* refactor template service to contstruct notification template in one place, get provenance before creating and calculate resource version after.
* refactor get by UID and name
* introduce template kind in NotificationTemplate
* introduce includeImported flag and use in the k8s api
* support imported templates
* add kind to template uid
* tests for imported templates
* update API model
* set kind to default templates
* Deprecate Legacy Storage Migration in Backend
* Change the messaging around legacy storage
* Disable cards to connect
* Commit import changes
* Block repository creation if resources are in legacy storage
* Update error message
* Prettify
* chore: uncomment unified migration
* chore: adapt and fix tests
* Remove legacy storage migration from frontend
* Refactor provisioning job options by removing legacy storage and history fields
- Removed the `History` field from `MigrateJobOptions` and related references in the codebase.
- Eliminated the `LegacyStorage` field from `RepositoryViewList` and its associated comments.
- Updated tests and generated OpenAPI schema to reflect these changes.
- Simplified the `MigrationWorker` by removing dependencies on legacy storage checks.
* Refactor OpenAPI schema and tests to remove deprecated fields
- Removed the `history` field from `MigrateJobOptions` and updated the OpenAPI schema accordingly.
- Eliminated the `legacyStorage` field from `RepositoryViewList` and its associated comments in the schema.
- Updated integration tests to reflect the removal of these fields.
* Fix typescript errors
* Refactor provisioning code to remove legacy storage dependencies
- Eliminated references to `dualwrite.Service` and related legacy storage checks across multiple files.
- Updated `APIBuilder`, `RepositoryController`, and `SyncWorker` to streamline resource handling without legacy storage considerations.
- Adjusted tests to reflect the removal of legacy storage mocks and dependencies, ensuring cleaner and more maintainable code.
* Fix unit tests
* Remove more references to legacy
* Enhance provisioning wizard with migration options
- Added a checkbox for migrating existing resources in the BootstrapStep component.
- Updated the form context to track the new migration option.
- Adjusted the SynchronizeStep and useCreateSyncJob hook to incorporate the migration logic.
- Enhanced localization with new descriptions and labels for migration features.
* Remove unused variable and dualwrite reference in provisioning code
- Eliminated an unused variable declaration in `provisioning_manifest.go`.
- Removed the `nil` reference for dualwrite in `repo_operator.go`, aligning with the standalone operator's assumption of unified storage.
* Update go.mod and go.sum to include new dependencies
- Added `github.com/grafana/grafana-app-sdk` version `0.48.5` and several indirect dependencies including `github.com/getkin/kin-openapi`, `github.com/hashicorp/errwrap`, and others.
- Updated `go.sum` to reflect the new dependencies and their respective versions.
* Refactor provisioning components for improved readability
- Simplified the import statement in HomePage.tsx by removing unnecessary line breaks.
- Consolidated props in the SynchronizeStep component for cleaner code.
- Enhanced the layout of the ProvisioningWizard component by streamlining the rendering of the SynchronizeStep.
* Deprecate MigrationWorker and clean up related comments
- Removed the deprecated MigrationWorker implementation and its associated comments from the provisioning code.
- This change reflects the ongoing effort to eliminate legacy components and improve code maintainability.
* Fix linting issues
* Add explicit comment
* Update useResourceStats hook in BootstrapStep component to accept selected target
- Modified the BootstrapStep component to pass the selected target to the useResourceStats hook.
- Updated related tests to reflect the change in expected arguments for the useResourceStats hook.
* fix(provisioning): Update migrate tests to match export-then-sync behavior for all repository types
Updates test expectations for folder-type repositories to match the
implementation changes where both folder and instance repository types
now run export followed by sync. Only the namespace cleaner is skipped
for folder-type repositories.
Changes:
- Update "should run export and sync for folder-type repositories" test to include export mocks
- Update "should fail when sync job fails for folder-type repositories" test to include export mocks
- Rename test to clarify that both export and sync run for folder types
- Add proper mock expectations for SetMessage, StrictMaxErrors, Process, and ResetResults
All migrate package tests now pass.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Update provisioning wizard text and improve resource counting display
- Enhanced descriptions for migrating existing resources to clarify that unmanaged resources will also be included.
- Refactored BootstrapStepResourceCounting component to simplify the rendering logic and ensure both external storage and unmanaged resources are displayed correctly.
- Updated alert messages in SynchronizeStep to reflect accurate information regarding resource management during migration.
- Adjusted localization strings for consistency with the new descriptions.
* Update provisioning wizard alert messages for clarity and accuracy
- Revised alert points to indicate that resources can still be modified during migration, with a note on potential export issues.
- Clarified that resources will be marked as managed post-provisioning and that dashboards remain accessible throughout the process.
