsx
+++ b/public/app/features/alerting/unified/home/Home.tsx
@@ -1,23 +1,24 @@
-import { useState } from 'react';
+import { useMemo, useState } from 'react';

 import { t } from '@grafana/i18n';
 import { Box, Stack, Tab, TabContent, TabsBar } from '@grafana/ui';

 import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
-import { isLocalDevEnv } from '../utils/misc';
 import { withPageErrorBoundary } from '../withPageErrorBoundary';

 import GettingStarted, { WelcomeHeader } from './GettingStarted';
 import IRMCard from './IRMCard';
-import { getInsightsScenes, insightsIsAvailable } from './Insights';
+import { getInsightsScenes } from './Insights';
 import { PluginIntegrations } from './PluginIntegrations';
 import SyntheticMonitoringCard from './SyntheticMonitoringCard';

 function Home() {
-  const insightsEnabled = insightsIsAvailable() || isLocalDevEnv();
+  // Insights tab is not shown on Home page - Insights is available via the sidebar menu instead
+  const insightsEnabled = false;

  const [activeTab, setActiveTab] = useState<'insights' | 'overview'>(insightsEnabled ? 'insights' : 'overview');
-  const insightsScene = getInsightsScenes();
+  // Memoize the scene so it's only created once and properly initialized
+  const insightsScene = useMemo(() => getInsightsScenes(), []);

  return (
    <AlertingPageWrapper subTitle="Learn about problems in your systems moments after they occur" navId="alerting">
--- a/public/app/features/alerting/unified/insights/InsightsPage.tsx
+++ b/public/app/features/alerting/unified/insights/InsightsPage.tsx
@@ -0,0 +1,44 @@
+import { useMemo } from 'react';
+
+import { Trans, t } from '@grafana/i18n';
+
+import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
+import { getInsightsScenes, insightsIsAvailable } from '../home/Insights';
+import { useInsightsNav } from '../navigation/useInsightsNav';
+import { isLocalDevEnv } from '../utils/misc';
+import { withPageErrorBoundary } from '../withPageErrorBoundary';
+
+function InsightsPage() {
+  const insightsEnabled = insightsIsAvailable() || isLocalDevEnv();
+  const { navId, pageNav } = useInsightsNav();
+  // Memoize the scene so it's only created once and properly initialized
+  const insightsScene = useMemo(() => getInsightsScenes(), []);
+
+  if (!insightsEnabled) {
+    return (
+      <AlertingPageWrapper
+        navId={navId || 'insights'}
+        pageNav={pageNav}
+        subTitle={t('alerting.insights.subtitle', 'Analytics and history for alerting')}
+      >
+        <div>
+          <Trans i18nKey="alerting.insights.not-available">
+            Insights are not available. Please configure the required data sources.
+          </Trans>
+        </div>
+      </AlertingPageWrapper>
+    );
+  }
+
+  return (
+    <AlertingPageWrapper
+      navId={navId || 'insights'}
+      pageNav={pageNav}
+      subTitle={t('alerting.insights.subtitle', 'Analytics and history for alerting')}
+    >
+      <insightsScene.Component model={insightsScene} />
+    </AlertingPageWrapper>
+  );
+}
+
+export default withPageErrorBoundary(InsightsPage);
--- a/public/app/features/alerting/unified/navigation/useAlertActivityNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useAlertActivityNav.test.tsx
@@ -0,0 +1,134 @@
+import { renderHook } from '@testing-library/react';
+import { getWrapper } from 'test/test-utils';
+
+import { configureStore } from 'app/store/configureStore';
+
+import { useAlertActivityNav } from './useAlertActivityNav';
+
+describe('useAlertActivityNav', () => {
+  const mockNavIndex = {
+    'alert-activity': {
+      id: 'alert-activity',
+      text: 'Alert activity',
+      url: '/alerting/alerts',
+    },
+    'alert-activity-alerts': {
+      id: 'alert-activity-alerts',
+      text: 'Alerts',
+      url: '/alerting/alerts',
+    },
+    'alert-activity-groups': {
+      id: 'alert-activity-groups',
+      text: 'Active notifications',
+      url: '/alerting/groups',
+    },
+  };
+
+  const defaultPreloadedState = {
+    navIndex: mockNavIndex,
+  };
+
+  it('should return navigation with pageNav for Alerts tab', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/alerts'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
+
+    expect(result.current.navId).toBe('alert-activity');
+    expect(result.current.pageNav).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children).toBeDefined();
+    // The pageNav should represent Alert Activity (not the active tab) for consistent title
+    expect(result.current.pageNav?.text).toBe('Alert activity');
+  });
+
+  it('should return navigation with pageNav for Active notifications tab', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/groups'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
+
+    expect(result.current.navId).toBe('alert-activity');
+    expect(result.current.pageNav).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children).toBeDefined();
+    // The pageNav should represent Alert Activity (not the active tab) for consistent title
+    expect(result.current.pageNav?.text).toBe('Alert activity');
+  });
+
+  it('should set active tab based on current path', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/groups'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    const activeNotificationsTab = result.current.pageNav?.children?.find((tab) => tab.id === 'alert-activity-groups');
+    expect(activeNotificationsTab?.active).toBe(true);
+
+    // eslint-disable-next-line testing-library/no-node-access
+    const alertsTab = result.current.pageNav?.children?.find((tab) => tab.id === 'alert-activity-alerts');
+    expect(alertsTab?.active).toBe(false);
+  });
+
+  it('should filter tabs based on permissions', () => {
+    const limitedNavIndex = {
+      'alert-activity': mockNavIndex['alert-activity'],
+      'alert-activity-alerts': mockNavIndex['alert-activity-alerts'],
+      // Missing 'alert-activity-groups' - user doesn't have permission
+    };
+    const store = configureStore({
+      navIndex: limitedNavIndex,
