make update-workspace

set in spec
add alias ids to meta API
2026-01-12 16:46:54 +00:00 · 2026-01-12 16:45:24 +00:00 · 2026-01-12 16:36:01 +00:00
84 changed files with 910 additions and 4299 deletions
--- a/apps/plugins/kinds/meta.cue
+++ b/apps/plugins/kinds/meta.cue
@@ -24,6 +24,7 @@ metaV0Alpha1: {
 			translations?: [string]: string
 			// +listType=atomic
 			children?: [...string]
+			aliasIds?: [...string]
 		}
 	}
 }
--- a/apps/plugins/pkg/apis/plugins/v0alpha1/meta_spec_gen.go
+++ b/apps/plugins/pkg/apis/plugins/v0alpha1/meta_spec_gen.go
@@ -219,6 +219,7 @@ type MetaSpec struct {
 	Translations map[string]string          `json:"translations,omitempty"`
 	// +listType=atomic
 	Children []string `json:"children,omitempty"`
+	AliasIds []string `json:"aliasIds,omitempty"`
 }

 // NewMetaSpec creates a new MetaSpec object.
--- a/apps/plugins/pkg/apis/plugins_manifest.go
+++ b/apps/plugins/pkg/apis/plugins_manifest.go
--- a/apps/plugins/pkg/app/meta/converter.go
+++ b/apps/plugins/pkg/app/meta/converter.go
@@ -573,6 +573,8 @@ func pluginStorePluginToMeta(plugin pluginstore.Plugin, loadingStrategy plugins.
 		metaSpec.Translations = plugin.Translations
 	}

+	metaSpec.AliasIds = plugin.AliasIDs
+
 	return metaSpec
 }

@@ -676,6 +678,8 @@ func pluginToMetaSpec(plugin *plugins.Plugin) pluginsv0alpha1.MetaSpec {
 		metaSpec.Translations = plugin.Translations
 	}

+	metaSpec.AliasIds = plugin.AliasIDs
+
 	return metaSpec
 }

--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/connections.go
@@ -32,7 +32,7 @@ type ConnectionSecure struct {

 	// Token is the reference of the token used to act as the Connection.
 	// This value is stored securely and cannot be read back
-	Token common.InlineSecureValue `json:"token,omitzero,omitempty"`
+	Token common.InlineSecureValue `json:"webhook,omitzero,omitempty"`
 }