* Fix issue with trigger wrong type of job
* Fix export failure when folder already exists in repository
When exporting resources to a repository, if a folder already exists,
the Read() method would fail with "path component is empty" error.
This occurred because:
1. Folders are identified by trailing slash (e.g., "Legacy Folder/")
2. The Read() method passes this path directly to GetTreeByPath()
3. GetTreeByPath() splits the path by "/" creating empty components
4. This causes the "path component is empty" error
The fix strips the trailing slash before calling GetTreeByPath() to
avoid empty path components, while still using the trailing slash
convention to identify directories.
The Create() method already handles this correctly by appending
".keep" to directory paths, which is why the first export succeeded
but subsequent exports failed.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Fix folder tree not updated when folder already exists in repository
When exporting resources and a folder already exists in the repository,
the folder was not being added to the FolderManager's tree. This caused
subsequent dashboard exports to fail with "folder NOT found in tree".
The fix adds the folder to fm.tree even when it already exists in the
repository, ensuring all folders are available for resource lookups.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Revert "Merge remote-tracking branch 'origin/uncomment-unified-migration-code' into cleanup/deprecate-legacy-storage-migration-in-provisioning"
This reverts commit 6440fae342, reversing
changes made to ec39fb04f2.
* fix: handle empty folder titles in path construction
- Skip folders with empty titles in dirPath to avoid empty path components
- Skip folders with empty paths before checking if they exist in repository
- Fix unit tests to properly check useResourceStats hook calls with type annotations
* Update workspace
* Fix BootstrapStep tests after reverting unified migration merge
Updated test expectations to match the current component behavior where
resource counts are displayed for both instance and folder sync options.
- Changed 'Empty' count expectation from 3 to 4 (2 cards × 2 counts each)
- Changed '7 resources' test to use findAllByText instead of findByText
since the count appears in multiple cards
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Remove bubbletee deps
* Fix workspace
* provisioning: update error message to reference enableMigration config
Update the error message when provisioning cannot be used due to
incompatible data format to instruct users to enable data migration
for folders and dashboards using the enableMigration configuration
introduced in PR #114857.
Also update the test helper to include EnableMigration: true for both
dashboards and folders to match the new configuration pattern.
* provisioning: add comment explaining Mode5 and EnableMigration requirement
Add a comment in the integration test helper explaining that Provisioning
requires Mode5 (unified storage) and EnableMigration (data migration) as
it expects resources to be fully migrated to unified storage.
* Remove migrate resources checkbox from folder type provisioning wizard
- Remove checkbox UI for migrating existing resources in folder type
- Remove migrateExistingResources from migration logic
- Simplify migration to only use requiresMigration flag
- Remove unused translation keys
- Update i18n strings
* Fix linting
* Remove unnecessary React Fragment wrapper in BootstrapStep
* Address comments
---------
Co-authored-by: Rafael Paulovic <rafael.paulovic@grafana.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* Alerting: Protect sensitive fields of contact points from
unauthorized modification
- Introduce a new permission alert.notifications.receivers.protected:write. The permission is granted to contact point administrators.
- Introduce field Protected to NotifierOption
- Introduce DiffReport for models.Integrations with focus on Settings. The diff report is extended with methods that return all keys that are different between two settings.
- Add new annotation 'grafana.com/access/CanModifyProtected' to Receiver model
- Update receiver service to enforce the permission and return status 403 if unauthorized user modifies protected field
- Update receiver testing API to enforce permission and return status 403 if unauthorized user modifies protected field.
- Update UI to disable protected fields if user cannot modify them
* refactor: delegate authorization to access checker in dualwriter
- Remove role-based authorization checks (editor/admin role checks)
- Delegate all authorization to access checker which checks resource-level permissions
- Update authorizeCreateFolder to use access checker instead of role-based checks
- Add comprehensive authorization tests for viewer, editor, and admin roles
- Tests cover GET, POST, PUT, DELETE operations and folder creation
This change ensures that authorization is consistently handled through
the access checker, which checks resource-level permissions rather than
just organization roles.
* fix: format files_test.go
* fix: check error return value of resp.Body.Close()
* fix: grant permissions to all dashboards for editor role in authorization test
Use SetPermissions with wildcard to grant permissions to Editor user
for all dashboards, not just the initial one. This ensures that dashboards
created during tests (like in DELETE operations) have the necessary
permissions for the editor role.
**What is this feature?**
Add `rule_matcher` filter to the Prometheus-compatible list rules API: `/api/prometheus/grafana/api/v1/rules`. It allows to filter rules by static labels (not by alert instance labels).
**Special notes:**
- Equality (`=`) and inequality (`!=`) matchers are pushed down to the database. Regex matchers (`=~`, `!~`) are applied in-memory at the API layer.