+    });
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/alerts'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.length).toBe(1);
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.[0].id).toBe('alert-activity-alerts');
+  });
+
+  it('should return undefined when alert-activity nav is missing', () => {
+    const store = configureStore({
+      navIndex: {},
+    });
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/groups'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
+
+    expect(result.current.navId).toBeUndefined();
+    expect(result.current.pageNav).toBeUndefined();
+  });
+});
--- a/public/app/features/alerting/unified/navigation/useAlertActivityNav.ts
+++ b/public/app/features/alerting/unified/navigation/useAlertActivityNav.ts
@@ -0,0 +1,57 @@
+import { useLocation } from 'react-router-dom-v5-compat';
+
+import { NavModelItem } from '@grafana/data';
+import { t } from '@grafana/i18n';
+import { useSelector } from 'app/types/store';
+
+export function useAlertActivityNav() {
+  const location = useLocation();
+  const navIndex = useSelector((state) => state.navIndex);
+
+  const alertActivityNav = navIndex['alert-activity'];
+  if (!alertActivityNav) {
+    return {
+      navId: undefined,
+      pageNav: undefined,
+    };
+  }
+
+  // All available tabs
+  const allTabs = [
+    {
+      id: 'alert-activity-alerts',
+      text: t('alerting.navigation.alerts', 'Alerts'),
+      url: '/alerting/alerts',
+      active: location.pathname === '/alerting/alerts',
+      icon: 'bell',
+      parentItem: alertActivityNav,
+    },
+    {
+      id: 'alert-activity-groups',
+      text: t('alerting.navigation.active-notifications', 'Active notifications'),
+      url: '/alerting/groups',
+      active: location.pathname === '/alerting/groups',
+      icon: 'layer-group',
+      parentItem: alertActivityNav,
+    },
+  ].filter((tab) => {
+    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
+    const navItem = navIndex[tab.id];
+    return navItem !== undefined;
+  });
+
+  // Create pageNav structure following the same pattern as useNotificationConfigNav
+  // Keep "Alert Activity" as the pageNav (not the active tab) so the title and subtitle stay consistent
+  // The tabs are children, and the breadcrumb utility will add the active tab to breadcrumbs
+  // (including the first tab, after our fix to the breadcrumb utility)
+  const pageNav: NavModelItem = {
+    ...alertActivityNav,
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    children: allTabs as NavModelItem[],
+  };
+
+  return {
+    navId: 'alert-activity',
+    pageNav,
+  };
+}
--- a/public/app/features/alerting/unified/navigation/useAlertRulesNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useAlertRulesNav.test.tsx
@@ -0,0 +1,95 @@
+import { renderHook } from '@testing-library/react';
+import { getWrapper } from 'test/test-utils';
+
+import { configureStore } from 'app/store/configureStore';
+
+import { useAlertRulesNav } from './useAlertRulesNav';
+
+describe('useAlertRulesNav', () => {
+  const mockNavIndex = {
+    'alert-rules': {
+      id: 'alert-rules',
+      text: 'Alert rules',
+      url: '/alerting/list',
+      icon: 'list-ul' as const,
+    },
+    'alert-rules-list': {
+      id: 'alert-rules-list',
+      text: 'Alert rules',
+      url: '/alerting/list',
+    },
+    'alert-rules-recently-deleted': {
+      id: 'alert-rules-recently-deleted',
+      text: 'Recently deleted',
+      url: '/alerting/recently-deleted',
+    },
+  };
+
+  const defaultPreloadedState = {
+    navIndex: mockNavIndex,
+  };
+
+  it('should return navigation with pageNav', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/list'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
+
+    expect(result.current.navId).toBe('alert-rules');
+    expect(result.current.pageNav).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.length).toBeGreaterThan(0);
+  });
+
+  it('should filter tabs based on permissions', () => {
+    const limitedNavIndex = {
+      'alert-rules': mockNavIndex['alert-rules'],
+      'alert-rules-list': mockNavIndex['alert-rules-list'],
+      // Missing 'alert-rules-recently-deleted' - user doesn't have permission
+    };
+    const store = configureStore({
+      navIndex: limitedNavIndex,
+    });
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/list'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.length).toBe(1);
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.[0].id).toBe('alert-rules-list');
+  });
+
+  it('should set active tab based on current path', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/recently-deleted'],
+      },
+    });
+
+    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    const recentlyDeletedTab = result.current.pageNav?.children?.find(
+      (tab) => tab.id === 'alert-rules-recently-deleted'
+    );
+    expect(recentlyDeletedTab?.active).toBe(true);
+  });
+});
--- a/public/app/features/alerting/unified/navigation/useAlertRulesNav.ts
+++ b/public/app/features/alerting/unified/navigation/useAlertRulesNav.ts
@@ -0,0 +1,54 @@
+import { useLocation } from 'react-router-dom-v5-compat';
+
+import { NavModelItem } from '@grafana/data';
+import { t } from '@grafana/i18n';
+import { useSelector } from 'app/types/store';
+
+export function useAlertRulesNav() {
+  const location = useLocation();
+  const navIndex = useSelector((state) => state.navIndex);
+
+  const alertRulesNav = navIndex['alert-rules'];
+  if (!alertRulesNav) {
+    return {
+      navId: undefined,
+      pageNav: undefined,
+    };
+  }
+
+  // All available tabs
+  const allTabs = [
+    {
+      id: 'alert-rules-list',
+      text: t('alerting.navigation.alert-rules', 'Alert rules'),
+      url: '/alerting/list',
+      active: location.pathname === '/alerting/list',
+      icon: 'list-ul',
+      parentItem: alertRulesNav,
+    },
+    {
+      id: 'alert-rules-recently-deleted',
+      text: t('alerting.navigation.recently-deleted', 'Recently deleted'),