 func (v ConnectionSecure) IsZero() bool {
--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi.go
@@ -320,7 +320,7 @@ func schema_pkg_apis_provisioning_v0alpha1_ConnectionSecure(ref common.Reference
 							Ref:         ref("github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1.InlineSecureValue"),
 						},
 					},
-					"token": {
+					"webhook": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
 							Default:     map[string]interface{}{},
--- a/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list
+++ b/apps/provisioning/pkg/apis/provisioning/v0alpha1/zz_generated.openapi_violation_exceptions.list
@@ -22,6 +22,7 @@ API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioni
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ResourceList,Items
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,TestResults,Errors
 API rule violation: list_type_missing,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,WebhookStatus,SubscribedEvents
+API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSecure,Token
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,ConnectionSpec,GitHub
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobSpec,PullRequest
 API rule violation: names_match,github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1,JobStatus,URLs
--- a/apps/provisioning/pkg/connection/connection.go
+++ b/apps/provisioning/pkg/connection/connection.go
@@ -1,16 +0,0 @@
-package connection
-
-import (
-	"context"
-)
-
-//go:generate mockery --name Connection --structname MockConnection --inpackage --filename connection_mock.go --with-expecter
-type Connection interface {
-	// Validate ensures the resource _looks_ correct.
-	// It should be called before trying to upsert a resource into the Kubernetes API server.
-	// This is not an indication that the connection information works, just that they are reasonably configured.
-	Validate(ctx context.Context) error
-
-	// Mutate performs in place mutation of the underneath resource.
-	Mutate(context.Context) error
-}
--- a/apps/provisioning/pkg/connection/connection_mock.go
+++ b/apps/provisioning/pkg/connection/connection_mock.go
@@ -1,128 +0,0 @@
-// Code generated by mockery v2.53.4. DO NOT EDIT.
-
-package connection
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockConnection is an autogenerated mock type for the Connection type
-type MockConnection struct {
-	mock.Mock
-}
-
-type MockConnection_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockConnection) EXPECT() *MockConnection_Expecter {
-	return &MockConnection_Expecter{mock: &_m.Mock}
-}
-
-// Mutate provides a mock function with given fields: _a0
-func (_m *MockConnection) Mutate(_a0 context.Context) error {
-	ret := _m.Called(_a0)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Mutate")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
-		r0 = rf(_a0)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockConnection_Mutate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Mutate'
-type MockConnection_Mutate_Call struct {
-	*mock.Call
-}
-
-// Mutate is a helper method to define mock.On call
-//   - _a0 context.Context
-func (_e *MockConnection_Expecter) Mutate(_a0 interface{}) *MockConnection_Mutate_Call {
-	return &MockConnection_Mutate_Call{Call: _e.mock.On("Mutate", _a0)}
-}
-
-func (_c *MockConnection_Mutate_Call) Run(run func(_a0 context.Context)) *MockConnection_Mutate_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockConnection_Mutate_Call) Return(_a0 error) *MockConnection_Mutate_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockConnection_Mutate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Mutate_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Validate provides a mock function with given fields: ctx
-func (_m *MockConnection) Validate(ctx context.Context) error {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Validate")
-	}
-
-	var r0 error
-	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
-		r0 = rf(ctx)
-	} else {
-		r0 = ret.Error(0)
-	}
-
-	return r0
-}
-
-// MockConnection_Validate_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Validate'
-type MockConnection_Validate_Call struct {
-	*mock.Call
-}
-
-// Validate is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockConnection_Expecter) Validate(ctx interface{}) *MockConnection_Validate_Call {
-	return &MockConnection_Validate_Call{Call: _e.mock.On("Validate", ctx)}
-}
-
-func (_c *MockConnection_Validate_Call) Run(run func(ctx context.Context)) *MockConnection_Validate_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockConnection_Validate_Call) Return(_a0 error) *MockConnection_Validate_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockConnection_Validate_Call) RunAndReturn(run func(context.Context) error) *MockConnection_Validate_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockConnection creates a new instance of MockConnection. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockConnection(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockConnection {
-	mock := &MockConnection{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/apps/provisioning/pkg/connection/extra_mock.go
+++ b/apps/provisioning/pkg/connection/extra_mock.go
@@ -1,141 +0,0 @@
-// Code generated by mockery v2.53.4. DO NOT EDIT.
-
-package connection
-
-import (
-	context "context"
-
-	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockExtra is an autogenerated mock type for the Extra type
-type MockExtra struct {
-	mock.Mock
-}
-
-type MockExtra_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockExtra) EXPECT() *MockExtra_Expecter {
-	return &MockExtra_Expecter{mock: &_m.Mock}
-}
-
-// Build provides a mock function with given fields: ctx, r
-func (_m *MockExtra) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
-	ret := _m.Called(ctx, r)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Build")
-	}
-
-	var r0 Connection
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
-		return rf(ctx, r)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
-		r0 = rf(ctx, r)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Connection)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
-		r1 = rf(ctx, r)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockExtra_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
-type MockExtra_Build_Call struct {
-	*mock.Call
-}
-
-// Build is a helper method to define mock.On call
-//   - ctx context.Context
-//   - r *v0alpha1.Connection
-func (_e *MockExtra_Expecter) Build(ctx interface{}, r interface{}) *MockExtra_Build_Call {
-	return &MockExtra_Build_Call{Call: _e.mock.On("Build", ctx, r)}
-}
-
-func (_c *MockExtra_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockExtra_Build_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
-	})
-	return _c
-}
-
-func (_c *MockExtra_Build_Call) Return(_a0 Connection, _a1 error) *MockExtra_Build_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockExtra_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockExtra_Build_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Type provides a mock function with no fields
-func (_m *MockExtra) Type() v0alpha1.ConnectionType {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Type")
-	}
-
-	var r0 v0alpha1.ConnectionType
-	if rf, ok := ret.Get(0).(func() v0alpha1.ConnectionType); ok {
-		r0 = rf()
-	} else {
-		r0 = ret.Get(0).(v0alpha1.ConnectionType)
-	}
-
-	return r0
-}
-
-// MockExtra_Type_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Type'
-type MockExtra_Type_Call struct {
-	*mock.Call
-}
-
-// Type is a helper method to define mock.On call
-func (_e *MockExtra_Expecter) Type() *MockExtra_Type_Call {
-	return &MockExtra_Type_Call{Call: _e.mock.On("Type")}
-}
-
-func (_c *MockExtra_Type_Call) Run(run func()) *MockExtra_Type_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockExtra_Type_Call) Return(_a0 v0alpha1.ConnectionType) *MockExtra_Type_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockExtra_Type_Call) RunAndReturn(run func() v0alpha1.ConnectionType) *MockExtra_Type_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockExtra creates a new instance of MockExtra. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockExtra(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockExtra {
-	mock := &MockExtra{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/apps/provisioning/pkg/connection/factory.go
+++ b/apps/provisioning/pkg/connection/factory.go
@@ -1,75 +0,0 @@
-package connection
-
-import (
-	"context"
-	"fmt"
-	"sort"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-)
-
-//go:generate mockery --name=Extra --structname=MockExtra --inpackage --filename=extra_mock.go --with-expecter
-type Extra interface {
-	Type() provisioning.ConnectionType
-	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
-}
-
-//go:generate mockery --name=Factory --structname=MockFactory --inpackage --filename=factory_mock.go --with-expecter
-type Factory interface {
-	Types() []provisioning.ConnectionType
-	Build(ctx context.Context, r *provisioning.Connection) (Connection, error)
-}
-
-type factory struct {
-	extras  map[provisioning.ConnectionType]Extra
-	enabled map[provisioning.ConnectionType]struct{}
-}
-
-func ProvideFactory(enabled map[provisioning.ConnectionType]struct{}, extras []Extra) (Factory, error) {
-	f := &factory{
-		enabled: enabled,
-		extras:  make(map[provisioning.ConnectionType]Extra, len(extras)),
-	}
-
-	for _, e := range extras {
-		if _, exists := f.extras[e.Type()]; exists {
-			return nil, fmt.Errorf("connection type %q is already registered", e.Type())
-		}
-		f.extras[e.Type()] = e
-	}
-
-	return f, nil
-}
-
-func (f *factory) Types() []provisioning.ConnectionType {
-	var types []provisioning.ConnectionType
-	for t := range f.enabled {
-		if _, exists := f.extras[t]; exists {
-			types = append(types, t)
-		}
-	}
-
-	sort.Slice(types, func(i, j int) bool {
-		return string(types[i]) < string(types[j])
-	})
-
-	return types
-}
-
-func (f *factory) Build(ctx context.Context, c *provisioning.Connection) (Connection, error) {
-	for _, e := range f.extras {
-		if e.Type() == c.Spec.Type {
-			if _, enabled := f.enabled[e.Type()]; !enabled {
-				return nil, fmt.Errorf("connection type %q is not enabled", e.Type())
-			}
-
-			return e.Build(ctx, c)
-		}
-	}
-
-	return nil, fmt.Errorf("connection type %q is not supported", c.Spec.Type)
-}
-
-var (
-	_ Factory = (*factory)(nil)
-)
--- a/apps/provisioning/pkg/connection/factory_mock.go
+++ b/apps/provisioning/pkg/connection/factory_mock.go
@@ -1,143 +0,0 @@
-// Code generated by mockery v2.53.4. DO NOT EDIT.
-
-package connection
-
-import (
-	context "context"
-
-	v0alpha1 "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockFactory is an autogenerated mock type for the Factory type
-type MockFactory struct {
-	mock.Mock
-}
-
-type MockFactory_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockFactory) EXPECT() *MockFactory_Expecter {
-	return &MockFactory_Expecter{mock: &_m.Mock}
-}
-
-// Build provides a mock function with given fields: ctx, r
-func (_m *MockFactory) Build(ctx context.Context, r *v0alpha1.Connection) (Connection, error) {
-	ret := _m.Called(ctx, r)
-
-	if len(ret) == 0 {
-		panic("no return value specified for Build")
-	}
-
-	var r0 Connection
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) (Connection, error)); ok {
-		return rf(ctx, r)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, *v0alpha1.Connection) Connection); ok {
-		r0 = rf(ctx, r)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Connection)
-		}
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, *v0alpha1.Connection) error); ok {
-		r1 = rf(ctx, r)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockFactory_Build_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Build'
-type MockFactory_Build_Call struct {
-	*mock.Call
-}
-
-// Build is a helper method to define mock.On call
-//   - ctx context.Context
-//   - r *v0alpha1.Connection
-func (_e *MockFactory_Expecter) Build(ctx interface{}, r interface{}) *MockFactory_Build_Call {
-	return &MockFactory_Build_Call{Call: _e.mock.On("Build", ctx, r)}
-}
-
-func (_c *MockFactory_Build_Call) Run(run func(ctx context.Context, r *v0alpha1.Connection)) *MockFactory_Build_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(*v0alpha1.Connection))
-	})
-	return _c
-}
-
-func (_c *MockFactory_Build_Call) Return(_a0 Connection, _a1 error) *MockFactory_Build_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockFactory_Build_Call) RunAndReturn(run func(context.Context, *v0alpha1.Connection) (Connection, error)) *MockFactory_Build_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// Types provides a mock function with no fields
-func (_m *MockFactory) Types() []v0alpha1.ConnectionType {
-	ret := _m.Called()
-
-	if len(ret) == 0 {
-		panic("no return value specified for Types")
-	}
-
-	var r0 []v0alpha1.ConnectionType
-	if rf, ok := ret.Get(0).(func() []v0alpha1.ConnectionType); ok {
-		r0 = rf()
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]v0alpha1.ConnectionType)
-		}
-	}
-
-	return r0
-}
-
-// MockFactory_Types_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Types'
-type MockFactory_Types_Call struct {
-	*mock.Call
-}
-
-// Types is a helper method to define mock.On call
-func (_e *MockFactory_Expecter) Types() *MockFactory_Types_Call {
-	return &MockFactory_Types_Call{Call: _e.mock.On("Types")}
-}
-
-func (_c *MockFactory_Types_Call) Run(run func()) *MockFactory_Types_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run()
-	})
-	return _c
-}
-
-func (_c *MockFactory_Types_Call) Return(_a0 []v0alpha1.ConnectionType) *MockFactory_Types_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockFactory_Types_Call) RunAndReturn(run func() []v0alpha1.ConnectionType) *MockFactory_Types_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockFactory creates a new instance of MockFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockFactory(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockFactory {
-	mock := &MockFactory{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/apps/provisioning/pkg/connection/factory_test.go
+++ b/apps/provisioning/pkg/connection/factory_test.go
@@ -1,309 +0,0 @@
-package connection
-
-import (
-	"context"
-	"errors"
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestProvideFactory(t *testing.T) {
-	t.Run("should create factory with valid extras", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-			provisioning.GitlabConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.NoError(t, err)
-		require.NotNil(t, factory)
-	})
-
-	t.Run("should create factory with empty extras", func(t *testing.T) {
-		enabled := map[provisioning.ConnectionType]struct{}{}
-
-		factory, err := ProvideFactory(enabled, []Extra{})
-		require.NoError(t, err)
-		require.NotNil(t, factory)
-	})
-
-	t.Run("should create factory with nil enabled map", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		factory, err := ProvideFactory(nil, []Extra{extra1})
-		require.NoError(t, err)
-		require.NotNil(t, factory)
-	})
-
-	t.Run("should return error when duplicate repository types", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.Error(t, err)
-		assert.Nil(t, factory)
-		assert.Contains(t, err.Error(), "connection type \"github\" is already registered")
-	})
-}
-
-func TestFactory_Types(t *testing.T) {
-	t.Run("should return only enabled types that have extras", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-			provisioning.GitlabConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Len(t, types, 2)
-		assert.Contains(t, types, provisioning.GithubConnectionType)
-		assert.Contains(t, types, provisioning.GitlabConnectionType)
-	})
-
-	t.Run("should return sorted list of types", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-			provisioning.GitlabConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Len(t, types, 2)
-		// github should come before gitlab alphabetically
-		assert.Equal(t, provisioning.GithubConnectionType, types[0])
-		assert.Equal(t, provisioning.GitlabConnectionType, types[1])
-	})
-
-	t.Run("should return empty list when no types are enabled", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Empty(t, types)
-	})
-
-	t.Run("should not return types that are enabled but have no extras", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-			provisioning.GitlabConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Len(t, types, 1)
-		assert.Contains(t, types, provisioning.GithubConnectionType)
-		assert.NotContains(t, types, provisioning.GitlabConnectionType)
-	})
-
-	t.Run("should not return types that have extras but are not enabled", func(t *testing.T) {
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Len(t, types, 1)
-		assert.Contains(t, types, provisioning.GithubConnectionType)
-		assert.NotContains(t, types, provisioning.GitlabConnectionType)
-	})
-
-	t.Run("should return empty list when no extras are provided", func(t *testing.T) {
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{})
-		require.NoError(t, err)
-
-		types := factory.Types()
-		assert.Empty(t, types)
-	})
-}
-
-func TestFactory_Build(t *testing.T) {
-	t.Run("should successfully build connection when type is enabled and has extra", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-			},
-		}
-
-		mockConnection := NewMockConnection(t)
-		extra := NewMockExtra(t)
-		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
-		extra.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra})
-		require.NoError(t, err)
-
-		result, err := factory.Build(ctx, conn)
-		require.NoError(t, err)
-		assert.Equal(t, mockConnection, result)
-	})
-
-	t.Run("should return error when type is not enabled", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GitlabConnectionType,
-			},
-		}
-
-		extra := NewMockExtra(t)
-		extra.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra})
-		require.NoError(t, err)
-
-		result, err := factory.Build(ctx, conn)
-		require.Error(t, err)
-		assert.Nil(t, result)
-		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not enabled")
-	})
-
-	t.Run("should return error when type is not supported", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GitlabConnectionType,
-			},
-		}
-
-		extra := NewMockExtra(t)
-		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra})
-		require.NoError(t, err)
-
-		result, err := factory.Build(ctx, conn)
-		require.Error(t, err)
-		assert.Nil(t, result)
-		assert.Contains(t, err.Error(), "connection type \"gitlab\" is not supported")
-	})
-
-	t.Run("should pass through errors from extra.Build()", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-			},
-		}
-
-		expectedErr := errors.New("build error")
-		extra := NewMockExtra(t)
-		extra.EXPECT().Type().Return(provisioning.GithubConnectionType)
-		extra.EXPECT().Build(ctx, conn).Return(nil, expectedErr)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra})
-		require.NoError(t, err)
-
-		result, err := factory.Build(ctx, conn)
-		require.Error(t, err)
-		assert.Nil(t, result)
-		assert.Equal(t, expectedErr, err)
-	})
-
-	t.Run("should build with multiple extras registered", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GitlabConnectionType,
-			},
-		}
-
-		mockConnection := NewMockConnection(t)
-
-		extra1 := NewMockExtra(t)
-		extra1.EXPECT().Type().Return(provisioning.GithubConnectionType)
-
-		extra2 := NewMockExtra(t)
-		extra2.EXPECT().Type().Return(provisioning.GitlabConnectionType)
-		extra2.EXPECT().Build(ctx, conn).Return(mockConnection, nil)
-
-		enabled := map[provisioning.ConnectionType]struct{}{
-			provisioning.GithubConnectionType: {},
-			provisioning.GitlabConnectionType: {},
-		}
-
-		factory, err := ProvideFactory(enabled, []Extra{extra1, extra2})
-		require.NoError(t, err)
-
-		result, err := factory.Build(ctx, conn)
-		require.NoError(t, err)
-		assert.Equal(t, mockConnection, result)
-	})
-}
--- a/apps/provisioning/pkg/connection/github/client.go
+++ b/apps/provisioning/pkg/connection/github/client.go
@@ -1,93 +0,0 @@
-package github
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"strconv"
-
-	"github.com/google/go-github/v70/github"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-)
-
-// API errors that we need to convey after parsing real GH errors (or faking them).
-var (
-	//lint:ignore ST1005 this is not punctuation
-	ErrServiceUnavailable = apierrors.NewServiceUnavailable("github is unavailable")
-)
-
-//go:generate mockery --name Client --structname MockClient --inpackage --filename client_mock.go --with-expecter
-type Client interface {
-	// Apps and installations
-	GetApp(ctx context.Context) (App, error)
-	GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error)
-}
-
-// App represents a Github App.
-type App struct {
-	// ID represents the GH app ID.
-	ID int64
-	// Slug represents the GH app slug.
-	Slug string
-	// Owner represents the GH account/org owning the app
-	Owner string
-}
-
-// AppInstallation represents a Github App Installation.
-type AppInstallation struct {
-	// ID represents the GH installation ID.
-	ID int64
-	// Whether the installation is enabled or not.
-	Enabled bool
-}
-
-type githubClient struct {
-	gh *github.Client
-}
-
-func NewClient(client *github.Client) Client {
-	return &githubClient{client}
-}
-
-// GetApp gets the app by using the given token.
-func (r *githubClient) GetApp(ctx context.Context) (App, error) {
-	app, _, err := r.gh.Apps.Get(ctx, "")
-	if err != nil {
-		var ghErr *github.ErrorResponse
-		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
-			return App{}, ErrServiceUnavailable
-		}
-		return App{}, err
-	}
-
-	// TODO(ferruvich): do we need any other info?
-	return App{
-		ID:    app.GetID(),
-		Slug:  app.GetSlug(),
-		Owner: app.GetOwner().GetLogin(),
-	}, nil
-}
-
-// GetAppInstallation gets the installation of the app related to the given token.
-func (r *githubClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
-	id, err := strconv.Atoi(installationID)
-	if err != nil {
-		return AppInstallation{}, fmt.Errorf("invalid installation ID: %s", installationID)
-	}
-
-	installation, _, err := r.gh.Apps.GetInstallation(ctx, int64(id))
-	if err != nil {
-		var ghErr *github.ErrorResponse
-		if errors.As(err, &ghErr) && ghErr.Response.StatusCode == http.StatusServiceUnavailable {
-			return AppInstallation{}, ErrServiceUnavailable
-		}
-		return AppInstallation{}, err
-	}
-
-	// TODO(ferruvich): do we need any other info?
-	return AppInstallation{
-		ID:      installation.GetID(),
-		Enabled: installation.GetSuspendedAt().IsZero(),
-	}, nil
-}
--- a/apps/provisioning/pkg/connection/github/client_mock.go
+++ b/apps/provisioning/pkg/connection/github/client_mock.go
@@ -1,149 +0,0 @@
-// Code generated by mockery v2.53.4. DO NOT EDIT.
-
-package github
-
-import (
-	context "context"
-
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockClient is an autogenerated mock type for the Client type
-type MockClient struct {
-	mock.Mock
-}
-
-type MockClient_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockClient) EXPECT() *MockClient_Expecter {
-	return &MockClient_Expecter{mock: &_m.Mock}
-}
-
-// GetApp provides a mock function with given fields: ctx
-func (_m *MockClient) GetApp(ctx context.Context) (App, error) {
-	ret := _m.Called(ctx)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetApp")
-	}
-
-	var r0 App
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context) (App, error)); ok {
-		return rf(ctx)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context) App); ok {
-		r0 = rf(ctx)
-	} else {
-		r0 = ret.Get(0).(App)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
-		r1 = rf(ctx)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockClient_GetApp_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetApp'
-type MockClient_GetApp_Call struct {
-	*mock.Call
-}
-
-// GetApp is a helper method to define mock.On call
-//   - ctx context.Context
-func (_e *MockClient_Expecter) GetApp(ctx interface{}) *MockClient_GetApp_Call {
-	return &MockClient_GetApp_Call{Call: _e.mock.On("GetApp", ctx)}
-}
-
-func (_c *MockClient_GetApp_Call) Run(run func(ctx context.Context)) *MockClient_GetApp_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context))
-	})
-	return _c
-}
-
-func (_c *MockClient_GetApp_Call) Return(_a0 App, _a1 error) *MockClient_GetApp_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockClient_GetApp_Call) RunAndReturn(run func(context.Context) (App, error)) *MockClient_GetApp_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// GetAppInstallation provides a mock function with given fields: ctx, installationID
-func (_m *MockClient) GetAppInstallation(ctx context.Context, installationID string) (AppInstallation, error) {
-	ret := _m.Called(ctx, installationID)
-
-	if len(ret) == 0 {
-		panic("no return value specified for GetAppInstallation")
-	}
-
-	var r0 AppInstallation
-	var r1 error
-	if rf, ok := ret.Get(0).(func(context.Context, string) (AppInstallation, error)); ok {
-		return rf(ctx, installationID)
-	}
-	if rf, ok := ret.Get(0).(func(context.Context, string) AppInstallation); ok {
-		r0 = rf(ctx, installationID)
-	} else {
-		r0 = ret.Get(0).(AppInstallation)
-	}
-
-	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
-		r1 = rf(ctx, installationID)
-	} else {
-		r1 = ret.Error(1)
-	}
-
-	return r0, r1
-}
-
-// MockClient_GetAppInstallation_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAppInstallation'
-type MockClient_GetAppInstallation_Call struct {
-	*mock.Call
-}
-
-// GetAppInstallation is a helper method to define mock.On call
-//   - ctx context.Context
-//   - installationID string
-func (_e *MockClient_Expecter) GetAppInstallation(ctx interface{}, installationID interface{}) *MockClient_GetAppInstallation_Call {
-	return &MockClient_GetAppInstallation_Call{Call: _e.mock.On("GetAppInstallation", ctx, installationID)}
-}
-
-func (_c *MockClient_GetAppInstallation_Call) Run(run func(ctx context.Context, installationID string)) *MockClient_GetAppInstallation_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(string))
-	})
-	return _c
-}
-
-func (_c *MockClient_GetAppInstallation_Call) Return(_a0 AppInstallation, _a1 error) *MockClient_GetAppInstallation_Call {
-	_c.Call.Return(_a0, _a1)
-	return _c
-}
-
-func (_c *MockClient_GetAppInstallation_Call) RunAndReturn(run func(context.Context, string) (AppInstallation, error)) *MockClient_GetAppInstallation_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockClient creates a new instance of MockClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockClient(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockClient {
-	mock := &MockClient{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/apps/provisioning/pkg/connection/github/client_test.go
+++ b/apps/provisioning/pkg/connection/github/client_test.go
@@ -1,297 +0,0 @@
-package github_test
-
-import (
-	"context"
-	"encoding/json"
-	"net/http"
-	"testing"
-	"time"
-
-	"github.com/google/go-github/v70/github"
-	conngh "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
-	mockhub "github.com/migueleliasweb/go-github-mock/src/mock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestGithubClient_GetApp(t *testing.T) {
-	tests := []struct {
-		name        string
-		mockHandler *http.Client
-		token       string
-		wantApp     conngh.App
-		wantErr     error
-	}{
-		{
-			name: "get app successfully",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetApp,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						app := &github.App{
-							ID:   github.Ptr(int64(12345)),
-							Slug: github.Ptr("my-test-app"),
-							Owner: &github.User{
-								Login: github.Ptr("grafana"),
-							},
-						}
-						w.WriteHeader(http.StatusOK)
-						require.NoError(t, json.NewEncoder(w).Encode(app))
-					}),
-				),
-			),
-			token: "test-token",
-			wantApp: conngh.App{
-				ID:    12345,
-				Slug:  "my-test-app",
-				Owner: "grafana",
-			},
-			wantErr: nil,
-		},
-		{
-			name: "service unavailable",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetApp,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusServiceUnavailable)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusServiceUnavailable,
-							},
-							Message: "Service unavailable",
-						}))
-					}),
-				),
-			),
-			token:   "test-token",
-			wantApp: conngh.App{},
-			wantErr: conngh.ErrServiceUnavailable,
-		},
-		{
-			name: "other error",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetApp,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusInternalServerError)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusInternalServerError,
-							},
-							Message: "Internal server error",
-						}))
-					}),
-				),
-			),
-			token:   "test-token",
-			wantApp: conngh.App{},
-			wantErr: &github.ErrorResponse{
-				Response: &http.Response{
-					StatusCode: http.StatusInternalServerError,
-				},
-				Message: "Internal server error",
-			},
-		},
-		{
-			name: "unauthorized error",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetApp,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusUnauthorized)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusUnauthorized,
-							},
-							Message: "Bad credentials",
-						}))
-					}),
-				),
-			),
-			token:   "invalid-token",
-			wantApp: conngh.App{},
-			wantErr: &github.ErrorResponse{
-				Response: &http.Response{
-					StatusCode: http.StatusUnauthorized,
-				},
-				Message: "Bad credentials",
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Create a mock client
-			ghClient := github.NewClient(tt.mockHandler)
-			client := conngh.NewClient(ghClient)
-
-			// Call the method being tested
-			app, err := client.GetApp(context.Background())
-
-			// Check the error
-			if tt.wantErr != nil {
-				assert.Error(t, err)
-				assert.Equal(t, tt.wantApp, app)
-			} else {
-				assert.NoError(t, err)
-				assert.Equal(t, tt.wantApp, app)
-			}
-		})
-	}
-}
-
-func TestGithubClient_GetAppInstallation(t *testing.T) {
-	tests := []struct {
-		name             string
-		mockHandler      *http.Client
-		appToken         string
-		installationID   string
-		wantInstallation conngh.AppInstallation
-		wantErr          bool
-		errContains      string
-	}{
-		{
-			name: "get disabled app installation successfully",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetAppInstallationsByInstallationId,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						installation := &github.Installation{
-							ID:          github.Ptr(int64(67890)),
-							SuspendedAt: github.Ptr(github.Timestamp{Time: time.Now()}),
-						}
-						w.WriteHeader(http.StatusOK)
-						require.NoError(t, json.NewEncoder(w).Encode(installation))
-					}),
-				),
-			),
-			appToken:       "test-app-token",
-			installationID: "67890",
-			wantInstallation: conngh.AppInstallation{
-				ID:      67890,
-				Enabled: false,
-			},
-			wantErr: false,
-		},
-		{
-			name: "get enabled app installation successfully",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetAppInstallationsByInstallationId,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						installation := &github.Installation{
-							ID:          github.Ptr(int64(67890)),
-							SuspendedAt: nil,
-						}
-						w.WriteHeader(http.StatusOK)
-						require.NoError(t, json.NewEncoder(w).Encode(installation))
-					}),
-				),
-			),
-			appToken:       "test-app-token",
-			installationID: "67890",
-			wantInstallation: conngh.AppInstallation{
-				ID:      67890,
-				Enabled: true,
-			},
-			wantErr: false,
-		},
-		{
-			name:             "invalid installation ID",
-			mockHandler:      mockhub.NewMockedHTTPClient(),
-			appToken:         "test-app-token",
-			installationID:   "not-a-number",
-			wantInstallation: conngh.AppInstallation{},
-			wantErr:          true,
-			errContains:      "invalid installation ID",
-		},
-		{
-			name: "service unavailable",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetAppInstallationsByInstallationId,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusServiceUnavailable)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusServiceUnavailable,
-							},
-							Message: "Service unavailable",
-						}))
-					}),
-				),
-			),
-			appToken:         "test-app-token",
-			installationID:   "67890",
-			wantInstallation: conngh.AppInstallation{},
-			wantErr:          true,
-		},
-		{
-			name: "installation not found",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetAppInstallationsByInstallationId,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusNotFound)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusNotFound,
-							},
-							Message: "Not Found",
-						}))
-					}),
-				),
-			),
-			appToken:         "test-app-token",
-			installationID:   "99999",
-			wantInstallation: conngh.AppInstallation{},
-			wantErr:          true,
-		},
-		{
-			name: "other error",
-			mockHandler: mockhub.NewMockedHTTPClient(
-				mockhub.WithRequestMatchHandler(
-					mockhub.GetAppInstallationsByInstallationId,
-					http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-						w.WriteHeader(http.StatusInternalServerError)
-						require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-							Response: &http.Response{
-								StatusCode: http.StatusInternalServerError,
-							},
-							Message: "Internal server error",
-						}))
-					}),
-				),
-			),
-			appToken:         "test-app-token",
-			installationID:   "67890",
-			wantInstallation: conngh.AppInstallation{},
-			wantErr:          true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Create a mock client
-			ghClient := github.NewClient(tt.mockHandler)
-			client := conngh.NewClient(ghClient)
-
-			// Call the method being tested
-			installation, err := client.GetAppInstallation(context.Background(), tt.installationID)
-
-			// Check the error
-			if tt.wantErr {
-				assert.Error(t, err)
-				if tt.errContains != "" {
-					assert.Contains(t, err.Error(), tt.errContains)
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-
-			// Check the result
-			assert.Equal(t, tt.wantInstallation, installation)
-		})
-	}
-}
--- a/apps/provisioning/pkg/connection/github/connection.go
+++ b/apps/provisioning/pkg/connection/github/connection.go
@@ -1,192 +0,0 @@
-package github
-
-import (
-	"context"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/golang-jwt/jwt/v4"
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-//go:generate mockery --name GithubFactory --structname MockGithubFactory --inpackage --filename factory_mock.go --with-expecter
-type GithubFactory interface {
-	New(ctx context.Context, ghToken common.RawSecureValue) Client
-}
-
-type Connection struct {
-	obj       *provisioning.Connection
-	ghFactory GithubFactory
-}
-
-func NewConnection(
-	obj *provisioning.Connection,
-	factory GithubFactory,
-) Connection {
-	return Connection{
-		obj:       obj,
-		ghFactory: factory,
-	}
-}
-
-const (
-	//TODO(ferruvich): these probably need to be setup in API configuration.
-	githubInstallationURL = "https://github.com/settings/installations"
-	jwtExpirationMinutes  = 10 // GitHub Apps JWT tokens expire in 10 minutes maximum
-)
-
-// Mutate performs in place mutation of the underneath resource.
-func (c *Connection) Mutate(_ context.Context) error {
-	// Do nothing in case spec.Github is nil.
-	// If this field is required, we should fail at validation time.
-	if c.obj.Spec.GitHub == nil {
-		return nil
-	}
-
-	c.obj.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, c.obj.Spec.GitHub.InstallationID)
-
-	// Generate JWT token if private key is being provided.
-	// Same as for the spec.Github, if such a field is required, Validation will take care of that.
-	if !c.obj.Secure.PrivateKey.Create.IsZero() {
-		token, err := generateToken(c.obj.Spec.GitHub.AppID, c.obj.Secure.PrivateKey.Create)
-		if err != nil {
-			return fmt.Errorf("failed to generate JWT token: %w", err)
-		}
-
-		// Store the generated token
-		c.obj.Secure.Token = common.InlineSecureValue{Create: token}
-	}
-
-	return nil
-}
-
-// Token generates and returns the Connection token.
-func generateToken(appID string, privateKey common.RawSecureValue) (common.RawSecureValue, error) {
-	// Decode base64-encoded private key
-	privateKeyPEM, err := base64.StdEncoding.DecodeString(string(privateKey))
-	if err != nil {
-		return "", fmt.Errorf("failed to decode base64 private key: %w", err)
-	}
-
-	// Parse the private key
-	key, err := jwt.ParseRSAPrivateKeyFromPEM(privateKeyPEM)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse private key: %w", err)
-	}
-
-	// Create the JWT token
-	now := time.Now()
-	claims := jwt.RegisteredClaims{
-		IssuedAt:  jwt.NewNumericDate(now),
-		ExpiresAt: jwt.NewNumericDate(now.Add(time.Duration(jwtExpirationMinutes) * time.Minute)),
-		Issuer:    appID,
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	signedToken, err := token.SignedString(key)
-	if err != nil {
-		return "", fmt.Errorf("failed to sign JWT token: %w", err)
-	}
-
-	return common.RawSecureValue(signedToken), nil
-}
-
-// Validate ensures the resource _looks_ correct.
-func (c *Connection) Validate(ctx context.Context) error {
-	list := field.ErrorList{}
-
-	if c.obj.Spec.Type != provisioning.GithubConnectionType {
-		list = append(list, field.Invalid(field.NewPath("spec", "type"), c.obj.Spec.Type, "invalid connection type"))
-
-		// Doesn't make much sense to continue validating a connection which is not a Github one.
-		return toError(c.obj.GetName(), list)
-	}
-
-	if c.obj.Spec.GitHub == nil {
-		list = append(
-			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
-		)
-
-		// Doesn't make much sense to continue validating a connection with no information.
-		return toError(c.obj.GetName(), list)
-	}
-
-	if c.obj.Secure.PrivateKey.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
-	}
-	if c.obj.Secure.Token.IsZero() {
-		list = append(list, field.Required(field.NewPath("secure", "token"), "token must be specified for GitHub connection"))
-	}
-	if !c.obj.Secure.ClientSecret.IsZero() {
-		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
-	}
-
-	// Validate GitHub configuration fields
-	if c.obj.Spec.GitHub.AppID == "" {
-		list = append(list, field.Required(field.NewPath("spec", "github", "appID"), "appID must be specified for GitHub connection"))
-	}
-	if c.obj.Spec.GitHub.InstallationID == "" {
-		list = append(list, field.Required(field.NewPath("spec", "github", "installationID"), "installationID must be specified for GitHub connection"))
-	}
-
-	// In case we have any error above, we don't go forward with the validation, and return the errors.
-	if len(list) > 0 {
-		return toError(c.obj.GetName(), list)
-	}
-
-	// Validating app content via GH API
-	if err := c.validateAppAndInstallation(ctx); err != nil {
-		list = append(list, err)
-	}
-
-	return toError(c.obj.GetName(), list)
-}
-
-// validateAppAndInstallation validates the appID and installationID against the given github token.
-func (c *Connection) validateAppAndInstallation(ctx context.Context) *field.Error {
-	ghClient := c.ghFactory.New(ctx, c.obj.Secure.Token.Create)
-
-	app, err := ghClient.GetApp(ctx)
-	if err != nil {
-		if errors.Is(err, ErrServiceUnavailable) {
-			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
-		}
-		return field.Invalid(field.NewPath("spec", "token"), "[REDACTED]", "invalid token")
-	}
-
-	if fmt.Sprintf("%d", app.ID) != c.obj.Spec.GitHub.AppID {
-		return field.Invalid(field.NewPath("spec", "appID"), c.obj.Spec.GitHub.AppID, "appID mismatch")
-	}
-
-	_, err = ghClient.GetAppInstallation(ctx, c.obj.Spec.GitHub.InstallationID)
-	if err != nil {
-		if errors.Is(err, ErrServiceUnavailable) {
-			return field.InternalError(field.NewPath("spec", "token"), ErrServiceUnavailable)
-		}
-		return field.Invalid(field.NewPath("spec", "installationID"), c.obj.Spec.GitHub.InstallationID, "invalid installation ID")
-	}
-
-	return nil
-}
-
-// toError converts a field.ErrorList to an error, returning nil if the list is empty
-func toError(name string, list field.ErrorList) error {
-	if len(list) == 0 {
-		return nil
-	}
-	return apierrors.NewInvalid(
-		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
-		name,
-		list,
-	)
-}
-
-var (
-	_ connection.Connection = (*Connection)(nil)
-)
--- a/apps/provisioning/pkg/connection/github/connection_test.go
+++ b/apps/provisioning/pkg/connection/github/connection_test.go
@@ -1,434 +0,0 @@
-package github
-
-import (
-	"context"
-	"encoding/base64"
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-//nolint:gosec // Test RSA private key (generated for testing purposes only)
-const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAoInVbLY9io2Q/wHvUIXlEHg2Qyvd8eRzBAVEJ92DS6fx9H10
-06V0VRm78S0MXyo6i+n8ZAbZ0/R+GWpP2Ephxm0Gs2zo+iO2mpB19xQFI4o6ZTOw
-b2WyjSaa2Vr4oyDkqti6AvfjW4VUAu932e08GkgwmmQSHXj7FX2CMWjgUwTTcuaX
-65SHNKLNYLUP0HTumLzoZeqDTdoMMpKNdgH9Avr4/8vkVJ0mD6rqvxnw3JHsseNO
-WdQTxf2aApBNHIIKxWZ2i/ZmjLNey7kltgjEquGiBdJvip3fHhH5XHdkrXcjRtnw
-OJDnDmi5lQwv5yUBOSkbvbXRv/L/m0YLoD/fbwIDAQABAoIBAFfl//hM8/cnuesV
-+R1Con/ZAgTXQOdPqPXbmEyniVrkMqMmCdBUOBTcST4s5yg36+RtkeaGpb/ajyyF
-PAB2AYDucwvMpudGpJWOYTiOOp4R8hU1LvZfXVrRd1lo6NgQi4NLtNUpOtACeVQ+
-H4Yv0YemXQ47mnuOoRNMK/u3q5NoIdSahWptXBgUno8KklNpUrH3IYWaUxfBzDN3
-2xsVRTn2SfTSyoDmTDdTgptJONmoK1/sV7UsgWksdFc6XyYhsFAZgOGEJrBABRvF
-546dyQ0cWxuPyVXpM7CN3tqC5ssvLjElg3LicK1V6gnjpdRnnvX88d1Eh3Uc/9IM
-OZInT2ECgYEA6W8sQXTWinyEwl8SDKKMbB2ApIghAcFgdRxprZE4WFxjsYNCNL70
-dnSB7MRuzmxf5W77cV0N7JhH66N8HvY6Xq9olrpQ5dNttR4w8Pyv3wavDe8x7seL
-5L2Xtbu7ihDr8Dk27MjiBSin3IxhBP5CJS910+pR6LrAWtEuU+FzFfECgYEAsA6y
-qxHhCMXlTnauXhsnmPd1g61q7chW8kLQFYtHMLlQlgjHTW7irDZ9cPbPYDNjwRLO
-7KLorcpv2NKe7rqq2ZyCm6hf1b9WnlQjo3dLpNWMu6fhy/smK8MgbRqcWpX+oTKF
-79mK6hbY7o6eBzsQHBl7Z+LBNuwYmp9qOodPa18CgYEArv6ipKdcNhFGzRfMRiCN
-OHederp6VACNuP2F05IsNUF9kxOdTEFirnKE++P+VU01TqA2azOhPp6iO+ohIGzi
-MR06QNSH1OL9OWvasK4dggpWrRGF00VQgDgJRTnpS4WH+lxJ6pRlrAxgWpv6F24s
-VAgSQr1Ejj2B+hMasdMvHWECgYBJ4uE4yhgXBnZlp4kmFV9Y4wF+cZkekaVrpn6N
-jBYkbKFVVfnOlWqru3KJpgsB5I9IyAvvY68iwIKQDFSG+/AXw4dMrC0MF3DSoZ0T
-TU2Br92QI7SvVod+djV1lGVp3ukt3XY4YqPZ+hywgUnw3uiz4j3YK2HLGup4ec6r
-IX5DIQKBgHRLzvT3zqtlR1Oh0vv098clLwt+pGzXOxzJpxioOa5UqK13xIpFXbcg
-iWUVh5YXCcuqaICUv4RLIEac5xQitk9Is/9IhP0NJ/81rHniosvdSpCeFXzxTImS
-B8Uc0WUgheB4+yVKGnYpYaSOgFFI5+1BYUva/wDHLy2pWHz39Usb
-----END RSA PRIVATE KEY-----`
-
-func TestConnection_Mutate(t *testing.T) {
-	t.Run("should add URL to Github connection", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Name: "test-private-key",
-				},
-			},
-		}
-
-		mockFactory := NewMockGithubFactory(t)
-		conn := NewConnection(c, mockFactory)
-
-		require.NoError(t, conn.Mutate(context.Background()))
-		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
-	})
-
-	t.Run("should generate JWT token when private key is provided", func(t *testing.T) {
-		privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
-
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Create: common.NewSecretValue(privateKeyBase64),
-				},
-			},
-		}
-
-		mockFactory := NewMockGithubFactory(t)
-		conn := NewConnection(c, mockFactory)
-
-		require.NoError(t, conn.Mutate(context.Background()))
-		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
-		assert.False(t, c.Secure.Token.Create.IsZero(), "JWT token should be generated")
-	})
-
-	t.Run("should do nothing when GitHub config is nil", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GitlabConnectionType,
-				Gitlab: &provisioning.GitlabConnectionConfig{
-					ClientID: "clientID",
-				},
-			},
-		}
-
-		mockFactory := NewMockGithubFactory(t)
-		conn := NewConnection(c, mockFactory)
-
-		require.NoError(t, conn.Mutate(context.Background()))
-	})
-
-	t.Run("should fail when private key is not base64", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Create: common.NewSecretValue("invalid-key"),
-				},
-			},
-		}
-
-		mockFactory := NewMockGithubFactory(t)
-		conn := NewConnection(c, mockFactory)
-
-		err := conn.Mutate(context.Background())
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to generate JWT token")
-		assert.Contains(t, err.Error(), "failed to decode base64 private key")
-	})
-
-	t.Run("should fail when private key is invalid", func(t *testing.T) {
-		c := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Create: common.NewSecretValue(base64.StdEncoding.EncodeToString([]byte("invalid-key"))),
-				},
-			},
-		}
-
-		mockFactory := NewMockGithubFactory(t)
-		conn := NewConnection(c, mockFactory)
-
-		err := conn.Mutate(context.Background())
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "failed to generate JWT token")
-		assert.Contains(t, err.Error(), "failed to parse private key")
-	})
-}
-
-func TestConnection_Validate(t *testing.T) {
-	tests := []struct {
-		name           string
-		connection     *provisioning.Connection
-		setupMock      func(*MockGithubFactory)
-		wantErr        bool
-		errMsgContains []string
-	}{
-		{
-			name: "invalid type returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: "invalid",
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.type"},
-		},
-		{
-			name: "github type without github config returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.github"},
-		},
-		{
-			name: "github type without private key returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"secure.privateKey"},
-		},
-		{
-			name: "github type without token returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"secure.token"},
-		},
-		{
-			name: "github type with client secret returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					ClientSecret: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-client-secret"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"secure.clientSecret"},
-		},
-		{
-			name: "github type without appID returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-					Token: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-token"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.github.appID"},
-		},
-		{
-			name: "github type without installationID returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID: "123",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Name: "test-private-key",
-					},
-					Token: common.InlineSecureValue{
-						Name: "test-token",
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.github.installationID"},
-		},
-		{
-			name: "github type with valid config is valid",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-					Token: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-token"),
-					},
-				},
-			},
-			wantErr: false,
-			setupMock: func(mockFactory *MockGithubFactory) {
-				mockClient := NewMockClient(t)
-
-				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
-				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
-				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{ID: 456}, nil)
-			},
-		},
-		{
-			name: "problem getting app returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-					Token: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-token"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.token", "[REDACTED]"},
-			setupMock: func(mockFactory *MockGithubFactory) {
-				mockClient := NewMockClient(t)
-
-				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
-				mockClient.EXPECT().GetApp(mock.Anything).Return(App{}, assert.AnError)
-			},
-		},
-		{
-			name: "mismatched app ID returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-					Token: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-token"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.appID"},
-			setupMock: func(mockFactory *MockGithubFactory) {
-				mockClient := NewMockClient(t)
-
-				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
-				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 444, Slug: "test-app"}, nil)
-			},
-		},
-		{
-			name: "problem when getting installation returns error",
-			connection: &provisioning.Connection{
-				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-				Spec: provisioning.ConnectionSpec{
-					Type: provisioning.GithubConnectionType,
-					GitHub: &provisioning.GitHubConnectionConfig{
-						AppID:          "123",
-						InstallationID: "456",
-					},
-				},
-				Secure: provisioning.ConnectionSecure{
-					PrivateKey: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-private-key"),
-					},
-					Token: common.InlineSecureValue{
-						Create: common.NewSecretValue("test-token"),
-					},
-				},
-			},
-			wantErr:        true,
-			errMsgContains: []string{"spec.installationID", "456"},
-			setupMock: func(mockFactory *MockGithubFactory) {
-				mockClient := NewMockClient(t)
-
-				mockFactory.EXPECT().New(mock.Anything, common.RawSecureValue("test-token")).Return(mockClient)
-				mockClient.EXPECT().GetApp(mock.Anything).Return(App{ID: 123, Slug: "test-app"}, nil)
-				mockClient.EXPECT().GetAppInstallation(mock.Anything, "456").Return(AppInstallation{}, assert.AnError)
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			mockFactory := NewMockGithubFactory(t)
-			if tt.setupMock != nil {
-				tt.setupMock(mockFactory)
-			}
-
-			conn := NewConnection(tt.connection, mockFactory)
-			err := conn.Validate(context.Background())
-			if tt.wantErr {
-				assert.Error(t, err)
-				for _, msg := range tt.errMsgContains {
-					assert.Contains(t, err.Error(), msg)
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
--- a/apps/provisioning/pkg/connection/github/extra.go
+++ b/apps/provisioning/pkg/connection/github/extra.go
@@ -1,36 +0,0 @@
-package github
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/grafana/grafana-app-sdk/logging"
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-)
-
-type extra struct {
-	factory GithubFactory
-}
-
-func (e *extra) Type() provisioning.ConnectionType {
-	return provisioning.GithubConnectionType
-}
-
-func (e *extra) Build(ctx context.Context, connection *provisioning.Connection) (connection.Connection, error) {
-	logger := logging.FromContext(ctx)
-	if connection == nil || connection.Spec.GitHub == nil {
-		logger.Error("connection is nil or github info is nil")
-
-		return nil, fmt.Errorf("invalid github connection")
-	}
-
-	c := NewConnection(connection, e.factory)
-	return &c, nil
-}
-
-func Extra(factory GithubFactory) connection.Extra {
-	return &extra{
-		factory: factory,
-	}
-}
--- a/apps/provisioning/pkg/connection/github/extra_test.go
+++ b/apps/provisioning/pkg/connection/github/extra_test.go
@@ -1,126 +0,0 @@
-package github_test
-
-import (
-	"context"
-	"testing"
-
-	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestExtra_Type(t *testing.T) {
-	t.Run("should return GithubConnectionType", func(t *testing.T) {
-		mockFactory := github.NewMockGithubFactory(t)
-		e := github.Extra(mockFactory)
-		result := e.Type()
-		assert.Equal(t, provisioning.GithubConnectionType, result)
-	})
-}
-
-func TestExtra_Build(t *testing.T) {
-	t.Run("should successfully build connection", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Create: common.NewSecretValue("test-private-key"),
-				},
-			},
-		}
-
-		mockFactory := github.NewMockGithubFactory(t)
-
-		e := github.Extra(mockFactory)
-
-		result, err := e.Build(ctx, conn)
-		require.NoError(t, err)
-		require.NotNil(t, result)
-	})
-
-	t.Run("should handle different connection configurations", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "another-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "789",
-					InstallationID: "101112",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				PrivateKey: common.InlineSecureValue{
-					Name: "existing-private-key",
-				},
-				Token: common.InlineSecureValue{
-					Name: "existing-token",
-				},
-			},
-		}
-
-		mockFactory := github.NewMockGithubFactory(t)
-
-		e := github.Extra(mockFactory)
-
-		result, err := e.Build(ctx, conn)
-		require.NoError(t, err)
-		require.NotNil(t, result)
-	})
-
-	t.Run("should build connection with background context", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-		}
-
-		mockFactory := github.NewMockGithubFactory(t)
-		e := github.Extra(mockFactory)
-		result, err := e.Build(ctx, conn)
-		require.NoError(t, err)
-		require.NotNil(t, result)
-	})
-
-	t.Run("should always pass empty token to factory.New", func(t *testing.T) {
-		ctx := context.Background()
-		conn := &provisioning.Connection{
-			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
-			Spec: provisioning.ConnectionSpec{
-				Type: provisioning.GithubConnectionType,
-				GitHub: &provisioning.GitHubConnectionConfig{
-					AppID:          "123",
-					InstallationID: "456",
-				},
-			},
-			Secure: provisioning.ConnectionSecure{
-				Token: common.InlineSecureValue{
-					Create: common.NewSecretValue("some-token"),
-				},
-			},
-		}
-
-		mockFactory := github.NewMockGithubFactory(t)
-		e := github.Extra(mockFactory)
-		result, err := e.Build(ctx, conn)
-		require.NoError(t, err)
-		require.NotNil(t, result)
-	})
-}
--- a/apps/provisioning/pkg/connection/github/factory.go
+++ b/apps/provisioning/pkg/connection/github/factory.go
@@ -1,39 +0,0 @@
-package github
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/google/go-github/v70/github"
-	"golang.org/x/oauth2"
-
-	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-)
-
-// Factory creates new GitHub clients.
-// It exists only for the ability to test the code easily.
-type Factory struct {
-	// Client allows overriding the client to use in the GH client returned. It exists primarily for testing.
-	// FIXME: we should replace in this way. We should add some options pattern for the factory.
-	Client *http.Client
-}
-
-func ProvideFactory() GithubFactory {
-	return &Factory{}
-}
-
-func (r *Factory) New(ctx context.Context, ghToken common.RawSecureValue) Client {
-	if r.Client != nil {
-		return NewClient(github.NewClient(r.Client))
-	}
-
-	if !ghToken.IsZero() {
-		tokenSrc := oauth2.StaticTokenSource(
-			&oauth2.Token{AccessToken: string(ghToken)},
-		)
-		tokenClient := oauth2.NewClient(ctx, tokenSrc)
-		return NewClient(github.NewClient(tokenClient))
-	}
-
-	return NewClient(github.NewClient(&http.Client{}))
-}
--- a/apps/provisioning/pkg/connection/github/factory_mock.go
+++ b/apps/provisioning/pkg/connection/github/factory_mock.go
@@ -1,86 +0,0 @@
-// Code generated by mockery v2.53.4. DO NOT EDIT.
-
-package github
-
-import (
-	context "context"
-
-	v0alpha1 "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
-	mock "github.com/stretchr/testify/mock"
-)
-
-// MockGithubFactory is an autogenerated mock type for the GithubFactory type
-type MockGithubFactory struct {
-	mock.Mock
-}
-
-type MockGithubFactory_Expecter struct {
-	mock *mock.Mock
-}
-
-func (_m *MockGithubFactory) EXPECT() *MockGithubFactory_Expecter {
-	return &MockGithubFactory_Expecter{mock: &_m.Mock}
-}
-
-// New provides a mock function with given fields: ctx, ghToken
-func (_m *MockGithubFactory) New(ctx context.Context, ghToken v0alpha1.RawSecureValue) Client {
-	ret := _m.Called(ctx, ghToken)
-
-	if len(ret) == 0 {
-		panic("no return value specified for New")
-	}
-
-	var r0 Client
-	if rf, ok := ret.Get(0).(func(context.Context, v0alpha1.RawSecureValue) Client); ok {
-		r0 = rf(ctx, ghToken)
-	} else {
-		if ret.Get(0) != nil {
-			r0 = ret.Get(0).(Client)
-		}
-	}
-
-	return r0
-}
-
-// MockGithubFactory_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
-type MockGithubFactory_New_Call struct {
-	*mock.Call
-}
-
-// New is a helper method to define mock.On call
-//   - ctx context.Context
-//   - ghToken v0alpha1.RawSecureValue
-func (_e *MockGithubFactory_Expecter) New(ctx interface{}, ghToken interface{}) *MockGithubFactory_New_Call {
-	return &MockGithubFactory_New_Call{Call: _e.mock.On("New", ctx, ghToken)}
-}
-
-func (_c *MockGithubFactory_New_Call) Run(run func(ctx context.Context, ghToken v0alpha1.RawSecureValue)) *MockGithubFactory_New_Call {
-	_c.Call.Run(func(args mock.Arguments) {
-		run(args[0].(context.Context), args[1].(v0alpha1.RawSecureValue))
-	})
-	return _c
-}
-
-func (_c *MockGithubFactory_New_Call) Return(_a0 Client) *MockGithubFactory_New_Call {
-	_c.Call.Return(_a0)
-	return _c
-}
-
-func (_c *MockGithubFactory_New_Call) RunAndReturn(run func(context.Context, v0alpha1.RawSecureValue) Client) *MockGithubFactory_New_Call {
-	_c.Call.Return(run)
-	return _c
-}
-
-// NewMockGithubFactory creates a new instance of MockGithubFactory. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
-// The first argument is typically a *testing.T value.
-func NewMockGithubFactory(t interface {
-	mock.TestingT
-	Cleanup(func())
-}) *MockGithubFactory {
-	mock := &MockGithubFactory{}
-	mock.Mock.Test(t)
-
-	t.Cleanup(func() { mock.AssertExpectations(t) })
-
-	return mock
-}
--- a/apps/provisioning/pkg/connection/mutator.go
+++ b/apps/provisioning/pkg/connection/mutator.go
@@ -0,0 +1,28 @@
+package connection
+
+import (
+	"fmt"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+)
+
+const (
+	githubInstallationURL = "https://github.com/settings/installations"
+)
+
+func MutateConnection(connection *provisioning.Connection) error {
+	switch connection.Spec.Type {
+	case provisioning.GithubConnectionType:
+		// Do nothing in case spec.Github is nil.
+		// If this field is required, we should fail at validation time.
+		if connection.Spec.GitHub == nil {
+			return nil
+		}
+
+		connection.Spec.URL = fmt.Sprintf("%s/%s", githubInstallationURL, connection.Spec.GitHub.InstallationID)
+		return nil
+	default:
+		// TODO: we need to setup the URL for bitbucket and gitlab.
+		return nil
+	}
+}
--- a/apps/provisioning/pkg/connection/mutator_test.go
+++ b/apps/provisioning/pkg/connection/mutator_test.go
@@ -0,0 +1,35 @@
+package connection_test
+
+import (
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestMutateConnection(t *testing.T) {
+	t.Run("should add URL to Github connection", func(t *testing.T) {
+		c := &provisioning.Connection{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+			Spec: provisioning.ConnectionSpec{
+				Type: provisioning.GithubConnectionType,
+				GitHub: &provisioning.GitHubConnectionConfig{
+					AppID:          "123",
+					InstallationID: "456",
+				},
+			},
+			Secure: provisioning.ConnectionSecure{
+				PrivateKey: common.InlineSecureValue{
+					Name: "test-private-key",
+				},
+			},
+		}
+
+		require.NoError(t, connection.MutateConnection(c))
+		assert.Equal(t, "https://github.com/settings/installations/456", c.Spec.URL)
+	})
+}
--- a/apps/provisioning/pkg/connection/validator.go
+++ b/apps/provisioning/pkg/connection/validator.go
@@ -0,0 +1,104 @@
+package connection
+
+import (
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func ValidateConnection(connection *provisioning.Connection) error {
+	list := field.ErrorList{}
+
+	if connection.Spec.Type == "" {
+		list = append(list, field.Required(field.NewPath("spec", "type"), "type must be specified"))
+	}
+
+	switch connection.Spec.Type {
+	case provisioning.GithubConnectionType:
+		list = append(list, validateGithubConnection(connection)...)
+	case provisioning.BitbucketConnectionType:
+		list = append(list, validateBitbucketConnection(connection)...)
+	case provisioning.GitlabConnectionType:
+		list = append(list, validateGitlabConnection(connection)...)
+	default:
+		list = append(
+			list, field.NotSupported(
+				field.NewPath("spec", "type"),
+				connection.Spec.Type,
+				[]provisioning.ConnectionType{
+					provisioning.GithubConnectionType,
+					provisioning.BitbucketConnectionType,
+					provisioning.GitlabConnectionType,
+				}),
+		)
+	}
+
+	return toError(connection.GetName(), list)
+}
+
+func validateGithubConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.GitHub == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "github"), "github info must be specified for GitHub connection"),
+		)
+	}
+
+	if connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "privateKey"), "privateKey must be specified for GitHub connection"))
+	}
+	if !connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "clientSecret"), "clientSecret is forbidden in GitHub connection"))
+	}
+
+	return list
+}
+
+func validateBitbucketConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.Bitbucket == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "bitbucket"), "bitbucket info must be specified in Bitbucket connection"),
+		)
+	}
+	if connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Bitbucket connection"))
+	}
+	if !connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Bitbucket connection"))
+	}
+
+	return list
+}
+
+func validateGitlabConnection(connection *provisioning.Connection) field.ErrorList {
+	list := field.ErrorList{}
+
+	if connection.Spec.Gitlab == nil {
+		list = append(
+			list, field.Required(field.NewPath("spec", "gitlab"), "gitlab info must be specified in Gitlab connection"),
+		)
+	}
+	if connection.Secure.ClientSecret.IsZero() {
+		list = append(list, field.Required(field.NewPath("secure", "clientSecret"), "clientSecret must be specified for Gitlab connection"))
+	}
+	if !connection.Secure.PrivateKey.IsZero() {
+		list = append(list, field.Forbidden(field.NewPath("secure", "privateKey"), "privateKey is forbidden in Gitlab connection"))
+	}
+
+	return list
+}
+
+// toError converts a field.ErrorList to an error, returning nil if the list is empty
+func toError(name string, list field.ErrorList) error {
+	if len(list) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(
+		provisioning.ConnectionResourceInfo.GroupVersionKind().GroupKind(),
+		name,
+		list,
+	)
+}
--- a/apps/provisioning/pkg/connection/validator_test.go
+++ b/apps/provisioning/pkg/connection/validator_test.go
@@ -0,0 +1,253 @@
+package connection_test
+
+import (
+	"testing"
+
+	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
+	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	common "github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestValidateConnection(t *testing.T) {
+	tests := []struct {
+		name       string
+		connection *provisioning.Connection
+		wantErr    bool
+		errMsg     string
+	}{
+		{
+			name: "empty type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec:       provisioning.ConnectionSpec{},
+			},
+			wantErr: true,
+			errMsg:  "spec.type",
+		},
+		{
+			name: "invalid type returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: "invalid",
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.type",
+		},
+		{
+			name: "github type without github config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.github",
+		},
+		{
+			name: "github type without private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "github type with client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "github type with github config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GithubConnectionType,
+					GitHub: &provisioning.GitHubConnectionConfig{
+						AppID:          "123",
+						InstallationID: "456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "bitbucket type without bitbucket config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.bitbucket",
+		},
+		{
+			name: "bitbucket type without client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "bitbucket type with private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "bitbucket type with bitbucket config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.BitbucketConnectionType,
+					Bitbucket: &provisioning.BitbucketConnectionConfig{
+						ClientID: "client-123",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "gitlab type without gitlab config returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+				},
+			},
+			wantErr: true,
+			errMsg:  "spec.gitlab",
+		},
+		{
+			name: "gitlab type without client secret returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.clientSecret",
+		},
+		{
+			name: "gitlab type with private key returns error",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					PrivateKey: common.InlineSecureValue{
+						Name: "test-private-key",
+					},
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: true,
+			errMsg:  "secure.privateKey",
+		},
+		{
+			name: "gitlab type with gitlab config is valid",
+			connection: &provisioning.Connection{
+				ObjectMeta: metav1.ObjectMeta{Name: "test-connection"},
+				Spec: provisioning.ConnectionSpec{
+					Type: provisioning.GitlabConnectionType,
+					Gitlab: &provisioning.GitlabConnectionConfig{
+						ClientID: "client-456",
+					},
+				},
+				Secure: provisioning.ConnectionSecure{
+					ClientSecret: common.InlineSecureValue{
+						Name: "test-client-secret",
+					},
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := connection.ValidateConnection(tt.connection)
+			if tt.wantErr {
+				assert.Error(t, err)
+				if tt.errMsg != "" {
+					assert.Contains(t, err.Error(), tt.errMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go
+++ b/apps/provisioning/pkg/generated/applyconfiguration/provisioning/v0alpha1/connectionsecure.go
@@ -13,7 +13,7 @@ import (
 type ConnectionSecureApplyConfiguration struct {
 	PrivateKey   *commonv0alpha1.InlineSecureValue `json:"privateKey,omitempty"`
 	ClientSecret *commonv0alpha1.InlineSecureValue `json:"clientSecret,omitempty"`
-	Token        *commonv0alpha1.InlineSecureValue `json:"token,omitempty"`
+	Token        *commonv0alpha1.InlineSecureValue `json:"webhook,omitempty"`
 }