- SQLite: Uses GLOB pattern matching
- MySQL / PostgreSQL: Use JSON functions to compare label values
---------
Co-authored-by: Konrad Lalik <konradlalik@gmail.com>
fix: allow editors to POST jobs in provisioning API
Editors should be able to post jobs in the 'jobs' endpoint for syncing
repositories. This aligns with the requirement that syncing a repository
requires editor privileges.
- Separated 'jobs' subresource authorization from repository/test
- Allow both admins and editors to POST jobs
- Added integration tests to verify permissions
Fixes authorization bug where editors were incorrectly denied access.
* Provisioning: Deprecate single file/folder move and delete on configured branch
Reject individual file and folder move/delete operations on the configured
branch via the single files endpoints (HTTP 405 MethodNotAllowed). Users
must use the bulk operations API (jobs API) instead.
Motivation:
- Reconciliation for these operations is not reliable as it must be
recursive and cannot run synchronously since it could take a long time
- Simplifies authorization logic - fewer operations to secure and validate
- Reduces complexity and surface area for potential bugs
- Bulk operations via jobs API provide better control and observability
Operations on non-configured branches (e.g., creating PRs) continue to work
as before since they don't update the Grafana database.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* fix: remove trailing whitespace in test file
* Fix behaviour to match current behavior
* Revert changes for individual files
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* `grafana-iam`: Fetch target parent folder
* WIP add different ParentProviders
* Add version
* Move code to a different file
* Instantiate resourceParentProvider
* same import name
* imports
* Add tests
* Remove unecessary test
* forgot wire
* WIP integration tests
* Add test to cover list
* Fix caching problem in integration tests
* comments
* Logger and comments
* Add lazy creation and caching
* Instantiate clients only once
* Rerun wire gen
* feat: legacy ListIterator with batches
* chore: address code review
* chore: remove nil check in nextBatch
* chore: move close before count check
* chore: add err field to batchingIterator for its own errors
* chore: remove unused import
* Reapply "K8s: read resource configs from API Enablement for API Builders" (#114475)
This reverts commit 4130bd9cd3.
* revert part that broke things
* FF service changes are gonna come later
* MTFF: allow viewers access to MTFF by enforcing runtime_config for custom routes
* unused var
* removed now
* pass the test, include defaults
* revert sample.ini change
* add legacy search (wip)
* fix search field name
* implement team search endpoint
* generate openapi spec
* generate endpoints for frontend
* minor fixes
* fix issues found while testing
* add more fields to search result
* add basic unit tests
* add more unit tests
* improve getColumns() func in legacy search
* configure search endpoint in team.cue
* add team search handler
* add the searchTeams endpoint to manifest.cue
* make gofmt
* update openapi spec
* generate frontend endpoints
* remove unused field
* move fields defiitions to separate builder
* fix legacy search
* fix unit tests
* fix unit test
* address feedback
* fix unit test
* update openapi specs
* yarn generate-apis
* add missing unit tests
* Update docs
* Remove 406 response since now it is converted
* fix linter
---------
Co-authored-by: Stephanie Hingtgen <stephanie.hingtgen@grafana.com>
* Alerting: Add expression type to webhook valueString
- Add Type field to NumberValueCapture struct
- Implement AlertQuery.GetExpressionType() method
- Update valueString format to include type information
* Alerting: Add expression type to webhook valueString
- Fix tests
* Alerting: Add expression type to webhook valueString
- Update default annotations in notifier templates to include type field
* Alerting: Add expression type to webhook valueString
- Add type='math' to webhook and email test expectations
* feat(provisioning): add generic version handling for dashboard export
- Update export job to handle any dashboard version generically (v0, v1, v2, v3, etc.)
- Dynamically construct GroupVersionResource for any stored version
- Cache version-specific clients for efficiency
- Add comprehensive table-driven unit tests for multiple versions
- Add integration test to verify version handling end-to-end
- Remove unnecessary version shim from clean operation (deletion works by name)
* test: add unit test for v2 dashboard version (no suffix)
* fix: add missing transformation for scenes -> save model v2
* fix: link placement transformation on the backend between schemas
* fix: update the openapi spec in the tests
* tes: add tests for `transformSceneToSaveModelSchemaV2`
* tests: extend conversion_test.go to cover link placements
Ryan McKinley
Yuri Tseretyan
Roberto Jiménez Sánchez
Will Browne
Rafael Bortolon Paulovic
Daniele Stefano Ferru
Alexander Akhmetov
Gonzalo Trigueros Manzanas
Gabriel MABILLE
Misi
Galen Kistler
Todd Treece
Kristina Demeshchik
Mihai Doarna
Renato Costa
Charandas
Austin Pond
Ivan Ortega Alba
Dominik Prokop
Seunghun Shin
Ezequiel Victorero
Liza Detrick
Steve Simpson
Levente Balogh