+      url: '/alerting/recently-deleted',
+      active: location.pathname === '/alerting/recently-deleted',
+      icon: 'trash-alt',
+      parentItem: alertRulesNav,
+    },
+  ].filter((tab) => {
+    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
+    const navItem = navIndex[tab.id];
+    return navItem !== undefined;
+  });
+
+  // Create pageNav that represents the Alert rules page with tabs as children
+  const pageNav: NavModelItem = {
+    ...alertRulesNav,
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    children: allTabs as NavModelItem[],
+  };
+
+  return {
+    navId: 'alert-rules',
+    pageNav,
+  };
+}
--- a/public/app/features/alerting/unified/navigation/useInsightsNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useInsightsNav.test.tsx
@@ -0,0 +1,90 @@
+import { renderHook } from '@testing-library/react';
+import { getWrapper } from 'test/test-utils';
+
+import { configureStore } from 'app/store/configureStore';
+
+import { useInsightsNav } from './useInsightsNav';
+
+describe('useInsightsNav', () => {
+  const mockNavIndex = {
+    insights: {
+      id: 'insights',
+      text: 'Insights',
+      url: '/alerting/insights',
+    },
+    'insights-system': {
+      id: 'insights-system',
+      text: 'System Insights',
+      url: '/alerting/insights',
+    },
+    'insights-history': {
+      id: 'insights-history',
+      text: 'Alert state history',
+      url: '/alerting/history',
+    },
+  };
+
+  const defaultPreloadedState = {
+    navIndex: mockNavIndex,
+  };
+
+  it('should return navigation with pageNav', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/insights'],
+      },
+    });
+
+    const { result } = renderHook(() => useInsightsNav(), { wrapper });
+
+    expect(result.current.navId).toBe('insights');
+    expect(result.current.pageNav).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children).toBeDefined();
+  });
+
+  it('should set active tab based on current path', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/history'],
+      },
+    });
+
+    const { result } = renderHook(() => useInsightsNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    const historyTab = result.current.pageNav?.children?.find((tab) => tab.id === 'insights-history');
+    expect(historyTab?.active).toBe(true);
+  });
+
+  it('should filter tabs based on permissions', () => {
+    const limitedNavIndex = {
+      insights: mockNavIndex.insights,
+      'insights-system': mockNavIndex['insights-system'],
+      // Missing 'insights-history' - user doesn't have permission
+    };
+    const store = configureStore({
+      navIndex: limitedNavIndex,
+    });
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/insights'],
+      },
+    });
+
+    const { result } = renderHook(() => useInsightsNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.length).toBe(1);
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.[0].id).toBe('insights-system');
+  });
+});
--- a/public/app/features/alerting/unified/navigation/useInsightsNav.ts
+++ b/public/app/features/alerting/unified/navigation/useInsightsNav.ts
@@ -0,0 +1,54 @@
+import { useLocation } from 'react-router-dom-v5-compat';
+
+import { NavModelItem } from '@grafana/data';
+import { t } from '@grafana/i18n';
+import { useSelector } from 'app/types/store';
+
+export function useInsightsNav() {
+  const location = useLocation();
+  const navIndex = useSelector((state) => state.navIndex);
+
+  const insightsNav = navIndex.insights;
+  if (!insightsNav) {
+    return {
+      navId: undefined,
+      pageNav: undefined,
+    };
+  }
+
+  // All available tabs
+  const allTabs = [
+    {
+      id: 'insights-system',
+      text: t('alerting.navigation.system-insights', 'System Insights'),
+      url: '/alerting/insights',
+      active: location.pathname === '/alerting/insights',
+      icon: 'chart-line',
+      parentItem: insightsNav,
+    },
+    {
+      id: 'insights-history',
+      text: t('alerting.navigation.alert-state-history', 'Alert state history'),
+      url: '/alerting/history',
+      active: location.pathname === '/alerting/history',
+      icon: 'history',
+      parentItem: insightsNav,
+    },
+  ].filter((tab) => {
+    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
+    const navItem = navIndex[tab.id];
+    return navItem !== undefined;
+  });
+
+  // Create pageNav that represents the Insights page with tabs as children
+  const pageNav: NavModelItem = {
+    ...insightsNav,
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    children: allTabs as NavModelItem[],
+  };
+
+  return {
+    navId: 'insights',
+    pageNav,
+  };
+}
--- a/public/app/features/alerting/unified/navigation/useNotificationConfigNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useNotificationConfigNav.test.tsx
@@ -0,0 +1,102 @@
+import { renderHook } from '@testing-library/react';
+import { getWrapper } from 'test/test-utils';
+
+import { configureStore } from 'app/store/configureStore';
+
+import { useNotificationConfigNav } from './useNotificationConfigNav';
+
+describe('useNotificationConfigNav', () => {
+  const mockNavIndex = {
+    'notification-config': {
+      id: 'notification-config',
+      text: 'Notification configuration',
+      url: '/alerting/notifications',
+    },
+    'notification-config-contact-points': {
+      id: 'notification-config-contact-points',
+      text: 'Contact points',
+      url: '/alerting/notifications',
+    },
+    'notification-config-policies': {
+      id: 'notification-config-policies',
+      text: 'Notification policies',
+      url: '/alerting/routes',
+    },
+    'notification-config-templates': {
+      id: 'notification-config-templates',
+      text: 'Notification templates',
+      url: '/alerting/notifications/templates',
+    },
+    'notification-config-time-intervals': {
+      id: 'notification-config-time-intervals',
+      text: 'Time intervals',
+      url: '/alerting/time-intervals',
+    },
+  };
+