 // ConnectionSecureApplyConfiguration constructs a declarative configuration of the ConnectionSecure type for use with
--- a/packages/grafana-api-clients/src/clients/rtkq/provisioning/v0alpha1/endpoints.gen.ts
+++ b/packages/grafana-api-clients/src/clients/rtkq/provisioning/v0alpha1/endpoints.gen.ts
@@ -1452,7 +1452,7 @@ export type ConnectionSecure = {
  /** PrivateKey is the reference to the private key used for GitHub App authentication. This value is stored securely and cannot be read back */
  privateKey?: InlineSecureValue;
  /** Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back */
-  token?: InlineSecureValue;
+  webhook?: InlineSecureValue;
 };
 export type BitbucketConnectionConfig = {
  /** App client ID */
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@@ -695,6 +695,10 @@ export interface FeatureToggles {
  */
  passwordlessMagicLinkAuthentication?: boolean;
  /**
+  * Display Related Logs in Grafana Metrics Drilldown
+  */
+  exploreMetricsRelatedLogs?: boolean;
+  /**
  * Adds support for quotes and special characters in label values for Prometheus queries
  */
  prometheusSpecialCharsInLabelValues?: boolean;
--- a/pkg/registry/apis/provisioning/extras/register.go
+++ b/pkg/registry/apis/provisioning/extras/register.go
@@ -2,8 +2,6 @@ package extras