+  const defaultPreloadedState = {
+    navIndex: mockNavIndex,
+  };
+
+  it('should return navigation with pageNav', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/notifications'],
+      },
+    });
+
+    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
+
+    expect(result.current.navId).toBe('notification-config');
+    expect(result.current.pageNav).toBeDefined();
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children).toBeDefined();
+  });
+
+  it('should detect time intervals tab from path', () => {
+    const store = configureStore(defaultPreloadedState);
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/time-intervals'],
+      },
+    });
+
+    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    const timeIntervalsTab = result.current.pageNav?.children?.find(
+      (tab) => tab.id === 'notification-config-time-intervals'
+    );
+    expect(timeIntervalsTab?.active).toBe(true);
+  });
+
+  it('should filter tabs based on permissions', () => {
+    const limitedNavIndex = {
+      'notification-config': mockNavIndex['notification-config'],
+      'notification-config-contact-points': mockNavIndex['notification-config-contact-points'],
+      // Missing other tabs - user doesn't have permission
+    };
+    const store = configureStore({
+      navIndex: limitedNavIndex,
+    });
+    const wrapper = getWrapper({
+      store,
+      renderWithRouter: true,
+      historyOptions: {
+        initialEntries: ['/alerting/notifications'],
+      },
+    });
+
+    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
+
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.length).toBe(1);
+    // eslint-disable-next-line testing-library/no-node-access
+    expect(result.current.pageNav?.children?.[0].id).toBe('notification-config-contact-points');
+  });
+});
--- a/public/app/features/alerting/unified/navigation/useNotificationConfigNav.ts
+++ b/public/app/features/alerting/unified/navigation/useNotificationConfigNav.ts
@@ -0,0 +1,86 @@
+import { useLocation } from 'react-router-dom-v5-compat';
+
+import { NavModelItem } from '@grafana/data';
+import { t } from '@grafana/i18n';
+import { useSelector } from 'app/types/store';
+
+export function useNotificationConfigNav() {
+  const location = useLocation();
+  const navIndex = useSelector((state) => state.navIndex);
+
+  const notificationConfigNav = navIndex['notification-config'];
+  if (!notificationConfigNav) {
+    // Fallback to legacy navIds
+    if (location.pathname.includes('/alerting/notifications/templates')) {
+      return {
+        navId: 'receivers',
+        pageNav: undefined,
+      };
+    }
+    if (location.pathname === '/alerting/routes') {
+      return {
+        navId: 'am-routes',
+        pageNav: undefined,
+      };
+    }
+    return {
+      navId: 'receivers',
+      pageNav: undefined,
+    };
+  }
+
+  // Check if we're on the time intervals page
+  const isTimeIntervalsTab = location.pathname === '/alerting/time-intervals';
+
+  // All available tabs
+  const allTabs = [
+    {
+      id: 'notification-config-contact-points',
+      text: t('alerting.navigation.contact-points', 'Contact points'),
+      url: '/alerting/notifications',
+      active: location.pathname === '/alerting/notifications' && !location.pathname.includes('/templates'),
+      icon: 'comment-alt-share',
+      parentItem: notificationConfigNav,
+    },
+    {
+      id: 'notification-config-policies',
+      text: t('alerting.navigation.notification-policies', 'Notification policies'),
+      url: '/alerting/routes',
+      active: location.pathname === '/alerting/routes' && !isTimeIntervalsTab,
+      icon: 'sitemap',
+      parentItem: notificationConfigNav,
+    },
+    {
+      id: 'notification-config-templates',
+      text: t('alerting.navigation.notification-templates', 'Notification templates'),
+      url: '/alerting/notifications/templates',
+      active: location.pathname.includes('/alerting/notifications/templates'),
+      icon: 'file-alt',
+      parentItem: notificationConfigNav,
+    },
+    {
+      id: 'notification-config-time-intervals',
+      text: t('alerting.navigation.time-intervals', 'Time intervals'),
+      url: '/alerting/time-intervals',
+      active: isTimeIntervalsTab,
+      icon: 'clock-nine',
+      parentItem: notificationConfigNav,
+    },
+  ].filter((tab) => {
+    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
+    const navItem = navIndex[tab.id];
+    return navItem !== undefined;
+  });
+
+  // Create pageNav that represents the Notification configuration page with tabs as children
+  const pageNav: NavModelItem = {
+    ...notificationConfigNav,
+    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+    children: allTabs as NavModelItem[],
+  };
+
+  return {
+    navId: 'notification-config',
+    pageNav,
+  };
+}
--- a/public/app/features/alerting/unified/rule-list/RuleList.v1.tsx
+++ b/public/app/features/alerting/unified/rule-list/RuleList.v1.tsx
@@ -20,6 +20,7 @@ import { shouldUsePrometheusRulesPrimary } from '../featureToggles';
 import { useCombinedRuleNamespaces } from '../hooks/useCombinedRuleNamespaces';
 import { useFilteredRules, useRulesFilter } from '../hooks/useFilteredRules';
 import { useUnifiedAlertingSelector } from '../hooks/useUnifiedAlertingSelector';
+import { useAlertRulesNav } from '../navigation/useAlertRulesNav';
 import { fetchAllPromAndRulerRulesAction, fetchAllPromRulesAction, fetchRulerRulesAction } from '../state/actions';
 import { RULE_LIST_POLL_INTERVAL_MS } from '../utils/constants';
 import { GRAFANA_RULES_SOURCE_NAME, getAllRulesSourceNames } from '../utils/datasource';
@@ -115,11 +116,14 @@ const RuleListV1 = () => {

  const combinedNamespaces: CombinedRuleNamespace[] = useCombinedRuleNamespaces();
  const filteredNamespaces = useFilteredRules(combinedNamespaces, filterState);
+  const { navId, pageNav } = useAlertRulesNav();
+
  return (
    // We don't want to show the Loading... indicator for the whole page.