 import (
 	apisprovisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
-	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/git"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
@@ -44,15 +42,6 @@ func ProvideProvisioningOSSRepositoryExtras(
 	}
 }

-func ProvideProvisioningOSSConnectionExtras(
-	_ *setting.Cfg,
-	ghFactory ghconnection.GithubFactory,
-) []connection.Extra {
-	return []connection.Extra{
-		ghconnection.Extra(ghFactory),
-	}
-}
-
 func ProvideExtraWorkers(pullRequestWorker *pullrequest.PullRequestWorker) []jobs.Worker {
 	return []jobs.Worker{pullRequestWorker}
 }
@@ -65,12 +54,3 @@ func ProvideFactoryFromConfig(cfg *setting.Cfg, extras []repository.Extra) (repo

 	return repository.ProvideFactory(enabledTypes, extras)
 }
-
-func ProvideConnectionFactoryFromConfig(cfg *setting.Cfg, extras []connection.Extra) (connection.Factory, error) {
-	enabledTypes := make(map[apisprovisioning.ConnectionType]struct{}, len(cfg.ProvisioningRepositoryTypes))
-	for _, e := range cfg.ProvisioningRepositoryTypes {
-		enabledTypes[apisprovisioning.ConnectionType(e)] = struct{}{}
-	}
-
-	return connection.ProvideFactory(enabledTypes, extras)
-}
--- a/pkg/registry/apis/provisioning/register.go
+++ b/pkg/registry/apis/provisioning/register.go
@@ -30,7 +30,7 @@ import (

 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
 	"github.com/grafana/grafana/apps/provisioning/pkg/auth"
-	"github.com/grafana/grafana/apps/provisioning/pkg/connection"
+	connectionvalidation "github.com/grafana/grafana/apps/provisioning/pkg/connection"
 	appcontroller "github.com/grafana/grafana/apps/provisioning/pkg/controller"
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 	client "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned/typed/provisioning/v0alpha1"
@@ -105,21 +105,20 @@ type APIBuilder struct {
 		jobs.Queue
 		jobs.Store
 	}
-	jobHistoryConfig  *JobHistoryConfig
-	jobHistoryLoki    *jobs.LokiJobHistory
-	resourceLister    resources.ResourceLister
-	dashboardAccess   legacy.MigrationDashboardAccessor
-	unified           resource.ResourceClient
-	repoFactory       repository.Factory
-	connectionFactory connection.Factory
-	client            client.ProvisioningV0alpha1Interface
-	access            auth.AccessChecker
-	accessWithAdmin   auth.AccessChecker
-	accessWithEditor  auth.AccessChecker
-	accessWithViewer  auth.AccessChecker
-	statusPatcher     *appcontroller.RepositoryStatusPatcher
-	healthChecker     *controller.HealthChecker
-	repoValidator     repository.RepositoryValidator
+	jobHistoryConfig *JobHistoryConfig
+	jobHistoryLoki   *jobs.LokiJobHistory
+	resourceLister   resources.ResourceLister
+	dashboardAccess  legacy.MigrationDashboardAccessor
+	unified          resource.ResourceClient
+	repoFactory      repository.Factory
+	client           client.ProvisioningV0alpha1Interface
+	access           auth.AccessChecker
+	accessWithAdmin  auth.AccessChecker
+	accessWithEditor auth.AccessChecker
+	accessWithViewer auth.AccessChecker
+	statusPatcher    *appcontroller.RepositoryStatusPatcher
+	healthChecker    *controller.HealthChecker
+	validator        repository.RepositoryValidator
 	// Extras provides additional functionality to the API.
 	extras       []Extra
 	extraWorkers []jobs.Worker
@@ -134,7 +133,6 @@ type APIBuilder struct {
 func NewAPIBuilder(
 	onlyApiServer bool,
 	repoFactory repository.Factory,
-	connectionFactory connection.Factory,
 	features featuremgmt.FeatureToggles,
 	unified resource.ResourceClient,
 	configProvider apiserver.RestConfigProvider,
@@ -178,7 +176,6 @@ func NewAPIBuilder(
 		usageStats:                          usageStats,
 		features:                            features,
 		repoFactory:                         repoFactory,
-		connectionFactory:                   connectionFactory,
 		clients:                             clients,
 		parsers:                             parsers,
 		repositoryResources:                 resources.NewRepositoryResourcesFactory(parsers, clients, resourceLister),
@@ -195,7 +192,7 @@ func NewAPIBuilder(
 		allowedTargets:                      allowedTargets,
 		allowImageRendering:                 allowImageRendering,
 		registry:                            registry,
-		repoValidator:                       repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
+		validator:                           repository.NewValidator(minSyncInterval, allowedTargets, allowImageRendering),
 		useExclusivelyAccessCheckerForAuthz: useExclusivelyAccessCheckerForAuthz,
 	}

@@ -256,7 +253,6 @@ func RegisterAPIService(
 	extraBuilders []ExtraBuilder,
 	extraWorkers []jobs.Worker,
 	repoFactory repository.Factory,
-	connectionFactory connection.Factory,
 ) (*APIBuilder, error) {
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if !features.IsEnabledGlobally(featuremgmt.FlagProvisioning) {
@@ -275,7 +271,6 @@ func RegisterAPIService(
 	builder := NewAPIBuilder(
 		cfg.DisableControllers,
 		repoFactory,
-		connectionFactory,
 		features,
 		client,
 		configProvider,
@@ -646,7 +641,7 @@ func (b *APIBuilder) UpdateAPIGroupInfo(apiGroupInfo *genericapiserver.APIGroupI
 	storage[provisioning.ConnectionResourceInfo.StoragePath("repositories")] = NewConnectionRepositoriesConnector()

 	// TODO: Add some logic so that the connectors can registered themselves and we don't have logic all over the place
-	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.repoValidator), b.VerifyAgainstExistingRepositories))
+	storage[provisioning.RepositoryResourceInfo.StoragePath("test")] = NewTestConnector(b, repository.NewRepositoryTesterWithExistingChecker(repository.NewSimpleRepositoryTester(b.validator), b.VerifyAgainstExistingRepositories))
 	storage[provisioning.RepositoryResourceInfo.StoragePath("files")] = NewFilesConnector(b, b.parsers, b.clients, b.accessWithAdmin)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("refs")] = NewRefsConnector(b)
 	storage[provisioning.RepositoryResourceInfo.StoragePath("resources")] = &listConnector{
@@ -687,15 +682,10 @@ func (b *APIBuilder) Mutate(ctx context.Context, a admission.Attributes, o admis
 	if ok {
 		return nil
 	}
-
+	// TODO: complete this as part of https://github.com/grafana/git-ui-sync-project/issues/700
 	c, ok := obj.(*provisioning.Connection)
 	if ok {
-		conn, err := b.asConnection(ctx, c, nil)
-		if err != nil {
-			return err
-		}
-
-		return conn.Mutate(ctx)
+		return connectionvalidation.MutateConnection(c)
 	}

 	r, ok := obj.(*provisioning.Repository)
@@ -746,15 +736,9 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 		return nil
 	}

-	// Validate connections
-	c, ok := obj.(*provisioning.Connection)
+	connection, ok := obj.(*provisioning.Connection)
 	if ok {
-		conn, err := b.asConnection(ctx, c, a.GetOldObject())
-		if err != nil {
-			return err
-		}
-
-		return conn.Validate(ctx)
+		return connectionvalidation.ValidateConnection(connection)
 	}

 	// Validate Jobs
@@ -774,7 +758,7 @@ func (b *APIBuilder) Validate(ctx context.Context, a admission.Attributes, o adm
 	// the only time to add configuration checks here is if you need to compare
 	// the incoming change to the current configuration
 	isCreate := a.GetOperation() == admission.Create
-	list := b.repoValidator.ValidateRepository(repo, isCreate)
+	list := b.validator.ValidateRepository(repo, isCreate)
 	cfg := repo.Config()

 	if a.GetOperation() == admission.Update {
@@ -847,7 +831,7 @@ func (b *APIBuilder) GetPostStartHooks() (map[string]genericapiserver.PostStartH
 			}

 			b.statusPatcher = appcontroller.NewRepositoryStatusPatcher(b.GetClient())
-			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.repoValidator))
+			b.healthChecker = controller.NewHealthChecker(b.statusPatcher, b.registry, repository.NewSimpleRepositoryTester(b.validator))

 			// if running solely CRUD, skip the rest of the setup
 			if b.onlyApiServer {
@@ -1465,35 +1449,6 @@ func (b *APIBuilder) asRepository(ctx context.Context, obj runtime.Object, old r
 	return b.repoFactory.Build(ctx, r)
 }

-func (b *APIBuilder) asConnection(ctx context.Context, obj runtime.Object, old runtime.Object) (connection.Connection, error) {
-	if obj == nil {
-		return nil, fmt.Errorf("missing connection object")
-	}
-
-	c, ok := obj.(*provisioning.Connection)
-	if !ok {
-		return nil, fmt.Errorf("expected connection object")
-	}
-
-	// Copy previous values if they exist
-	if old != nil {
-		o, ok := old.(*provisioning.Connection)
-		if ok && !o.Secure.IsZero() {
-			if c.Secure.PrivateKey.IsZero() {
-				c.Secure.PrivateKey = o.Secure.PrivateKey
-			}
-			if c.Secure.Token.IsZero() {
-				c.Secure.Token = o.Secure.Token
-			}
-			if c.Secure.ClientSecret.IsZero() {
-				c.Secure.ClientSecret = o.Secure.ClientSecret
-			}
-		}
-	}
-
-	return b.connectionFactory.Build(ctx, c)
-}
-
 func getJSONResponse(ref string) *spec3.Responses {
 	return &spec3.Responses{
 		ResponsesProps: spec3.ResponsesProps{
--- a/pkg/registry/apis/provisioning/register_validate_test.go
+++ b/pkg/registry/apis/provisioning/register_validate_test.go
@@ -28,7 +28,7 @@ func TestAPIBuilderValidate(t *testing.T) {
 		repoFactory:         factory,
 		allowedTargets:      []v0alpha1.SyncTargetType{v0alpha1.SyncTargetTypeFolder},
 		allowImageRendering: false,
-		repoValidator:       validator,
+		validator:           validator,
 	}

 	t.Run("min sync interval is less than 10 seconds", func(t *testing.T) {
--- a/pkg/registry/apis/wireset.go
+++ b/pkg/registry/apis/wireset.go
@@ -44,7 +44,6 @@ var provisioningExtras = wire.NewSet(
 	pullrequest.ProvidePullRequestWorker,
 	webhooks.ProvideWebhooksWithImages,
 	extras.ProvideFactoryFromConfig,
-	extras.ProvideConnectionFactoryFromConfig,
 	extras.ProvideProvisioningExtraAPIs,
 	extras.ProvideExtraWorkers,
 )
--- a/pkg/server/test_env.go
+++ b/pkg/server/test_env.go
@@ -3,7 +3,6 @@ package server
 import (
 	"github.com/stretchr/testify/mock"

-	githubconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/apps/secret/pkg/decrypt"
 	"github.com/grafana/grafana/pkg/infra/db"
@@ -35,26 +34,24 @@ func ProvideTestEnv(
 	featureMgmt featuremgmt.FeatureToggles,
 	resourceClient resource.ResourceClient,
 	idService auth.IDService,
-	githubRepoFactory *github.Factory,
-	githubConnectionFactory githubconnection.GithubFactory,
+	githubFactory *github.Factory,
 	decryptService decrypt.DecryptService,
 ) (*TestEnv, error) {
 	return &TestEnv{
-		TestingT:                testingT,
-		Server:                  server,
-		SQLStore:                db,
-		Cfg:                     cfg,
-		NotificationService:     ns,
-		GRPCServer:              grpcServer,
-		PluginRegistry:          pluginRegistry,
-		HTTPClientProvider:      httpClientProvider,
-		OAuthTokenService:       oAuthTokenService,
-		FeatureToggles:          featureMgmt,
-		ResourceClient:          resourceClient,
-		IDService:               idService,
-		GithubRepoFactory:       githubRepoFactory,
-		GithubConnectionFactory: githubConnectionFactory,
-		DecryptService:          decryptService,
+		TestingT:            testingT,
+		Server:              server,
+		SQLStore:            db,
+		Cfg:                 cfg,
+		NotificationService: ns,
+		GRPCServer:          grpcServer,
+		PluginRegistry:      pluginRegistry,
+		HTTPClientProvider:  httpClientProvider,
+		OAuthTokenService:   oAuthTokenService,
+		FeatureToggles:      featureMgmt,
+		ResourceClient:      resourceClient,
+		IDService:           idService,
+		GitHubFactory:       githubFactory,
+		DecryptService:      decryptService,
 	}, nil
 }

@@ -63,19 +60,18 @@ type TestEnv struct {
 		mock.TestingT
 		Cleanup(func())
 	}
-	Server                  *Server
-	SQLStore                db.DB
-	Cfg                     *setting.Cfg
-	NotificationService     *notifications.NotificationServiceMock
-	GRPCServer              grpcserver.Provider
-	PluginRegistry          registry.Service
-	HTTPClientProvider      httpclient.Provider
-	OAuthTokenService       *oauthtokentest.Service
-	RequestMiddleware       web.Middleware
-	FeatureToggles          featuremgmt.FeatureToggles
-	ResourceClient          resource.ResourceClient
-	IDService               auth.IDService
-	GithubRepoFactory       *github.Factory
-	GithubConnectionFactory githubconnection.GithubFactory
-	DecryptService          decrypt.DecryptService
+	Server              *Server
+	SQLStore            db.DB
+	Cfg                 *setting.Cfg
+	NotificationService *notifications.NotificationServiceMock
+	GRPCServer          grpcserver.Provider
+	PluginRegistry      registry.Service
+	HTTPClientProvider  httpclient.Provider
+	OAuthTokenService   *oauthtokentest.Service
+	RequestMiddleware   web.Middleware
+	FeatureToggles      featuremgmt.FeatureToggles
+	ResourceClient      resource.ResourceClient
+	IDService           auth.IDService
+	GitHubFactory       *github.Factory
+	DecryptService      decrypt.DecryptService
 }
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@@ -15,7 +15,6 @@ import (
 	"go.opentelemetry.io/otel/trace"

 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
-	ghconnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/grafana/grafana/apps/provisioning/pkg/repository/github"
 	"github.com/grafana/grafana/pkg/api"
 	"github.com/grafana/grafana/pkg/api/avatar"
@@ -298,7 +297,6 @@ var wireBasicSet = wire.NewSet(
 	notifications.ProvideService,
 	notifications.ProvideSmtpService,
 	github.ProvideFactory,
-	ghconnection.ProvideFactory,
 	tracing.ProvideService,
 	tracing.ProvideTracingConfig,
 	wire.Bind(new(tracing.Tracer), new(*tracing.TracingService)),
--- a/pkg/server/wire_gen.go
+++ b/pkg/server/wire_gen.go
--- a/pkg/server/wireexts_oss.go
+++ b/pkg/server/wireexts_oss.go
@@ -72,7 +72,6 @@ import (

 var provisioningExtras = wire.NewSet(
 	extras.ProvideProvisioningOSSRepositoryExtras,
-	extras.ProvideProvisioningOSSConnectionExtras,
 )

 var configProviderExtras = wire.NewSet(
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@@ -1148,6 +1148,14 @@ var (
 			Owner:        identityAccessTeam,
 			HideFromDocs: true,
 		},
+		{
+			Name:         "exploreMetricsRelatedLogs",
+			Description:  "Display Related Logs in Grafana Metrics Drilldown",
+			Stage:        FeatureStageExperimental,
+			Owner:        grafanaObservabilityMetricsSquad,
+			FrontendOnly: true,
+			HideFromDocs: false,
+		},
 		{
 			Name:         "prometheusSpecialCharsInLabelValues",
 			Description:  "Adds support for quotes and special characters in label values for Prometheus queries",
--- a/pkg/services/featuremgmt/toggles_gen.csv
+++ b/pkg/services/featuremgmt/toggles_gen.csv
@@ -159,6 +159,7 @@ newTimeRangeZoomShortcuts,experimental,@grafana/dataviz-squad,false,false,true
 azureMonitorDisableLogLimit,GA,@grafana/partner-datasources,false,false,false
 playlistsReconciler,experimental,@grafana/grafana-app-platform-squad,false,true,false
 passwordlessMagicLinkAuthentication,experimental,@grafana/identity-access-team,false,false,false
+exploreMetricsRelatedLogs,experimental,@grafana/observability-metrics,false,false,true
 prometheusSpecialCharsInLabelValues,experimental,@grafana/oss-big-tent,false,false,true
 enableExtensionsAdminPage,experimental,@grafana/plugins-platform-backend,false,true,false
 enableSCIM,preview,@grafana/identity-access-team,false,false,false
--- a/pkg/services/featuremgmt/toggles_gen.json
+++ b/pkg/services/featuremgmt/toggles_gen.json
@@ -348,20 +348,6 @@
        "expression": "true"
      }
    },
-    {
-      "metadata": {
-        "name": "alertingNavigationV2",
-        "resourceVersion": "1767827323622",
-        "creationTimestamp": "2026-01-07T23:08:43Z",
-        "deletionTimestamp": "2026-01-12T18:34:54Z"
-      },
-      "spec": {
-        "description": "Enable new grouped navigation structure for Alerting",
-        "stage": "experimental",
-        "codeowner": "@grafana/alerting-squad",
-        "expression": "false"
-      }
-    },
    {
      "metadata": {
        "name": "alertingNotificationHistory",
@@ -1422,8 +1408,7 @@
      "metadata": {
        "name": "exploreMetricsRelatedLogs",
        "resourceVersion": "1764664939750",
-        "creationTimestamp": "2024-11-05T16:28:43Z",
-        "deletionTimestamp": "2026-01-09T22:14:53Z"
+        "creationTimestamp": "2024-11-05T16:28:43Z"
      },
      "spec": {
        "description": "Display Related Logs in Grafana Metrics Drilldown",
--- a/pkg/services/navtree/navtreeimpl/navtree.go
+++ b/pkg/services/navtree/navtreeimpl/navtree.go
@@ -436,212 +436,97 @@ func (s *ServiceImpl) buildAlertNavLinks(c *contextmodel.ReqContext) *navtree.Na
 	hasAccess := ac.HasAccess(s.accessControl, c)
 	var alertChildNavs []*navtree.NavLink

-	var alertActivityChildren []*navtree.NavLink
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingTriage) {
 		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
-			alertActivityChildren = append(alertActivityChildren, &navtree.NavLink{
-				Text:     "Alerts",
-				SubTitle: "Visualize active and pending alerts",
-				Id:       "alert-activity-alerts",
-				Url:      s.cfg.AppSubURL + "/alerting/alerts",
-				Icon:     "bell",
-			})
-		}
-
-		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingInstanceRead), ac.EvalPermission(ac.ActionAlertingInstancesExternalRead))) {
-			alertActivityChildren = append(alertActivityChildren, &navtree.NavLink{
-				Text:     "Active notifications",
-				SubTitle: "See grouped alerts with active notifications",
-				Id:       "alert-activity-groups",
-				Url:      s.cfg.AppSubURL + "/alerting/groups",
-				Icon:     "layer-group",
-			})
-		}
-		if len(alertActivityChildren) > 0 {
 			alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-				Text:     "Alert activity",
-				SubTitle: "Visualize active and pending alerts",
-				Id:       "alert-activity",
-				Url:      s.cfg.AppSubURL + "/alerting/alerts",
-				Icon:     "bell",
-				IsNew:    true,
-				Children: alertActivityChildren,
+				Text: "Alert activity", SubTitle: "Visualize active and pending alerts", Id: "alert-alerts", Url: s.cfg.AppSubURL + "/alerting/alerts", Icon: "bell", IsNew: true,
 			})
 		}
 	}

-	var alertRulesChildren []*navtree.NavLink
 	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
-		alertRulesChildren = append(alertRulesChildren, &navtree.NavLink{
-			Text:     "Alert rules",
-			SubTitle: "Rules that determine whether an alert will fire",
-			Id:       "alert-rules-list",
-			Url:      s.cfg.AppSubURL + "/alerting/list",
-			Icon:     "list-ul",
-		})
-	}
-	//nolint:staticcheck // not yet migrated to OpenFeature
-	if c.GetOrgRole() == org.RoleAdmin && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertRuleRestore) && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingRuleRecoverDeleted) {
-		alertRulesChildren = append(alertRulesChildren, &navtree.NavLink{
-			Text:     "Recently deleted",
-			SubTitle: "Any items listed here for more than 30 days will be automatically deleted.",
-			Id:       "alert-rules-recently-deleted",
-			Url:      s.cfg.AppSubURL + "/alerting/recently-deleted",
-		})
-	}
-	if len(alertRulesChildren) > 0 {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:     "Alert rules",
-			SubTitle: "Manage alert and recording rules",
-			Id:       "alert-rules",
-			Url:      s.cfg.AppSubURL + "/alerting/list",
-			Icon:     "list-ul",
-			Children: alertRulesChildren,
+			Text: "Alert rules", SubTitle: "Rules that determine whether an alert will fire", Id: "alert-list", Url: s.cfg.AppSubURL + "/alerting/list", Icon: "list-ul",
 		})
 	}

-	var notificationConfigChildren []*navtree.NavLink
-
 	contactPointsPerms := []ac.Evaluator{
 		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
 		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
+
 		ac.EvalPermission(ac.ActionAlertingReceiversRead),
 		ac.EvalPermission(ac.ActionAlertingReceiversReadSecrets),
 		ac.EvalPermission(ac.ActionAlertingReceiversCreate),
+
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesRead),
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesWrite),
 		ac.EvalPermission(ac.ActionAlertingNotificationsTemplatesDelete),
 	}

 	if hasAccess(ac.EvalAny(contactPointsPerms...)) {
-		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
-			Text:     "Contact points",
-			SubTitle: "Choose how to notify your contact points when an alert instance fires",
-			Id:       "notification-config-contact-points",
-			Url:      s.cfg.AppSubURL + "/alerting/notifications",
-			Icon:     "comment-alt-share",
-		})
-	}
-
-	if hasAccess(ac.EvalAny(
-		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
-		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
-		ac.EvalPermission(ac.ActionAlertingRoutesRead),
-		ac.EvalPermission(ac.ActionAlertingRoutesWrite),
-		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsRead),
-		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsWrite),
-	)) {
-		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
-			Text:     "Notification policies",
-			SubTitle: "Determine how alerts are routed to contact points",
-			Id:       "notification-config-policies",
-			Url:      s.cfg.AppSubURL + "/alerting/routes",
-			Icon:     "sitemap",
-		})
-	}
-
-	if hasAccess(ac.EvalAny(contactPointsPerms...)) {
-		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
-			Text:     "Notification templates",
-			SubTitle: "Manage notification templates",
-			Id:       "notification-config-templates",
-			Url:      s.cfg.AppSubURL + "/alerting/notifications/templates",
-			Icon:     "file-alt",
-		})
-	}
-
-	if hasAccess(ac.EvalAny(
-		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
-		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
-		ac.EvalPermission(ac.ActionAlertingRoutesRead),
-		ac.EvalPermission(ac.ActionAlertingRoutesWrite),
-		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsRead),
-		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsWrite),
-	)) {
-		notificationConfigChildren = append(notificationConfigChildren, &navtree.NavLink{
-			Text:     "Time intervals",
-			SubTitle: "Configure time intervals for notification policies",
-			Id:       "notification-config-time-intervals",
-			Url:      s.cfg.AppSubURL + "/alerting/routes?tab=time_intervals",
-			Icon:     "clock-nine",
-		})
-	}
-
-	if len(notificationConfigChildren) > 0 {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:     "Notification configuration",
-			SubTitle: "Configure how alerts are notified",
-			Id:       "notification-config",
-			Url:      s.cfg.AppSubURL + "/alerting/notifications",
-			Icon:     "cog",
-			Children: notificationConfigChildren,
+			Text: "Contact points", SubTitle: "Choose how to notify your contact points when an alert instance fires", Id: "receivers", Url: s.cfg.AppSubURL + "/alerting/notifications",
+			Icon: "comment-alt-share",
 		})
 	}

-	var insightsChildren []*navtree.NavLink
-
-	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead), ac.EvalPermission(ac.ActionAlertingRuleExternalRead))) {
-		insightsChildren = append(insightsChildren, &navtree.NavLink{
-			Text:     "System Insights",
-			SubTitle: "View system insights and analytics",
-			Id:       "insights-system", Url: s.cfg.AppSubURL + "/alerting/insights",
-			Icon: "chart-line",
-		})
+	if hasAccess(ac.EvalAny(
+		ac.EvalPermission(ac.ActionAlertingNotificationsRead),
+		ac.EvalPermission(ac.ActionAlertingNotificationsExternalRead),
+		ac.EvalPermission(ac.ActionAlertingRoutesRead),
+		ac.EvalPermission(ac.ActionAlertingRoutesWrite),
+		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsRead),
+		ac.EvalPermission(ac.ActionAlertingNotificationsTimeIntervalsWrite),
+	)) {
+		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Notification policies", SubTitle: "Determine how alerts are routed to contact points", Id: "am-routes", Url: s.cfg.AppSubURL + "/alerting/routes", Icon: "sitemap"})
 	}
-	// Alert state history
+
+	if hasAccess(ac.EvalAny(
+		ac.EvalPermission(ac.ActionAlertingInstanceRead),
+		ac.EvalPermission(ac.ActionAlertingInstancesExternalRead),
+		ac.EvalPermission(ac.ActionAlertingSilencesRead),
+	)) {
+		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Silences", SubTitle: "Stop notifications from one or more alerting rules", Id: "silences", Url: s.cfg.AppSubURL + "/alerting/silences", Icon: "bell-slash"})
+	}
+
+	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingInstanceRead), ac.EvalPermission(ac.ActionAlertingInstancesExternalRead))) {
+		alertChildNavs = append(alertChildNavs, &navtree.NavLink{Text: "Alert groups", SubTitle: "See grouped alerts with active notifications", Id: "groups", Url: s.cfg.AppSubURL + "/alerting/groups", Icon: "layer-group"})
+	}
+
 	//nolint:staticcheck // not yet migrated to OpenFeature
 	if s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingCentralAlertHistory) {
 		if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleRead))) {
-			insightsChildren = append(insightsChildren, &navtree.NavLink{
-				Text:     "Alert state history",
+			alertChildNavs = append(alertChildNavs, &navtree.NavLink{
+				Text:     "History",
 				SubTitle: "View a history of all alert events generated by your Grafana-managed alert rules. All alert events are displayed regardless of whether silences or mute timings are set.",
-				Id:       "insights-history",
+				Id:       "alerts-history",
 				Url:      s.cfg.AppSubURL + "/alerting/history",
 				Icon:     "history",
 			})
 		}
 	}
-
-	if len(insightsChildren) > 0 {
+	//nolint:staticcheck // not yet migrated to OpenFeature
+	if c.GetOrgRole() == org.RoleAdmin && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertRuleRestore) && s.features.IsEnabled(c.Req.Context(), featuremgmt.FlagAlertingRuleRecoverDeleted) {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:     "Insights",
-			SubTitle: "Analytics and history for alerting",
-			Id:       "insights",
-			Url:      s.cfg.AppSubURL + "/alerting/insights",
-			Icon:     "chart-line",
-			Children: insightsChildren,
+			Text:     "Recently deleted",
+			SubTitle: "Any items listed here for more than 30 days will be automatically deleted.",
+			Id:       "alerts/recently-deleted",
+			Url:      s.cfg.AppSubURL + "/alerting/recently-deleted",
 		})
 	}

 	if c.GetOrgRole() == org.RoleAdmin {
-		settingsChildren := []*navtree.NavLink{
-			{
-				Text: "Settings",
-				Id:   "alerting-admin",
-				Url:  s.cfg.AppSubURL + "/alerting/admin",
-				Icon: "cog",
-			},
-		}
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:     "Settings",
-			SubTitle: "Alerting configuration and administration",
-			Id:       "alerting-settings",
-			Url:      s.cfg.AppSubURL + "/alerting/admin",
-			Icon:     "cog",
-			Children: settingsChildren,
+			Text: "Settings", Id: "alerting-admin", Url: s.cfg.AppSubURL + "/alerting/admin",
+			Icon: "cog",
 		})
 	}

 	if hasAccess(ac.EvalAny(ac.EvalPermission(ac.ActionAlertingRuleCreate), ac.EvalPermission(ac.ActionAlertingRuleExternalWrite))) {
 		alertChildNavs = append(alertChildNavs, &navtree.NavLink{
-			Text:           "Create alert rule",
-			SubTitle:       "Create an alert rule",
-			Id:             "alert",
-			Icon:           "plus",
-			Url:            s.cfg.AppSubURL + "/alerting/new",
-			HideFromTabs:   true,
-			IsCreateAction: true,
+			Text: "Create alert rule", SubTitle: "Create an alert rule", Id: "alert",
+			Icon: "plus", Url: s.cfg.AppSubURL + "/alerting/new", HideFromTabs: true, IsCreateAction: true,
 		})
 	}

--- a/pkg/services/navtree/navtreeimpl/navtree_alerting_test.go
+++ b/pkg/services/navtree/navtreeimpl/navtree_alerting_test.go
@@ -1,158 +0,0 @@
-package navtreeimpl
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/grafana/grafana/pkg/infra/log"
-	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
-	accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
-	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
-	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	"github.com/grafana/grafana/pkg/services/navtree"
-	"github.com/grafana/grafana/pkg/services/org"
-	"github.com/grafana/grafana/pkg/services/user"
-	"github.com/grafana/grafana/pkg/setting"
-	"github.com/grafana/grafana/pkg/web"
-)
-
-// Test fixtures
-func setupTestContext() *contextmodel.ReqContext {
-	httpReq, _ := http.NewRequest(http.MethodGet, "", nil)
-	return &contextmodel.ReqContext{
-		SignedInUser: &user.SignedInUser{
-			UserID:  1,
-			OrgID:   1,
-			OrgRole: org.RoleAdmin,
-		},
-		Context: &web.Context{Req: httpReq},
-	}
-}
-
-func setupTestService(permissions []ac.Permission, featureFlags ...string) ServiceImpl {
-	// Convert string slice to []any for WithFeatures
-	flags := make([]any, len(featureFlags))
-	for i, flag := range featureFlags {
-		flags[i] = flag
-	}
-	return ServiceImpl{
-		log:           log.New("navtree"),
-		cfg:           setting.NewCfg(),
-		accessControl: accesscontrolmock.New().WithPermissions(permissions),
-		features:      featuremgmt.WithFeatures(flags...),
-	}
-}
-
-func fullPermissions() []ac.Permission {
-	return []ac.Permission{
-		{Action: ac.ActionAlertingRuleRead, Scope: "*"},
-		{Action: ac.ActionAlertingNotificationsRead, Scope: "*"},
-		{Action: ac.ActionAlertingRoutesRead, Scope: "*"},
-		{Action: ac.ActionAlertingInstanceRead, Scope: "*"},
-	}
-}
-
-// Helper to find a nav link by ID
-func findNavLink(navLink *navtree.NavLink, id string) *navtree.NavLink {
-	if navLink == nil {
-		return nil
-	}
-	if navLink.Id == id {
-		return navLink
-	}
-	for _, child := range navLink.Children {
-		if found := findNavLink(child, id); found != nil {
-			return found
-		}
-	}
-	return nil
-}
-
-// Helper to check if a nav link has a child with given ID
-func hasChildWithId(parent *navtree.NavLink, childId string) bool {
-	if parent == nil {
-		return false
-	}
-	for _, child := range parent.Children {
-		if child.Id == childId {
-			return true
-		}
-	}
-	return false
-}
-
-func TestBuildAlertNavLinks(t *testing.T) {
-	reqCtx := setupTestContext()
-	allFeatureFlags := []string{"alertingTriage", "alertingCentralAlertHistory", "alertRuleRestore", "alertingRuleRecoverDeleted"}
-	service := setupTestService(fullPermissions(), allFeatureFlags...)
-
-	t.Run("Should have correct parent structure", func(t *testing.T) {
-		navLink := service.buildAlertNavLinks(reqCtx)
-		require.NotNil(t, navLink)
-		require.NotEmpty(t, navLink.Children)
-
-		// Verify all parent items exist with children
-		parentIds := []string{"alert-rules", "notification-config", "insights", "alerting-settings"}
-		for _, parentId := range parentIds {
-			parent := findNavLink(navLink, parentId)
-			require.NotNil(t, parent, "Should have parent %s", parentId)
-			require.NotEmpty(t, parent.Children, "Parent %s should have children", parentId)
-		}
-	})
-
-	t.Run("Should have correct tabs under each parent", func(t *testing.T) {
-		navLink := service.buildAlertNavLinks(reqCtx)
-		require.NotNil(t, navLink)
-
-		// Table-driven test for tab verification
-		tests := []struct {
-			parentId     string
-			expectedTabs []string
-		}{
-			{"alert-rules", []string{"alert-rules-list", "alert-rules-recently-deleted"}},
-			{"notification-config", []string{"notification-config-contact-points", "notification-config-policies", "notification-config-templates", "notification-config-time-intervals"}},
-			{"insights", []string{"insights-system", "insights-history"}},
-		}
-
-		for _, tt := range tests {
-			parent := findNavLink(navLink, tt.parentId)
-			require.NotNil(t, parent, "Should have %s parent", tt.parentId)
-
-			for _, expectedTab := range tt.expectedTabs {
-				require.True(t, hasChildWithId(parent, expectedTab), "Parent %s should have tab %s", tt.parentId, expectedTab)
-			}
-		}
-	})
-
-	t.Run("Should respect permissions", func(t *testing.T) {
-		limitedPermissions := []ac.Permission{
-			{Action: ac.ActionAlertingRuleRead, Scope: "*"},
-		}
-		limitedService := setupTestService(limitedPermissions)
-
-		navLink := limitedService.buildAlertNavLinks(reqCtx)
-		require.NotNil(t, navLink)
-
-		// Should not have notification-config without notification permissions
-		require.Nil(t, findNavLink(navLink, "notification-config"), "Should not have notification-config without permissions")
-	})
-
-	t.Run("Should exclude future items", func(t *testing.T) {
-		navLink := service.buildAlertNavLinks(reqCtx)
-		require.NotNil(t, navLink)
-
-		// Verify future items are not present
-		futureIds := []string{
-			"alert-rules-recording-rules",
-			"alert-rules-evaluation-chains",
-			"insights-alert-optimizer",
-			"insights-notification-history",
-		}
-
-		for _, futureId := range futureIds {
-			require.Nil(t, findNavLink(navLink, futureId), "Should not have future item %s", futureId)
-		}
-	})
-}
--- a/pkg/storage/unified/resource/notifier.go
+++ b/pkg/storage/unified/resource/notifier.go
@@ -78,13 +78,13 @@ func (n *notifier) Watch(ctx context.Context, opts watchOptions) <-chan Event {
 	cache := gocache.New(cacheTTL, cacheCleanupInterval)
 	events := make(chan Event, opts.BufferSize)