    // We show separate indicators for Grafana-managed and Cloud rules
    <AlertingPageWrapper
-      navId="alert-list"
+      navId={navId}
+      pageNav={pageNav}
      isLoading={false}
      renderTitle={(title) => <RuleListPageTitle title={title} />}
      actions={<RuleListActionButtons hasAlertRulesCreated={hasAlertRulesCreated} />}
--- a/public/app/features/alerting/unified/rule-list/RuleList.v2.tsx
+++ b/public/app/features/alerting/unified/rule-list/RuleList.v2.tsx
@@ -13,6 +13,7 @@ import { useListViewMode } from '../components/rules/Filter/RulesViewModeSelecto
 import { AIAlertRuleButtonComponent } from '../enterprise-components/AI/AIGenAlertRuleButton/addAIAlertRuleButton';
 import { AlertingAction, useAlertingAbility } from '../hooks/useAbilities';
 import { useRulesFilter } from '../hooks/useFilteredRules';
+import { useAlertRulesNav } from '../navigation/useAlertRulesNav';
 import { getRulesDataSources } from '../utils/datasource';

 import { FilterView } from './FilterView';
@@ -123,10 +124,12 @@ export function RuleListActions() {

 export default function RuleListPage() {
  const { isApplying } = useApplyDefaultSearch();
+  const { navId, pageNav } = useAlertRulesNav();

  return (
    <AlertingPageWrapper
-      navId="alert-list"
+      navId={navId}
+      pageNav={pageNav}
      renderTitle={(title) => <RuleListPageTitle title={title} />}
      isLoading={isApplying}
      actions={<RuleListActions />}
--- a/public/app/features/alerting/unified/triage/Triage.tsx
+++ b/public/app/features/alerting/unified/triage/Triage.tsx
@@ -1,23 +1,16 @@
-import { t } from '@grafana/i18n';
 import { UrlSyncContextProvider } from '@grafana/scenes';
 import { withErrorBoundary } from '@grafana/ui';

 import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
+import { useAlertActivityNav } from '../navigation/useAlertActivityNav';

 import { TriageScene, triageScene } from './scene/TriageScene';

 export const TriagePage = () => {
+  const { navId, pageNav } = useAlertActivityNav();
+
  return (
-    <AlertingPageWrapper
-      navId="alert-alerts"
-      subTitle={t(
-        'alerting.pages.triage.subtitle',
-        'See what is currently alerting and explore historical data to investigate current or past issues.'
-      )}
-      pageNav={{
-        text: t('alerting.pages.triage.title', 'Alerts'),
-      }}
-    >
+    <AlertingPageWrapper navId={navId || 'alert-alerts'} pageNav={pageNav}>
      <UrlSyncContextProvider scene={triageScene} updateUrlOnInit={true} createBrowserHistorySteps={true}>
        <TriageScene key={triageScene.state.key} />
      </UrlSyncContextProvider>
--- a/public/app/features/dashboard-scene/scene/VariableControls.test.tsx
+++ b/public/app/features/dashboard-scene/scene/VariableControls.test.tsx
@@ -0,0 +1,84 @@
+import { render, screen } from '@testing-library/react';
+
+import { VariableHide } from '@grafana/data';
+import { SceneGridLayout, SceneVariable, SceneVariableSet, ScopesVariable, TextBoxVariable } from '@grafana/scenes';
+
+import { DashboardScene } from './DashboardScene';
+import { VariableControls } from './VariableControls';
+import { DefaultGridLayoutManager } from './layout-default/DefaultGridLayoutManager';
+
+jest.mock('@grafana/runtime', () => {
+  const runtime = jest.requireActual('@grafana/runtime');
+  return {
+    ...runtime,
+    config: {
+      ...runtime.config,
+      featureToggles: {
+        dashboardNewLayouts: true,
+      },
+    },
+  };
+});
+
+describe('VariableControls', () => {
+  it('should not render scopes variable', () => {
+    const variables = [new ScopesVariable({})];
+    const dashboard = buildScene(variables);
+    dashboard.activate();
+
+    render(<VariableControls dashboard={dashboard} />);
+
+    expect(screen.queryByText('__scopes')).not.toBeInTheDocument();
+  });
+
+  it('should not render regular hidden variables', () => {
+    const hiddenVariable = new TextBoxVariable({
+      name: 'HiddenVar',
+      hide: VariableHide.hideVariable,
+    });
+    const variables = [hiddenVariable];
+    const dashboard = buildScene(variables);
+    dashboard.activate();
+
+    render(<VariableControls dashboard={dashboard} />);
+
+    expect(screen.queryByText('HiddenVar')).not.toBeInTheDocument();
+  });
+
+  it('should render regular hidden variables in edit mode', async () => {
+    const hiddenVariable = new TextBoxVariable({
+      name: 'HiddenVar',
+      hide: VariableHide.hideVariable,
+    });
+    const variables = [hiddenVariable];
+    const dashboard = buildScene(variables);
+    dashboard.activate();
+
+    dashboard.setState({ isEditing: true });
+    render(<VariableControls dashboard={dashboard} />);
+
+    expect(await screen.findByText('HiddenVar')).toBeInTheDocument();
+  });
+
+  it('should not render variables hidden in controls menu in edit mode', async () => {
+    const dashboard = buildScene([new TextBoxVariable({ name: 'TextVarControls', hide: VariableHide.inControlsMenu })]);
+    dashboard.activate();
+
+    dashboard.setState({ isEditing: true });
+    render(<VariableControls dashboard={dashboard} />);
+
+    expect(screen.queryByText('TextVarControls')).not.toBeInTheDocument();
+  });
+});
+
+function buildScene(variables: SceneVariable[] = []) {
+  const dashboard = new DashboardScene({
+    $variables: new SceneVariableSet({ variables }),
+    body: new DefaultGridLayoutManager({
+      grid: new SceneGridLayout({
+        children: [],
+      }),
+    }),
+  });
+  return dashboard;
+}
--- a/public/app/features/dashboard-scene/scene/VariableControls.tsx
+++ b/public/app/features/dashboard-scene/scene/VariableControls.tsx
@@ -39,8 +39,9 @@ export function VariableControls({ dashboard }: { dashboard: DashboardScene }) {