-	lastRV, err := n.lastEventResourceVersion(ctx)
+	initialRV, err := n.lastEventResourceVersion(ctx)
 	if errors.Is(err, ErrNotFound) {
-		lastRV = 0 // No events yet, start from the beginning
+		initialRV = snowflakeFromTime(time.Now()) // No events yet, start from the beginning
 	} else if err != nil {
 		n.log.Error("Failed to get last event resource version", "error", err)
 	}
-	lastRV = lastRV + 1 // We want to start watching from the next event
+	lastRV := initialRV + 1 // We want to start watching from the next event

 	go func() {
 		defer close(events)
@@ -110,7 +110,7 @@ func (n *notifier) Watch(ctx context.Context, opts watchOptions) <-chan Event {
 					}

 					// Skip old events lower than the requested resource version
-					if evt.ResourceVersion < lastRV {
+					if evt.ResourceVersion <= initialRV {
 						continue
 					}

--- a/pkg/storage/unified/resource/notifier_test.go
+++ b/pkg/storage/unified/resource/notifier_test.go
@@ -25,6 +25,7 @@ func setupTestNotifier(t *testing.T) (*notifier, *eventStore) {
 	return notifier, eventStore
 }

+// nolint:unused
 func setupTestNotifierSqlKv(t *testing.T) (*notifier, *eventStore) {
 	dbstore := db.InitTestDB(t)
 	eDB, err := dbimpl.ProvideResourceDB(dbstore, setting.NewCfg(), nil)
@@ -59,7 +60,8 @@ func runNotifierTestWith(t *testing.T, storeName string, newStoreFn func(*testin

 func TestNotifier_lastEventResourceVersion(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierLastEventResourceVersion)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierLastEventResourceVersion)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierLastEventResourceVersion)
 }

 func testNotifierLastEventResourceVersion(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -110,7 +112,8 @@ func testNotifierLastEventResourceVersion(t *testing.T, ctx context.Context, not

 func TestNotifier_cachekey(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierCachekey)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierCachekey)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierCachekey)
 }

 func testNotifierCachekey(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -164,7 +167,8 @@ func testNotifierCachekey(t *testing.T, ctx context.Context, notifier *notifier,

 func TestNotifier_Watch_NoEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchNoEvents)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchNoEvents)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchNoEvents)
 }

 func testNotifierWatchNoEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -205,7 +209,8 @@ func testNotifierWatchNoEvents(t *testing.T, ctx context.Context, notifier *noti

 func TestNotifier_Watch_WithExistingEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchWithExistingEvents)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchWithExistingEvents)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchWithExistingEvents)
 }

 func testNotifierWatchWithExistingEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -279,7 +284,8 @@ func testNotifierWatchWithExistingEvents(t *testing.T, ctx context.Context, noti

 func TestNotifier_Watch_EventDeduplication(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchEventDeduplication)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchEventDeduplication)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchEventDeduplication)
 }

 func testNotifierWatchEventDeduplication(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -345,7 +351,8 @@ func testNotifierWatchEventDeduplication(t *testing.T, ctx context.Context, noti

 func TestNotifier_Watch_ContextCancellation(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchContextCancellation)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchContextCancellation)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchContextCancellation)
 }

 func testNotifierWatchContextCancellation(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
@@ -391,7 +398,8 @@ func testNotifierWatchContextCancellation(t *testing.T, ctx context.Context, not

 func TestNotifier_Watch_MultipleEvents(t *testing.T) {
 	runNotifierTestWith(t, "badger", setupTestNotifier, testNotifierWatchMultipleEvents)
-	runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchMultipleEvents)
+	// enable this when sqlkv is ready
+	// runNotifierTestWith(t, "sqlkv", setupTestNotifierSqlKv, testNotifierWatchMultipleEvents)
 }

 func testNotifierWatchMultipleEvents(t *testing.T, ctx context.Context, notifier *notifier, eventStore *eventStore) {
--- a/pkg/storage/unified/resource/storage_backend.go
+++ b/pkg/storage/unified/resource/storage_backend.go
@@ -346,8 +346,7 @@ func (k *kvStorageBackend) WriteEvent(ctx context.Context, event WriteEvent) (in
 			return 0, fmt.Errorf("failed to write data: %w", err)
 		}

-		rv = rvmanager.SnowflakeFromRv(rv)
-		dataKey.ResourceVersion = rv
+		dataKey.ResourceVersion = rvmanager.SnowflakeFromRv(rv)
 	} else {
 		err := k.dataStore.Save(ctx, dataKey, bytes.NewReader(event.Value))
 		if err != nil {
--- a/pkg/storage/unified/testing/storage_backend_sql_compatibility.go
+++ b/pkg/storage/unified/testing/storage_backend_sql_compatibility.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 	"time"

+	"github.com/bwmarrin/snowflake"
 	"github.com/stretchr/testify/require"

 	claims "github.com/grafana/authlib/types"
@@ -186,30 +187,13 @@ func runKeyPathTest(t *testing.T, backend resource.StorageBackend, nsPrefix stri

 // verifyKeyPath is a helper function to verify key_path generation
 func verifyKeyPath(t *testing.T, db sqldb.DB, ctx context.Context, key *resourcepb.ResourceKey, action string, resourceVersion int64, expectedFolder string) {
-	// For SQL backend (namespace contains "-sql"), resourceVersion is in microsecond format
-	// but key_path stores snowflake RV, so convert to snowflake
-	// For KV backend (namespace contains "-kv"), resourceVersion is already in snowflake format
-	isSqlBackend := strings.Contains(key.Namespace, "-sql")
-
-	var keyPathRV int64
-	if isSqlBackend {
-		// Convert microsecond RV to snowflake for key_path construction
-		keyPathRV = rvmanager.SnowflakeFromRv(resourceVersion)
-	} else {
-		// KV backend already provides snowflake RV
-		keyPathRV = resourceVersion
-	}
-
-	// Build the expected key_path using DataKey format: unified/data/group/resource/namespace/name/resourceVersion~action~folder
-	expectedKeyPath := fmt.Sprintf("unified/data/%s/%s/%s/%s/%d~%s~%s", key.Group, key.Resource, key.Namespace, key.Name, keyPathRV, action, expectedFolder)
-
 	var query string
 	if db.DriverName() == "postgres" {
-		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE key_path = $1"
+		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE namespace = $1 AND name = $2 AND resource_version = $3"
 	} else {
-		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE key_path = ?"
+		query = "SELECT key_path, resource_version, action, folder FROM resource_history WHERE namespace = ? AND name = ? AND resource_version = ?"
 	}
-	rows, err := db.QueryContext(ctx, query, expectedKeyPath)
+	rows, err := db.QueryContext(ctx, query, key.Namespace, key.Name, resourceVersion)
 	require.NoError(t, err)

 	require.True(t, rows.Next(), "Resource not found in resource_history table - both SQL and KV backends should write to this table")
@@ -236,6 +220,10 @@ func verifyKeyPath(t *testing.T, db sqldb.DB, ctx context.Context, key *resource
 	// Verify action suffix
 	require.Contains(t, keyPath, fmt.Sprintf("~%s~", action))

+	// Verify snowflake calculation
+	expectedSnowflake := (((resourceVersion / 1000) - snowflake.Epoch) << (snowflake.NodeBits + snowflake.StepBits)) + (resourceVersion % 1000)
+	require.Contains(t, keyPath, fmt.Sprintf("/%d~", expectedSnowflake), "actual RV: %d", actualRV)
+
 	// Verify folder if specified
 	if expectedFolder != "" {
 		require.Equal(t, expectedFolder, actualFolder)
@@ -504,10 +492,10 @@ func verifyResourceHistoryRecord(t *testing.T, record ResourceHistoryRecord, exp
 	}

 	// Validate previous_resource_version
-	// For KV backend operations, expectedPrevRV is now in snowflake format (returned by KV backend)
-	// but resource_history table stores microsecond RV, so we need to use IsRvEqual for comparison
+	// For KV backend operations, resource versions are stored as snowflake format
+	// but expectedPrevRV is in microsecond format, so we need to use IsRvEqual for comparison
 	if strings.Contains(record.Namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(expectedPrevRV, record.PreviousResourceVersion),
+		require.True(t, rvmanager.IsRvEqual(record.PreviousResourceVersion, expectedPrevRV),
 			"Previous resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedPrevRV, record.PreviousResourceVersion)
@@ -517,10 +505,9 @@ func verifyResourceHistoryRecord(t *testing.T, record ResourceHistoryRecord, exp
 	require.Equal(t, expectedGeneration, record.Generation)

 	// Validate resource_version
-	// For KV backend operations, expectedRV is now in snowflake format (returned by KV backend)
-	// but resource_history table stores microsecond RV, so we need to use IsRvEqual for comparison
+	// For KV backend operations, resource versions are stored as snowflake format
 	if strings.Contains(record.Namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(expectedRV, record.ResourceVersion),
+		require.True(t, rvmanager.IsRvEqual(record.ResourceVersion, expectedRV),
 			"Resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedRV, record.ResourceVersion)
@@ -587,7 +574,7 @@ func verifyResourceTable(t *testing.T, db sqldb.DB, namespace string, resources
 	// Resource version should match the expected version for test-resource-3 (updated version)
 	expectedRV := resourceVersions[2][1] // test-resource-3's update version
 	if strings.Contains(namespace, "-kv") {
-		require.True(t, rvmanager.IsRvEqual(expectedRV, record.ResourceVersion),
+		require.True(t, rvmanager.IsRvEqual(record.ResourceVersion, expectedRV),
 			"Resource version should match (KV backend snowflake format)")
 	} else {
 		require.Equal(t, expectedRV, record.ResourceVersion)
@@ -638,16 +625,9 @@ func verifyResourceVersionTable(t *testing.T, db sqldb.DB, namespace string, res

 	// The resource_version table should contain the latest RV for the group+resource
 	// It might be slightly higher due to RV manager operations, so check it's at least our max
-	// For KV backend, maxRV is in snowflake format but record.ResourceVersion is in microsecond format
-	// Use IsRvEqual for proper comparison between different RV formats
-	isKvBackend := strings.Contains(namespace, "-kv")
-	recordResourceVersion := record.ResourceVersion
-	if isKvBackend {
-		recordResourceVersion = rvmanager.SnowflakeFromRv(record.ResourceVersion)
-	}
-
-	require.Less(t, recordResourceVersion, int64(9223372036854775807), "resource_version should be reasonable")
-	require.Greater(t, recordResourceVersion, maxRV, "resource_version should be at least the latest RV we tracked")
+	require.GreaterOrEqual(t, record.ResourceVersion, maxRV, "resource_version should be at least the latest RV we tracked")
+	// But it shouldn't be too much higher (within a reasonable range)
+	require.LessOrEqual(t, record.ResourceVersion, maxRV+100, "resource_version shouldn't be much higher than expected")
 }

 // runTestCrossBackendConsistency tests basic consistency between SQL and KV backends (lightweight)
--- a/pkg/storage/unified/testing/storage_backend_test.go
+++ b/pkg/storage/unified/testing/storage_backend_test.go
@@ -38,6 +38,7 @@ func TestBadgerKVStorageBackend(t *testing.T) {

 func TestSQLKVStorageBackend(t *testing.T) {
 	skipTests := map[string]bool{
+		TestHappyPath:                 true,
 		TestWatchWriteEvents:          true,
 		TestList:                      true,
 		TestBlobSupport:               true,
@@ -50,24 +51,21 @@ func TestSQLKVStorageBackend(t *testing.T) {
 		TestGetResourceLastImportTime: true,
 		TestOptimisticLocking:         true,
 	}
-
-	t.Run("Without RvManager", func(t *testing.T) {
-		RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
-			backend, _ := NewTestSqlKvBackend(t, ctx, false)
-			return backend
-		}, &TestOptions{
-			NSPrefix:  "sqlkvstorage-test",
-			SkipTests: skipTests,
-		})
+	// without RvManager
+	RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
+		backend, _ := NewTestSqlKvBackend(t, ctx, false)
+		return backend
+	}, &TestOptions{
+		NSPrefix:  "sqlkvstorage-test",
+		SkipTests: skipTests,
 	})

-	t.Run("With RvManager", func(t *testing.T) {
-		RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
-			backend, _ := NewTestSqlKvBackend(t, ctx, true)
-			return backend
-		}, &TestOptions{
-			NSPrefix:  "sqlkvstorage-withrvmanager-test",
-			SkipTests: skipTests,
-		})
+	// with RvManager
+	RunStorageBackendTest(t, func(ctx context.Context) resource.StorageBackend {
+		backend, _ := NewTestSqlKvBackend(t, ctx, true)
+		return backend
+	}, &TestOptions{
+		NSPrefix:  "sqlkvstorage-withrvmanager-test",
+		SkipTests: skipTests,
 	})
 }
--- a/pkg/tests/apis/helper.go
+++ b/pkg/tests/apis/helper.go
@@ -14,7 +14,6 @@ import (
 	"testing"
 	"time"

-	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -208,10 +207,6 @@ func (c *K8sTestHelper) GetEnv() server.TestEnv {
 	return c.env
 }

-func (c *K8sTestHelper) SetGithubConnectionFactory(f githubConnection.GithubFactory) {
-	c.env.GithubConnectionFactory = f
-}
-
 func (c *K8sTestHelper) GetListenerAddress() string {
 	return c.listenerAddress
 }
--- a/pkg/tests/apis/openapi_snapshots/provisioning.grafana.app-v0alpha1.json
+++ b/pkg/tests/apis/openapi_snapshots/provisioning.grafana.app-v0alpha1.json
@@ -4559,7 +4559,7 @@
              }
            ]
          },
-          "token": {
+          "webhook": {
            "description": "Token is the reference of the token used to act as the Connection. This value is stored securely and cannot be read back",
            "default": {},
            "allOf": [
--- a/pkg/tests/apis/provisioning/connection_repositories_test.go
+++ b/pkg/tests/apis/provisioning/connection_repositories_test.go
@@ -2,13 +2,13 @@ package provisioning

 import (
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"testing"

 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
@@ -20,7 +20,7 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {

 	helper := runGrafana(t)
 	ctx := context.Background()
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -39,12 +39,13 @@ func TestIntegrationProvisioning_ConnectionRepositories(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": privateKeyBase64,
+				"create": "someSecret",
 			},
 		},
 	}}
-	_, err := helper.CreateGithubConnection(t, ctx, connection)
-	require.NoError(t, err)
+
+	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+	require.NoError(t, err, "failed to create connection")

 	t.Run("endpoint returns not implemented", func(t *testing.T) {
 		var statusCode int
@@ -128,14 +129,14 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T

 	helper := runGrafana(t)
 	ctx := context.Background()
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
 		"apiVersion": "provisioning.grafana.app/v0alpha1",
 		"kind":       "Connection",
 		"metadata": map[string]any{
-			"name":      "connection-repositories-test",
+			"name":      "connection-repositories-type-test",
 			"namespace": "default",
 		},
 		"spec": map[string]any{
@@ -147,12 +148,13 @@ func TestIntegrationProvisioning_ConnectionRepositoriesResponseType(t *testing.T
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": privateKeyBase64,
+				"create": "someSecret",
 			},
 		},
 	}}
-	_, err := helper.CreateGithubConnection(t, ctx, connection)
-	require.NoError(t, err)
+
+	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+	require.NoError(t, err, "failed to create connection")

 	t.Run("verify ExternalRepositoryList type exists in API", func(t *testing.T) {
 		// Verify the type is registered and can be instantiated
--- a/pkg/tests/apis/provisioning/connection_status_auth_test.go
+++ b/pkg/tests/apis/provisioning/connection_status_auth_test.go
@@ -2,12 +2,12 @@ package provisioning

 import (
 	"context"
-	"encoding/base64"
 	"net/http"
 	"testing"

 	"github.com/stretchr/testify/require"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	"github.com/grafana/grafana/pkg/util/testutil"
@@ -18,7 +18,7 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {

 	helper := runGrafana(t)
 	ctx := context.Background()
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}

 	// Create a connection for testing
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -37,12 +37,13 @@ func TestIntegrationProvisioning_ConnectionStatusAuthorization(t *testing.T) {
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": privateKeyBase64,
+				"create": "someSecret",
 			},
 		},
 	}}
-	_, err := helper.CreateGithubConnection(t, ctx, connection)
-	require.NoError(t, err)
+
+	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
+	require.NoError(t, err, "failed to create connection")

 	t.Run("admin can GET connection status", func(t *testing.T) {
 		var statusCode int
--- a/pkg/tests/apis/provisioning/connection_test.go
+++ b/pkg/tests/apis/provisioning/connection_test.go
@@ -2,20 +2,11 @@ package provisioning

 import (
 	"context"
-	"encoding/base64"
-	"encoding/json"
 	"errors"
-	"fmt"
-	"net/http"
 	"testing"
 	"time"

-	"github.com/golang-jwt/jwt/v4"
-	"github.com/google/go-github/v70/github"
-	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
-	"github.com/grafana/grafana/pkg/extensions"
 	"github.com/grafana/grafana/pkg/util/testutil"
-	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -26,55 +17,12 @@ import (
 	clientset "github.com/grafana/grafana/apps/provisioning/pkg/generated/clientset/versioned"
 )

-//nolint:gosec // Test RSA private key (generated for testing purposes only)
-const testPrivateKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
-MIIEoQIBAAKCAQBn1MuM5hIfH6d3TNStI1ofWv/gcjQ4joi9cFijEwVLuPYkF1nD
-KkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6m5T/sHfVSiEWAEUblh3cA34HVCmD
-cqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyjpKOXuojJ9wN9a17D2cYU5WkXjoDC
-4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7DA9T8yiZwIWPp5YesgsAPyQLCFPgM
-s77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQohUID0BIxE7G5quL069RuuCZWZkoF
-oPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmXAgMBAAECggEADSs4Bc7ITZo+Kytb
-bfol3AQ2n8jcRrANN7mgBE7NRSVYUouDnvUlbnCC2t3QXPwLdxQa11GkygLSQ2bg
-GeVDgq1o4GUJTcvxFlFCcpU/hEANI/DQsxNAQ/4wUGoLOlHaO3HPvwBblHA70gGe
-Ux/xpG+lMAFAiB0EHEwZ4M0mClBEOQv3NzaFTWuBHtIMS8eid7M1q5qz9+rCgZSL
-KBBHo0OvUbajG4CWl8SM6LUYapASGg+U17E+4xA3npwpIdsk+CbtX+vvX324n4kn
-0EkrJqCjv8M1KiCKAP+UxwP00ywxOg4PN+x+dHI/I7xBvEKe/x6BltVSdGA+PlUK
-02wagQKBgQDF7gdQLFIagPH7X7dBP6qEGxj/Ck9Qdz3S1gotPkVeq+1/UtQijYZ1
-j44up/0yB2B9P4kW091n+iWcyfoU5UwBua9dHvCZP3QH05LR1ZscUHxLGjDPBASt
-l2xSq0hqqNWBspb1M0eCY0Yxi65iDkj3xsI2iN35BEb1FlWdR5KGvwKBgQCGS0ce
-wASWbZIPU2UoKGOQkIJU6QmLy0KZbfYkpyfE8IxGttYVEQ8puNvDDNZWHNf+LP85
-c8iV6SfnWiLmu1XkG2YmJFBCCAWgJ8Mq2XQD8E+a/xcaW3NqlcC5+I2czX367j3r
-69wZSxRbzR+DCfOiIkrekJImwN183ZYy2cBbKQKBgFj86IrSMmO6H5Ft+j06u5ZD
-fJyF7Rz3T3NwSgkHWzbyQ4ggHEIgsRg/36P4YSzSBj6phyAdRwkNfUWdxXMJmH+a
-FU7frzqnPaqbJAJ1cBRt10QI1XLtkpDdaJVObvONTtjOC3LYiEkGCzQRYeiyFXpZ
-AU51gJ8JnkFotjtNR4KPAoGAehVREDlLcl0lnN0ZZspgyPk2Im6/iOA9KTH3xBZZ
-ZwWu4FIyiHA7spgk4Ep5R0ttZ9oMI3SIcw/EgONGOy8uw/HMiPwWIhEc3B2JpRiO
-CU6bb7JalFFyuQBudiHoyxVcY5PVovWF31CLr3DoJr4TR9+Y5H/U/XnzYCIo+w1N
-exECgYBFAGKYTIeGAvhIvD5TphLpbCyeVLBIq5hRyrdRY+6Iwqdr5PGvLPKwin5+
-+4CDhWPW4spq8MYPCRiMrvRSctKt/7FhVGL2vE/0VY3TcLk14qLC+2+0lnPVgnYn
-u5/wOyuHp1cIBnjeN41/pluOWFBHI9xLW3ExLtmYMiecJ8VdRA==
-----END RSA PRIVATE KEY-----`
-
-//nolint:gosec // Test RSA public key (generated for testing purposes only)
-const testPublicKeyPem = `-----BEGIN PUBLIC KEY-----
-MIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQBn1MuM5hIfH6d3TNStI1of
-Wv/gcjQ4joi9cFijEwVLuPYkF1nDKkSbaMGFUWiOTaB/H9fxmd/V2u04NlBY3av6
-m5T/sHfVSiEWAEUblh3cA34HVCmDcqyyVty5HLGJJlSs2C7W2x7yUc9ImzyDBsyj
-pKOXuojJ9wN9a17D2cYU5WkXjoDC4BHid61jn9WBTtPZXSgOdirwahNzxZQSIP7D
-A9T8yiZwIWPp5YesgsAPyQLCFPgMs77xz/CEUnEYQ35zI/k/mQrwKdQ/ZP8xLwQo
-hUID0BIxE7G5quL069RuuCZWZkoFoPiZbp7HSryz1+19jD3rFT7eHGUYvAyCnXmX
-AgMBAAE=
-----END PUBLIC KEY-----`
-
 func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 	testutil.SkipIntegrationTestInShortMode(t)

 	helper := runGrafana(t)
+	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))
-
-	decryptService := helper.GetEnv().DecryptService
-	require.NotNil(t, decryptService, "decrypt service not wired properly")

 	t.Run("should perform CRUDL requests on connection", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -93,12 +41,12 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
 		// CREATE
-		_, err := helper.CreateGithubConnection(t, ctx, connection)
+		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.NoError(t, err, "failed to create resource")

 		// READ
@@ -116,22 +64,6 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 		require.Contains(t, output.Object, "secure", "object should contain secure")
 		assert.Contains(t, output.Object["secure"], "privateKey", "secure should contain PrivateKey")

-		// Verifying token
-		assert.Contains(t, output.Object["secure"], "token", "token should be created")
-		secretName, found, err := unstructured.NestedString(output.Object, "secure", "token", "name")
-		require.NoError(t, err, "error getting secret name")
-		require.True(t, found, "secret name should exist: %v", output.Object)
-		decrypted, err := decryptService.Decrypt(ctx, "provisioning.grafana.app", output.GetNamespace(), secretName)
-		require.NoError(t, err, "decryption error")
-		require.Len(t, decrypted, 1)
-
-		val := decrypted[secretName].Value()
-		require.NotNil(t, val)
-		k := val.DangerouslyExposeAndConsumeValue()
-		valid, err := verifyToken(t, "123456", testPublicKeyPem, k)
-		require.NoError(t, err, "error verifying token: %s", k)
-		require.True(t, valid, "token should be valid: %s", k)
-
 		// LIST
 		list, err := helper.Connections.Resource.List(ctx, metav1.ListOptions{})
 		require.NoError(t, err, "failed to list resource")
@@ -149,22 +81,22 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			"spec": map[string]any{
 				"type": "github",
 				"github": map[string]any{
-					"appID":          "123456",
-					"installationID": "454546",
+					"appID":          "456789",
+					"installationID": "454545",
 				},
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
-		res, err := helper.UpdateGithubConnection(t, ctx, updatedConnection)
+		res, err := helper.Connections.Resource.Update(ctx, updatedConnection, metav1.UpdateOptions{})
 		require.NoError(t, err, "failed to update resource")
 		spec = res.Object["spec"].(map[string]any)
 		require.Contains(t, spec, "github")
 		githubInfo = spec["github"].(map[string]any)
-		assert.Equal(t, "454546", githubInfo["installationID"], "installationID should be updated")
+		assert.Equal(t, "456789", githubInfo["appID"], "appID should be updated")

 		// DELETE
 		require.NoError(t, helper.Connections.Resource.Delete(ctx, "connection", metav1.DeleteOptions{}), "failed to delete resource")
@@ -190,7 +122,7 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
@@ -223,12 +155,9 @@ func TestIntegrationProvisioning_ConnectionCRUDL(t *testing.T) {
 }

 func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
-	testutil.SkipIntegrationTestInShortMode(t)
-
 	helper := runGrafana(t)
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
 	ctx := context.Background()
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	t.Run("should fail when type is empty", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
@@ -243,13 +172,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "connection type \"\" is not supported")
+		assert.Contains(t, err.Error(), "type must be specified")
 	})

 	t.Run("should fail when type is invalid", func(t *testing.T) {
@@ -265,57 +194,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "connection type \"some-invalid-type\" is not supported")
-	})
-
-	t.Run("should fail when type is 'git'", func(t *testing.T) {
-		connection := &unstructured.Unstructured{Object: map[string]any{
-			"apiVersion": "provisioning.grafana.app/v0alpha1",
-			"kind":       "Connection",
-			"metadata": map[string]any{
-				"name":      "connection",
-				"namespace": "default",
-			},
-			"spec": map[string]any{
-				"type": "git",
-			},
-			"secure": map[string]any{
-				"privateKey": map[string]any{
-					"create": privateKeyBase64,
-				},
-			},
-		}}
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "connection type \"git\" is not supported")
-	})
-
-	t.Run("should fail when type is 'local'", func(t *testing.T) {
-		connection := &unstructured.Unstructured{Object: map[string]any{
-			"apiVersion": "provisioning.grafana.app/v0alpha1",
-			"kind":       "Connection",
-			"metadata": map[string]any{
-				"name":      "connection",
-				"namespace": "default",
-			},
-			"spec": map[string]any{
-				"type": "local",
-			},
-			"secure": map[string]any{
-				"privateKey": map[string]any{
-					"create": privateKeyBase64,
-				},
-			},
-		}}
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "connection type \"local\" is not supported")
+		assert.Contains(t, err.Error(), "spec.type: Unsupported value: \"some-invalid-type\"")
 	})

 	t.Run("should fail when type is github but 'github' field is not there", func(t *testing.T) {
@@ -331,13 +216,13 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 			},
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "invalid github connection")
+		assert.Contains(t, err.Error(), "github info must be specified for GitHub connection")
 	})

 	t.Run("should fail when type is github but private key is not there", func(t *testing.T) {
@@ -361,7 +246,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "privateKey must be specified for GitHub connection")
 	})

-	t.Run("should fail when type is github but a client Secret is also specified", func(t *testing.T) {
+	t.Run("should fail when type is github but a client Secret is specified", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
 			"kind":       "Connection",
@@ -378,7 +263,7 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "someSecret",
 				},
 				"clientSecret": map[string]any{
 					"create": "someSecret",
@@ -390,100 +275,6 @@ func TestIntegrationProvisioning_ConnectionValidation(t *testing.T) {
 		assert.Contains(t, err.Error(), "clientSecret is forbidden in GitHub connection")
 	})

-	t.Run("should fail when type is github and github API is unavailable", func(t *testing.T) {
-		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
-		connectionFactory.Client = ghmock.NewMockedHTTPClient(
-			ghmock.WithRequestMatchHandler(
-				ghmock.GetApp,
-				http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-					w.WriteHeader(http.StatusServiceUnavailable)
-					require.NoError(t, json.NewEncoder(w).Encode(github.ErrorResponse{
-						Response: &http.Response{
-							StatusCode: http.StatusServiceUnavailable,
-						},
-						Message: "Service unavailable",
-					}))
-				}),
-			),
-		)
-		helper.SetGithubConnectionFactory(connectionFactory)
-
-		connection := &unstructured.Unstructured{Object: map[string]any{
-			"apiVersion": "provisioning.grafana.app/v0alpha1",
-			"kind":       "Connection",
-			"metadata": map[string]any{
-				"name":      "connection",
-				"namespace": "default",
-			},
-			"spec": map[string]any{
-				"type": "github",
-				"github": map[string]any{
-					"appID":          "123456",
-					"installationID": "454545",
-				},
-			},
-			"secure": map[string]any{
-				"privateKey": map[string]any{
-					"create": privateKeyBase64,
-				},
-			},
-		}}
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "spec.token: Internal error: github is unavailable")
-	})
-
-	t.Run("should fail when type is github and returned app ID doesn't match given one", func(t *testing.T) {
-		var appID int64 = 123455
-		appSlug := "appSlug"
-		connectionFactory := helper.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
-		connectionFactory.Client = ghmock.NewMockedHTTPClient(
-			ghmock.WithRequestMatch(
-				ghmock.GetApp, github.App{
-					ID:   &appID,
-					Slug: &appSlug,
-				},
-			),
-		)
-		helper.SetGithubConnectionFactory(connectionFactory)
-
-		connection := &unstructured.Unstructured{Object: map[string]any{
-			"apiVersion": "provisioning.grafana.app/v0alpha1",
-			"kind":       "Connection",
-			"metadata": map[string]any{
-				"name":      "connection",
-				"namespace": "default",
-			},
-			"spec": map[string]any{
-				"type": "github",
-				"github": map[string]any{
-					"appID":          "123456",
-					"installationID": "454545",
-				},
-			},
-			"secure": map[string]any{
-				"privateKey": map[string]any{
-					"create": privateKeyBase64,
-				},
-			},
-		}}
-		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
-		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "spec.appID: Invalid value: \"123456\": appID mismatch")
-	})
-}
-
-func TestIntegrationProvisioning_ConnectionEnterpriseValidation(t *testing.T) {
-	testutil.SkipIntegrationTestInShortMode(t)
-
-	if !extensions.IsEnterprise {
-		t.Skip("Skipping integration test when not enterprise")
-	}
-
-	helper := runGrafana(t)
-	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
-	ctx := context.Background()
-
 	t.Run("should fail when type is bitbucket but 'bitbucket' field is not there", func(t *testing.T) {
 		connection := &unstructured.Unstructured{Object: map[string]any{
 			"apiVersion": "provisioning.grafana.app/v0alpha1",
@@ -503,7 +294,7 @@ func TestIntegrationProvisioning_ConnectionEnterpriseValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "invalid bitbucket connection")
+		assert.Contains(t, err.Error(), "bitbucket info must be specified in Bitbucket connection")
 	})

 	t.Run("should fail when type is bitbucket but client secret is not there", func(t *testing.T) {
@@ -573,7 +364,7 @@ func TestIntegrationProvisioning_ConnectionEnterpriseValidation(t *testing.T) {
 		}}
 		_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 		require.Error(t, err, "failed to create resource")
-		assert.Contains(t, err.Error(), "invalid gitlab connection")
+		assert.Contains(t, err.Error(), "gitlab info must be specified in Gitlab connection")
 	})

 	t.Run("should fail when type is gitlab but client secret is not there", func(t *testing.T) {
@@ -637,7 +428,6 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 	provisioningClient, err := clientset.NewForConfig(restConfig)
 	require.NoError(t, err)
 	connClient := provisioningClient.ProvisioningV0alpha1().Connections(namespace)
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	t.Run("health check gets updated after initial creation", func(t *testing.T) {
 		// Create a connection using unstructured (like other connection tests)
@@ -657,12 +447,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "test-private-key",
 				},
 			},
 		}}

-		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
+		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)

@@ -711,12 +501,12 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 			},
 			"secure": map[string]any{
 				"privateKey": map[string]any{
-					"create": privateKeyBase64,
+					"create": "test-private-key-2",
 				},
 			},
 		}}

-		createdUnstructured, err := helper.CreateGithubConnection(t, ctx, connUnstructured)
+		createdUnstructured, err := helper.Connections.Resource.Create(ctx, connUnstructured, metav1.CreateOptions{})
 		require.NoError(t, err)
 		require.NotNil(t, createdUnstructured)

@@ -748,7 +538,7 @@ func TestIntegrationConnectionController_HealthCheckUpdates(t *testing.T) {
 		updatedUnstructured := latestUnstructured.DeepCopy()
 		githubSpec := updatedUnstructured.Object["spec"].(map[string]any)["github"].(map[string]any)
 		githubSpec["appID"] = "99999"
-		_, err = helper.UpdateGithubConnection(t, ctx, updatedUnstructured)
+		_, err = helper.Connections.Resource.Update(ctx, updatedUnstructured, metav1.UpdateOptions{})
 		require.NoError(t, err)

 		// Wait for reconciliation after spec change
@@ -776,7 +566,6 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 	helper := runGrafana(t)
 	ctx := context.Background()
 	createOptions := metav1.CreateOptions{FieldValidation: "Strict"}
-	privateKeyBase64 := base64.StdEncoding.EncodeToString([]byte(testPrivateKeyPEM))

 	// Create a connection first
 	connection := &unstructured.Unstructured{Object: map[string]any{
@@ -795,12 +584,12 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		},
 		"secure": map[string]any{
 			"privateKey": map[string]any{
-				"create": privateKeyBase64,
+				"create": "test-private-key",
 			},
 		},
 	}}

-	_, err := helper.CreateGithubConnection(t, ctx, connection)
+	_, err := helper.Connections.Resource.Create(ctx, connection, createOptions)
 	require.NoError(t, err, "failed to create connection")

 	t.Cleanup(func() {
@@ -942,27 +731,3 @@ func TestIntegrationProvisioning_RepositoryFieldSelectorByConnection(t *testing.
 		assert.Contains(t, names, "repo-with-different-connection")
 	})
 }
-
-func verifyToken(t *testing.T, appID, publicKey, token string) (bool, error) {
-	t.Helper()
-
-	// Parse the private key
-	key, err := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKey))
-	if err != nil {
-		return false, err
-	}
-
-	parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (any, error) {
-		return key, nil
-	}, jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}))
-	if err != nil {
-		return false, err
-	}
-
-	claims, ok := parsedToken.Claims.(jwt.MapClaims)
-	if !ok || !parsedToken.Valid {
-		return false, fmt.Errorf("invalid token")
-	}
-
-	return claims.VerifyIssuer(appID, true), nil
-}
--- a/pkg/tests/apis/provisioning/helper_test.go
+++ b/pkg/tests/apis/provisioning/helper_test.go
@@ -10,14 +10,11 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"testing"
 	"text/template"
 	"time"

-	"github.com/google/go-github/v70/github"
-	"github.com/grafana/grafana/pkg/extensions"
 	ghmock "github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -33,7 +30,6 @@ import (
 	dashboardsV2beta1 "github.com/grafana/grafana/apps/dashboard/pkg/apis/dashboard/v2beta1"
 	folder "github.com/grafana/grafana/apps/folder/pkg/apis/folder/v1beta1"
 	provisioning "github.com/grafana/grafana/apps/provisioning/pkg/apis/provisioning/v0alpha1"
-	githubConnection "github.com/grafana/grafana/apps/provisioning/pkg/connection/github"
 	grafanarest "github.com/grafana/grafana/pkg/apiserver/rest"
 	"github.com/grafana/grafana/pkg/registry/apis/provisioning/jobs"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -703,18 +699,13 @@ func runGrafana(t *testing.T, options ...grafanaOption) *provisioningTestHelper
 		// (instance is needed for export jobs, folder for most operations)
 		ProvisioningAllowedTargets: []string{"folder", "instance"},
 	}
-
-	if extensions.IsEnterprise {
-		opts.ProvisioningRepositoryTypes = []string{"local", "github", "gitlab", "bitbucket"}
-	}
-
 	for _, o := range options {
 		o(&opts)
 	}
 	helper := apis.NewK8sTestHelper(t, opts)

-	// FIXME: keeping these lines here to keep the dependency around until we have tests which use this again.
-	helper.GetEnv().GithubRepoFactory.Client = ghmock.NewMockedHTTPClient()
+	// FIXME: keeping this line here to keep the dependency around until we have tests which use this again.
+	helper.GetEnv().GitHubFactory.Client = ghmock.NewMockedHTTPClient()

 	repositories := helper.GetResourceClient(apis.ResourceClientArgs{
 		User:      helper.Org1.Admin,
@@ -982,79 +973,6 @@ func (h *provisioningTestHelper) CleanupAllRepos(t *testing.T) {
 	}, waitTimeoutDefault, waitIntervalDefault, "repositories should be cleaned up between subtests")
 }