    ? restVariables.filter((v) => v.state.hide !== VariableHide.inControlsMenu)
    : variables.filter(
        (v) =>
+          // used for scopes variables, should always be hidden
          // if we're editing in dynamic dashboards, still shows hidden variable but greyed out
-          (isEditingNewLayouts && v.state.hide === VariableHide.hideVariable) ||
+          (!v.UNSAFE_renderAsHidden && isEditingNewLayouts && v.state.hide === VariableHide.hideVariable) ||
          v.state.hide !== VariableHide.inControlsMenu
      );

--- a/public/locales/en-US/grafana.json
+++ b/public/locales/en-US/grafana.json
@@ -938,10 +938,6 @@
      "label-search-by-name-or-type": "Search by name or type",
      "placeholder-search": "Search"
    },
-    "contact-points-page-contents": {
-      "label-contact-points": "Contact Points",
-      "label-notification-templates": "Notification Templates"
-    },
    "contact-points-tab": {
      "aria-label-add-contact-point": "add contact point",
      "aria-label-export-all": "export all",
@@ -1645,7 +1641,9 @@
    "insights": {
      "monitor-status-of-system": "Monitor the status of your system",
      "monitor-status-system-tooltip": "Alerting insights provides pre-built dashboards to monitor your alerting data.",
-      "monitor-status-system-tooltip-identify": "You can identify patterns in why things go wrong and discover trends in alerting performance within your organization."
+      "monitor-status-system-tooltip-identify": "You can identify patterns in why things go wrong and discover trends in alerting performance within your organization.",
+      "not-available": "Insights are not available. Please configure the required data sources.",
+      "subtitle": "Analytics and history for alerting"
    },
    "insights-menu-button-renderer": {
      "aria-label-rate-this-panel": "Rate this panel",
@@ -1928,6 +1926,18 @@
      "select-group": "Select group",
      "select-namespace": "Select namespace"
    },
+    "navigation": {
+      "active-notifications": "Active notifications",
+      "alert-rules": "Alert rules",
+      "alert-state-history": "Alert state history",
+      "alerts": "Alerts",
+      "contact-points": "Contact points",
+      "notification-policies": "Notification policies",
+      "notification-templates": "Notification templates",
+      "recently-deleted": "Recently deleted",
+      "system-insights": "System Insights",
+      "time-intervals": "Time intervals"
+    },
    "need-help-info": {
      "need-help": "Need help?"
    },
@@ -1976,10 +1986,6 @@
      "title-error-loading-alertmanager-config": "Error loading Alertmanager config",
      "title-notification-policies-have-changed": "Notification policies have changed"
    },
-    "notification-policies-tabs": {
-      "label-notification-policies": "Notification Policies",
-      "label-time-intervals": "Time intervals"
-    },
    "notification-policy-drawer": {
      "view-notification-policy-tree": "View notification policy tree"
    },
@@ -2045,12 +2051,6 @@
      "body-selected-alertmanager-not-found": "The selected Alertmanager no longer exists or you may not have permission to access it. You can select a different Alertmanager from the dropdown.",
      "title-selected-alertmanager-not-found": "Selected Alertmanager not found."
    },
-    "pages": {
-      "triage": {
-        "subtitle": "See what is currently alerting and explore historical data to investigate current or past issues.",
-        "title": "Alerts"
-      }
-    },
    "panel-alert-tab-content": {
      "alert": {
        "title-errors-loading-rules": "Errors loading rules"
Author	SHA1	Message	Date
Alejandro Fraenkel	e4265fe39c	fix(alerting): remove obsolete notification templates tab checks from ContactPoints tests - Remove test code checking for Notification Templates tab (lines 282-288 and 494-497) - Templates are now a separate page in sidebar navigation, not a tab within Contact Points - Tests should only verify contact points permissions, not templates	2026-01-13 17:09:16 +01:00
Alejandro Fraenkel	2635a67630	fix: resolve CI failures from navigation refactoring TypeScript fixes: - Add 'as const' to icon type in useAlertRulesNav.test.tsx for proper type narrowing - Remove unused imports in NotificationPoliciesPage.test.tsx and ContactPoints.test.tsx - Remove unused import in triage/Triage.tsx - Restore missing useURLSearchParams import in ContactPoints.tsx - Restore ActiveTab enum export (used by template pages for URL generation) Go lint fixes: - Move nolint:staticcheck comment to line directly before flagged usage in navtree.go i18n: - Run yarn i18n-extract to update translation files All tests passing: - Backend navtree tests: ✅ - TypeScript compilation: ✅	2026-01-13 13:12:24 +01:00
Alejandro Fraenkel	30bacc4ef1	refactor(alerting): format navtree child items for consistency - Convert child NavLink definitions to multi-line format - Remove redundant inline comments - All navtree tests passing (backend and frontend)	2026-01-13 01:39:37 +01:00
Alejandro Fraenkel	143c256a93	fix: remove unused imports in Home.tsx	2026-01-13 01:01:02 +01:00
Alejandro Fraenkel	cc556f3792	Merge branch 'main' into alerting/menu-v2-only Resolved conflicts: - pkg/services/navtree/navtreeimpl/navtree.go: Kept V2 navigation structure with proper parent-child hierarchy for alert-activity - public/app/features/alerting/unified/rule-list/RuleList.v2.tsx: Merged both import statements (useAlertRulesNav and getRulesDataSources)	2026-01-12 21:20:08 +01:00
Alejandro Fraenkel	661cd58bae	feat(alerting): remove alertingNavigationV2 feature flag Remove the alertingNavigationV2 feature toggle and make V2 navigation the only option. Changes: - Remove feature flag from registry.go and regenerate toggle files - Remove shouldUseAlertingNavigationV2() function from featureToggles.ts - Clean up all navigation hooks (useNotificationConfigNav, useInsightsNav, useAlertRulesNav, useAlertActivityNav) - Remove legacy navigation logic from page components (TimeIntervalsPage, Templates) - Update MegaMenu to always use flattened alerting sidebar navigation - Simplify all test files by removing feature flag mocking and legacy test cases Net result: ~500 lines of code removed, simpler codebase with single navigation implementation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 21:12:32 +01:00
Alejandro Fraenkel	b3625b95e3	Remove feature flag and legacy navigation code This commit removes the alertingNavigationV2 feature flag and all legacy navigation code, making the V2 navigation the only option. This simplifies the codebase by removing: - Feature flag checks in backend and frontend - buildAlertNavLinksLegacy function (114 lines) - Legacy tab code in ContactPoints and NotificationPoliciesPage - Related test code for legacy navigation Backend changes: - navtree.go: Remove feature flag check, delete legacy function - navtree_alerting_test.go: Remove legacy tests, update V2 tests Frontend changes: - Home.tsx: Remove feature flag, Insights tab always hidden - ContactPoints.tsx: Remove tabs, show only contact points - NotificationPoliciesPage.tsx: Remove tabs, show only policies This branch is designed for a one-time change to reduce change surface compared to maintaining both legacy and V2 navigation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 19:19:59 +01:00
Nick Richmond	53aa5e8f7f	MetricsDrilldown: Remove `exploreMetricsRelatedLogs` feature toggle (#116090 ) chore: remove unused exploreMetricsRelatedLogs feature toggle	2026-01-12 12:52:40 -05:00
Ida Štambuk	69bf3068b3	Dashboards: Never show scopes variables (#116132 )	2026-01-12 18:52:23 +01:00
Will Assis	1263a3d364	unified-storage: HappyPath and notifier tests + couple of bugfixes (#116087 ) * unified-storage: couple of bugfixes and enable HappyPath and notifier sqlkv tests	2026-01-12 12:17:41 -05:00
Daniele Stefano Ferru	e4b79e2fc8	Provisioning: Add Validation and Mutation for `Connection` resource (#115596 ) * WIP: mutator added, start working on validator * first validator iteration * second validator iteration * wip: working on integration tests * re-working mutation and validation, using Connection interface * fixing some rebase things * fixing integration tests * formatting * fixing unit tests * k8s codegen * linting * moving tests which are available only for enterprise * addressing comments: using repo config for connections, updating tests * addressing comments: adding some more info in the app and installation * fixing app data * addressing comments: updating connection implementation * addressing comments * formatting * fixing tests	2026-01-12 17:52:00 +01:00
Alejandro Fraenkel	774551589b	Fix spacing in Notification Templates tab (legacy mode) Add proper top margin to TabContent in legacy mode to match the spacing pattern used in Notification Policies page. Changes: - Import css from @emotion/css and useStyles2 - Import GrafanaTheme2 for theme typing - Create getStyles function with tabContent margin - Apply className to TabContent in legacy mode rendering - Matches the pattern used in NotificationPoliciesPage.tsx This fixes the visual issue where the "Create notification templates" text was directly touching the tabs above with no spacing in legacy navigation mode. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 15:32:06 +01:00
Alejandro Fraenkel	dee9bc8fb9	Fix spacing issues in Contact Points and Templates tabs Add proper top spacing to Contact Points and Notification Templates tabs to match the spacing pattern used in Notification Policies. Changes: - Wrap ContactPointsTab content in Stack with gap={1} - Wrap NotificationTemplatesTab content in Stack with gap={1} - This adds consistent spacing between the tabs and the search/filter sections, matching the UX pattern in Notification Policies Fixes visual regression where search boxes were directly touching the tab bar with no spacing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 15:29:05 +01:00
Alejandro Fraenkel	6395a753d8	Hide Insights tab on Home page when V2 navigation is enabled When alertingNavigationV2 feature flag is enabled, remove the Insights tab from the Home page since Insights is now available as a dedicated section in the sidebar navigation. Changes: - Add check for alertingNavigationV2 feature flag in Home.tsx - When V2 is enabled, insightsEnabled is false (no tab on Home) - When V2 is disabled (legacy), keep current behavior (show tab if available) - Insights content remains accessible via sidebar Insights menu in V2 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 15:24:18 +01:00
Alejandro Fraenkel	5b228fd7fa	Revert "Remove Insights from navigation sidebar" This reverts commit `307cce059c`.	2026-01-12 15:08:43 +01:00
Alejandro Fraenkel	307cce059c	Remove Insights from navigation sidebar Remove Insights from sidebar navigation to match main branch behavior. Insights should remain as a tab on the Home page, not a separate navigation item. Changes: - Remove Insights parent and tabs from backend navigation (navtree.go) - Remove /alerting/insights route from routes.tsx - Delete InsightsPage.tsx component - Delete useInsightsNav hook and test files - Update backend tests to remove Insights references All navigation tests pass successfully. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-12 14:50:48 +01:00
Alejandro Fraenkel	a5d240751d	refactor(alerting): rename V2 nav function to main name for easier future cleanup Make the V2 navigation implementation the main buildAlertNavLinks() function, and keep buildAlertNavLinksLegacy() with its descriptive name. This makes future cleanup trivial: - To remove legacy support: just delete buildAlertNavLinksLegacy() and the feature flag check - No need to rename functions later - Main function already has the desired implementation Changes: - Inline V2 implementation into buildAlertNavLinks() - Delete buildAlertNavLinksV2() function (now redundant) - Update tests to call buildAlertNavLinks() directly - Inverted feature flag check (!enabled instead of enabled) All tests pass with identical coverage.	2026-01-12 14:14:30 +01:00
Alejandro Fraenkel	d93867479f	refactor(alerting): optimize navtree alerting tests for better maintainability Reduce test file from 393 to 233 lines (-41%) while maintaining full coverage: - Extract common test fixtures (setupTestContext, setupTestService, fullPermissions) - Add reusable helper functions (findNavLink, hasChildWithId) - Convert repetitive tab tests to table-driven approach - Improve code readability and maintainability All 8 test scenarios still verify: - Feature flag toggle (legacy vs V2) - Navigation structure and permissions for both modes - V2 parent/tab structure - Permission enforcement - Future-proofing Benefits: - 41% code reduction (160 lines removed) - Same test coverage and assertions - More idiomatic Go testing patterns - Easier to extend with new test cases	2026-01-12 14:01:09 +01:00
Alejandro Fraenkel	9f53141368	fix(alerting): restore 'Alert activity' text in V1 navigation Keep the original 'Alert activity' text in the legacy navigation instead of changing it to 'Alerts'. This maintains consistency with the existing V1 navigation experience.	2026-01-12 13:56:15 +01:00
Alejandro Fraenkel	0413b76461	chore: remove conf/defaults.ini dev changes from PR Keep feature flags disabled by default in config. Local dev environments can enable flags as needed.	2026-01-12 13:29:55 +01:00
Alejandro Fraenkel	417d3d914a	fix(alerting): fix failing navigation and TimeIntervalsPage tests - Fix navigation hooks tests by manually creating Redux store with configureStore - getWrapper doesn't use preloadedState, so we need to pass store directly - Updated useNotificationConfigNav, useAlertActivityNav, useAlertRulesNav, and useInsightsNav tests - Fix TimeIntervalsPage test by: - Setting up navIndex in Redux store for V2 navigation - Mocking time intervals API with setTimeIntervalsListEmpty() - Using findAllByText instead of findByText for multiple matches - Update time intervals tab detection test to use V2 path instead of query params - All 21 previously failing tests now pass - All 1,792 alerting tests pass successfully	2026-01-12 13:09:48 +01:00
Alejandro Fraenkel	2a7f698c4c	Flatten Alerting V2 navigation sidebar while keeping tabs in page content - Modified MegaMenu to filter out nested children for Alerting V2 navigation items - Sidebar now shows only top-level items: Alert Activity, Alert Rules, Notification Configuration, Insights, Settings - Tabs are still available in page content (handled by frontend navigation hooks) - Breadcrumbs still work correctly (children available in navIndex) - Only applies when alertingNavigationV2 feature flag is enabled	2026-01-09 11:53:36 +01:00
Alejandro Fraenkel	212bdb4400	fix(alerting): fix AlertmanagerContext error in TimeIntervalsPage - Move useAlertmanager hook call inside AlertmanagerPageWrapper context - Create TimeIntervalsPageContent component that uses the context - Fixes 'useAlertmanager must be used within a AlertmanagerContext' error - Revert incorrect changes to Templates.tsx (error was in TimeIntervalsPage)	2026-01-08 15:56:36 +01:00
Alejandro Fraenkel	2432756be8	fix(alerting): fix breadcrumb for Alert Activity page - Use conditional navId based on feature flag (alert-activity for V2, alert-alerts for legacy) - Remove pageNav.text to avoid extra breadcrumb level - Use renderTitle instead to set page title without affecting breadcrumb - Fixes breadcrumb showing 'Page not found > Alerts' to 'Alerting > Alert Activity'	2026-01-08 12:43:24 +01:00
Alejandro Fraenkel	a59df66e21	fix(alerting): resolve TypeScript and linting errors in navigation hooks - Fix icon type errors by moving type assertions to children assignment - Add ESLint disable comments for necessary type assertions - Fix unused imports in navigation hooks and test files - Fix missing currentAlertmanager prop in TimeIntervalsPage - Fix incorrect permission name in TimeIntervalsPage test - Apply same pattern to useInsightsNav to fix type errors	2026-01-08 12:40:32 +01:00
Alejandro Fraenkel	5bec0f1af7	feat(alerting): separate notification policies and time intervals, contact points and templates - Separate Notification policies and Time intervals into distinct tabs in V2 navigation - Separate Contact points and Notification templates into distinct tabs in V2 navigation - Add backward compatibility for legacy navigation - Add TimeIntervalsPage component - Update navigation hooks and tests - Enable feature toggles in defaults.ini - Fix linting errors (duplicate imports, conditional hooks)	2026-01-08 11:57:11 +01:00
Alejandro Fraenkel	954156d5b3	feat(alerting): implement grouped navigation structure with feature flag - Add alertingNavigationV2 feature flag - Refactor backend navigation to support legacy and V2 structures - Create frontend navigation hooks (useAlertRulesNav, useNotificationConfigNav, useInsightsNav) - Extract Insights component and create InsightsPage - Update all page components to use new navigation hooks - Add comprehensive backend and frontend tests - Support grouped navigation with parent items and tabs	2026-01-08 00:34:41 +01:00