-func (h *provisioningTestHelper) CreateGithubConnection(
-	t *testing.T,
-	ctx context.Context,
-	connection *unstructured.Unstructured,
-) (*unstructured.Unstructured, error) {
-	t.Helper()
-
-	err := h.setGithubClient(t, connection)
-	if err != nil {
-		return nil, err
-	}
-
-	return h.Connections.Resource.Create(ctx, connection, metav1.CreateOptions{FieldValidation: "Strict"})
-}
-
-func (h *provisioningTestHelper) UpdateGithubConnection(
-	t *testing.T,
-	ctx context.Context,
-	connection *unstructured.Unstructured,
-) (*unstructured.Unstructured, error) {
-	t.Helper()
-
-	err := h.setGithubClient(t, connection)
-	if err != nil {
-		return nil, err
-	}
-
-	return h.Connections.Resource.Update(ctx, connection, metav1.UpdateOptions{FieldValidation: "Strict"})
-}
-
-func (h *provisioningTestHelper) setGithubClient(t *testing.T, connection *unstructured.Unstructured) error {
-	t.Helper()
-
-	objectSpec := connection.Object["spec"].(map[string]interface{})
-	githubObj := objectSpec["github"].(map[string]interface{})
-	appID := githubObj["appID"].(string)
-	id, err := strconv.ParseInt(appID, 10, 64)
-	if err != nil {
-		return err
-	}
-
-	appSlug := "someSlug"
-	connectionFactory := h.GetEnv().GithubConnectionFactory.(*githubConnection.Factory)
-	connectionFactory.Client = ghmock.NewMockedHTTPClient(
-		ghmock.WithRequestMatchHandler(
-			ghmock.GetApp,
-			http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-				w.WriteHeader(http.StatusOK)
-				app := github.App{
-					ID:   &id,
-					Slug: &appSlug,
-				}
-				_, _ = w.Write(ghmock.MustMarshal(app))
-			}),
-		),
-		ghmock.WithRequestMatchHandler(
-			ghmock.GetAppInstallationsByInstallationId,
-			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				id := r.URL.Query().Get("installation_id")
-				idInt, _ := strconv.ParseInt(id, 10, 64)
-				w.WriteHeader(http.StatusOK)
-				installation := github.Installation{
-					ID: &idInt,
-				}
-				_, _ = w.Write(ghmock.MustMarshal(installation))
-			}),
-		),
-	)
-	h.SetGithubConnectionFactory(connectionFactory)
-
-	return nil
-}
-
 func postHelper(t *testing.T, helper apis.K8sTestHelper, path string, body interface{}, user apis.User) (map[string]interface{}, int, error) {
 	return requestHelper(t, helper, http.MethodPost, path, body, user)
 }
--- a/pkg/tests/apis/provisioning/repository_test.go
+++ b/pkg/tests/apis/provisioning/repository_test.go
@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"

-	"github.com/grafana/grafana/pkg/extensions"
 	provisioningAPIServer "github.com/grafana/grafana/pkg/registry/apis/provisioning"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -150,19 +149,10 @@ func TestIntegrationProvisioning_CreatingAndGetting(t *testing.T) {
 				}
 			}

-			if extensions.IsEnterprise {
-				assert.ElementsMatch(collect, []provisioning.RepositoryType{
-					provisioning.LocalRepositoryType,
-					provisioning.GitHubRepositoryType,
-					provisioning.BitbucketRepositoryType,
-					provisioning.GitLabRepositoryType,
-				}, settings.AvailableRepositoryTypes)
-			} else {
-				assert.ElementsMatch(collect, []provisioning.RepositoryType{
-					provisioning.LocalRepositoryType,
-					provisioning.GitHubRepositoryType,
-				}, settings.AvailableRepositoryTypes)
-			}
+			assert.ElementsMatch(collect, []provisioning.RepositoryType{
+				provisioning.LocalRepositoryType,
+				provisioning.GitHubRepositoryType,
+			}, settings.AvailableRepositoryTypes)
 		}, time.Second*10, time.Millisecond*100, "Expected settings to match")
 	})

--- a/pkg/tests/testinfra/testinfra.go
+++ b/pkg/tests/testinfra/testinfra.go
@@ -622,12 +622,6 @@ func CreateGrafDir(t *testing.T, opts GrafanaOpts) (string, string) {
 		_, err = provisioningSect.NewKey("allowed_targets", strings.Join(opts.ProvisioningAllowedTargets, "|"))
 		require.NoError(t, err)
 	}
-	if len(opts.ProvisioningRepositoryTypes) > 0 {
-		provisioningSect, err := getOrCreateSection("provisioning")
-		require.NoError(t, err)
-		_, err = provisioningSect.NewKey("repository_types", strings.Join(opts.ProvisioningRepositoryTypes, "|"))
-		require.NoError(t, err)
-	}
 	if opts.EnableSCIM {
 		scimSection, err := getOrCreateSection("auth.scim")
 		require.NoError(t, err)
@@ -737,7 +731,6 @@ type GrafanaOpts struct {
 	UnifiedStorageMaxPageSizeBytes        int
 	PermittedProvisioningPaths            string
 	ProvisioningAllowedTargets            []string
-	ProvisioningRepositoryTypes           []string
 	GrafanaComSSOAPIToken                 string
 	LicensePath                           string
 	EnableRecordingRules                  bool
--- a/public/app/core/components/AppChrome/MegaMenu/MegaMenu.tsx
+++ b/public/app/core/components/AppChrome/MegaMenu/MegaMenu.tsx
@@ -37,24 +37,9 @@ export const MegaMenu = memo(
    const pinnedItems = usePinnedItems();

    // Remove profile + help from tree
-    // For Alerting navigation, flatten the sidebar to show only top-level items (hide nested children/tabs)
    const navItems = navTree
      .filter((item) => item.id !== 'profile' && item.id !== 'help')
-      .map((item) => {
-        const enriched = enrichWithInteractionTracking(item, state.megaMenuDocked);
-        // If this is Alerting section, flatten children for sidebar display
-        // Children are still available in navIndex for breadcrumbs and page navigation
-        if (item.id === 'alerting' && enriched.children) {
-          return {
-            ...enriched,
-            children: enriched.children.map((child) => ({
-              ...child,
-              children: undefined, // Remove nested children from sidebar, but keep them for page navigation
-            })),
-          };
-        }
-        return enriched;
-      });
+      .map((item) => enrichWithInteractionTracking(item, state.megaMenuDocked));

    const bookmarksItem = navItems.find((item) => item.id === 'bookmarks');
    if (bookmarksItem) {
--- a/public/app/core/components/Breadcrumbs/utils.ts
+++ b/public/app/core/components/Breadcrumbs/utils.ts
@@ -35,18 +35,11 @@ export function buildBreadcrumbs(sectionNav: NavModelItem, pageNav?: NavModelIte

    if (shouldAddCrumb) {
      const activeChildIndex = node.children?.findIndex((child) => child.active) ?? -1;
-      // Add active tab to breadcrumbs if it exists and its URL is different from the node's URL
-      // This ensures tabs show in breadcrumbs (including the first tab) while preventing duplication
-      if (activeChildIndex >= 0) {
+      // Add tab to breadcrumbs if it's not the first active child
+      if (activeChildIndex > 0) {
        const activeChild = node.children?.[activeChildIndex];
        if (activeChild) {
-          // Only add the active child if its URL doesn't match the node's URL
-          // This prevents duplication when the pageNav is the active tab
-          const nodeUrl = node.url?.split('?')[0] ?? '';
-          const childUrl = activeChild.url?.split('?')[0] ?? '';
-          if (nodeUrl !== childUrl) {
-            crumbs.unshift({ text: activeChild.text, href: activeChild.url ?? '' });
-          }
+          crumbs.unshift({ text: activeChild.text, href: activeChild.url ?? '' });
        }
      }
      crumbs.unshift({ text: node.text, href: node.url ?? '' });
--- a/public/app/features/alerting/routes.tsx
+++ b/public/app/features/alerting/routes.tsx
@@ -56,17 +56,6 @@ export function getAlertingRoutes(cfg = config): RouteDescriptor[] {
          )
      ),
    },
-    {
-      path: '/alerting/time-intervals',
-      roles: evaluateAccess([
-        AccessControlAction.AlertingNotificationsRead,
-        AccessControlAction.AlertingNotificationsExternalRead,
-        ...PERMISSIONS_TIME_INTERVALS_READ,
-      ]),
-      component: importAlertingComponent(
-        () => import(/* webpackChunkName: "TimeIntervalsPage" */ 'app/features/alerting/unified/TimeIntervalsPage')
-      ),
-    },
    {
      path: '/alerting/routes/mute-timing/new',
      roles: evaluateAccess([
@@ -223,13 +212,6 @@ export function getAlertingRoutes(cfg = config): RouteDescriptor[] {
          )
      ),
    },
-    {
-      path: '/alerting/insights',
-      roles: evaluateAccess([AccessControlAction.AlertingRuleRead, AccessControlAction.AlertingRuleExternalRead]),
-      component: importAlertingComponent(
-        () => import(/* webpackChunkName: "InsightsPage" */ 'app/features/alerting/unified/insights/InsightsPage')
-      ),
-    },
    {
      path: '/alerting/recently-deleted/',
      roles: () => ['Admin'],
--- a/public/app/features/alerting/unified/AlertGroups.tsx
+++ b/public/app/features/alerting/unified/AlertGroups.tsx
@@ -14,7 +14,6 @@ import { AlertGroupFilter } from './components/alert-groups/AlertGroupFilter';
 import { useFilteredAmGroups } from './hooks/useFilteredAmGroups';
 import { useGroupedAlerts } from './hooks/useGroupedAlerts';
 import { useUnifiedAlertingSelector } from './hooks/useUnifiedAlertingSelector';
-import { useAlertActivityNav } from './navigation/useAlertActivityNav';
 import { useAlertmanager } from './state/AlertmanagerContext';
 import { fetchAlertGroupsAction } from './state/actions';
 import { NOTIFICATIONS_POLL_INTERVAL_MS } from './utils/constants';
@@ -114,9 +113,8 @@ const AlertGroups = () => {
 };

 function AlertGroupsPage() {
-  const { navId, pageNav } = useAlertActivityNav();
  return (
-    <AlertmanagerPageWrapper navId={navId || 'groups'} pageNav={pageNav} accessType="instance">
+    <AlertmanagerPageWrapper navId="groups" accessType="instance">
      <AlertGroups />
    </AlertmanagerPageWrapper>
  );
--- a/public/app/features/alerting/unified/NotificationPoliciesPage.test.tsx
+++ b/public/app/features/alerting/unified/NotificationPoliciesPage.test.tsx
@@ -140,35 +140,6 @@ const getRootRoute = async () => {
 };

 describe('NotificationPolicies', () => {
-  beforeEach(() => {
-    setupDataSources(dataSources.am);
-    grantUserPermissions([
-      AccessControlAction.AlertingNotificationsRead,
-      AccessControlAction.AlertingNotificationsWrite,
-      ...PERMISSIONS_NOTIFICATION_POLICIES,
-    ]);
-  });
-
-  it('shows only notification policies without internal tabs', async () => {
-    renderNotificationPolicies();
-
-    // Should show notification policies directly
-    expect(await ui.rootRouteContainer.find()).toBeInTheDocument();
-
-    // Should not have tabs
-    expect(screen.queryByRole('tab')).not.toBeInTheDocument();
-  });
-
-  it('does not show time intervals tab', async () => {
-    renderNotificationPolicies();
-
-    // Should show notification policies
-    expect(await ui.rootRouteContainer.find()).toBeInTheDocument();
-
-    // Should not show time intervals tab
-    expect(screen.queryByText(/time intervals/i)).not.toBeInTheDocument();
-  });
-
  // combobox hack :/
  beforeAll(() => {
    const mockGetBoundingClientRect = jest.fn(() => ({
--- a/public/app/features/alerting/unified/NotificationPoliciesPage.tsx
+++ b/public/app/features/alerting/unified/NotificationPoliciesPage.tsx
@@ -1,29 +1,115 @@
+import { css } from '@emotion/css';
+import { useState } from 'react';
+
+import { GrafanaTheme2, UrlQueryMap } from '@grafana/data';
+import { t } from '@grafana/i18n';
+import { Tab, TabContent, TabsBar, useStyles2 } from '@grafana/ui';
+import { useQueryParams } from 'app/core/hooks/useQueryParams';
+import { useMuteTimings } from 'app/features/alerting/unified/components/mute-timings/useMuteTimings';
 import { NotificationPoliciesList } from 'app/features/alerting/unified/components/notification-policies/NotificationPoliciesList';
+import { AlertmanagerAction, useAlertmanagerAbility } from 'app/features/alerting/unified/hooks/useAbilities';

 import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
 import { GrafanaAlertmanagerWarning } from './components/GrafanaAlertmanagerWarning';
-import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
+import { TimeIntervalsTable } from './components/mute-timings/MuteTimingsTable';
 import { useAlertmanager } from './state/AlertmanagerContext';
 import { withPageErrorBoundary } from './withPageErrorBoundary';

-const NotificationPoliciesContent = () => {
+enum ActiveTab {
+  NotificationPolicies = 'notification_policies',
+  TimeIntervals = 'time_intervals',
+}
+
+const NotificationPoliciesTabs = () => {
+  const styles = useStyles2(getStyles);
+
+  // Alertmanager logic and data hooks
  const { selectedAlertmanager = '' } = useAlertmanager();
+  const [policiesSupported, canSeePoliciesTab] = useAlertmanagerAbility(AlertmanagerAction.ViewNotificationPolicyTree);
+  const [timingsSupported, canSeeTimingsTab] = useAlertmanagerAbility(AlertmanagerAction.ViewTimeInterval);
+  const availableTabs = [
+    canSeePoliciesTab && ActiveTab.NotificationPolicies,
+    canSeeTimingsTab && ActiveTab.TimeIntervals,
+  ].filter((tab) => !!tab);
+  const { data: muteTimings = [] } = useMuteTimings({
+    alertmanager: selectedAlertmanager,
+    skip: !canSeeTimingsTab,
+  });
+
+  // Tab state management
+  const [queryParams, setQueryParams] = useQueryParams();
+  const { tab } = getActiveTabFromUrl(queryParams, availableTabs[0]);
+  const [activeTab, setActiveTab] = useState<ActiveTab>(tab);
+
+  const muteTimingsTabActive = activeTab === ActiveTab.TimeIntervals;
+  const policyTreeTabActive = activeTab === ActiveTab.NotificationPolicies;
+
+  const numberOfMuteTimings = muteTimings.length;
+
  return (
    <>
      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager} />
-      <NotificationPoliciesList />
+      <TabsBar>
+        {policiesSupported && canSeePoliciesTab && (
+          <Tab
+            label={t('alerting.notification-policies-tabs.label-notification-policies', 'Notification Policies')}
+            active={policyTreeTabActive}
+            onChangeTab={() => {
+              setActiveTab(ActiveTab.NotificationPolicies);
+              setQueryParams({ tab: ActiveTab.NotificationPolicies });
+            }}
+          />
+        )}
+        {timingsSupported && canSeeTimingsTab && (
+          <Tab
+            label={t('alerting.notification-policies-tabs.label-time-intervals', 'Time intervals')}
+            active={muteTimingsTabActive}
+            counter={numberOfMuteTimings}
+            onChangeTab={() => {
+              setActiveTab(ActiveTab.TimeIntervals);
+              setQueryParams({ tab: ActiveTab.TimeIntervals });
+            }}
+          />
+        )}
+      </TabsBar>
+      <TabContent className={styles.tabContent}>
+        {policyTreeTabActive && <NotificationPoliciesList />}
+        {muteTimingsTabActive && <TimeIntervalsTable />}
+      </TabContent>
    </>
  );
 };

-function NotificationPoliciesPage() {
-  const { navId, pageNav } = useNotificationConfigNav();
+const getStyles = (theme: GrafanaTheme2) => ({
+  tabContent: css({
+    marginTop: theme.spacing(2),
+  }),
+});

-  // Show only notification policies (no internal tabs)
-  // Time intervals are accessible via the sidebar navigation
+interface QueryParamValues {
+  tab: ActiveTab;
+}
+
+function getActiveTabFromUrl(queryParams: UrlQueryMap, defaultTab: ActiveTab): QueryParamValues {
+  let tab = defaultTab;
+
+  if (queryParams.tab === ActiveTab.NotificationPolicies) {
+    tab = ActiveTab.NotificationPolicies;
+  }
+
+  if (queryParams.tab === ActiveTab.TimeIntervals) {
+    tab = ActiveTab.TimeIntervals;
+  }
+
+  return {
+    tab,
+  };
+}
+
+function NotificationPoliciesPage() {
  return (
-    <AlertmanagerPageWrapper navId={navId || 'am-routes'} pageNav={pageNav} accessType="notification">
-      <NotificationPoliciesContent />
+    <AlertmanagerPageWrapper navId="am-routes" accessType="notification">
+      <NotificationPoliciesTabs />
    </AlertmanagerPageWrapper>
  );
 }
--- a/public/app/features/alerting/unified/Templates.tsx
+++ b/public/app/features/alerting/unified/Templates.tsx
@@ -1,52 +1,13 @@
 import { Route, Routes } from 'react-router-dom-v5-compat';

-import { Trans } from '@grafana/i18n';
-import { LinkButton, Stack, Text } from '@grafana/ui';
-
-import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
 import DuplicateMessageTemplate from './components/contact-points/DuplicateMessageTemplate';
 import EditMessageTemplate from './components/contact-points/EditMessageTemplate';
 import NewMessageTemplate from './components/contact-points/NewMessageTemplate';
-import { NotificationTemplates } from './components/contact-points/NotificationTemplates';
-import { AlertmanagerAction, useAlertmanagerAbility } from './hooks/useAbilities';
-import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
 import { withPageErrorBoundary } from './withPageErrorBoundary';

-const TemplatesList = () => {
-  const [createTemplateSupported, createTemplateAllowed] = useAlertmanagerAbility(
-    AlertmanagerAction.CreateNotificationTemplate
-  );
-
-  return (
-    <>
-      <Stack direction="row" alignItems="center" justifyContent="space-between">
-        <Text variant="body" color="secondary">
-          <Trans i18nKey="alerting.notification-templates-tab.create-notification-templates-customize-notifications">
-            Create notification templates to customize your notifications.
-          </Trans>
-        </Text>
-        {createTemplateSupported && (
-          <LinkButton
-            icon="plus"
-            variant="primary"
-            href="/alerting/notifications/templates/new"
-            disabled={!createTemplateAllowed}
-          >
-            <Trans i18nKey="alerting.notification-templates-tab.add-notification-template-group">
-              Add notification template group
-            </Trans>
-          </LinkButton>
-        )}
-      </Stack>
-      <NotificationTemplates />
-    </>
-  );
-};
-
-function NotificationTemplatesRoutes() {
+function NotificationTemplates() {
  return (
    <Routes>
-      <Route path="" element={<TemplatesList />} />
      <Route path="new" element={<NewMessageTemplate />} />
      <Route path=":name/edit" element={<EditMessageTemplate />} />
      <Route path=":name/duplicate" element={<DuplicateMessageTemplate />} />
@@ -54,14 +15,4 @@ function NotificationTemplatesRoutes() {
  );
 }

-function NotificationTemplatesPage() {
-  const { navId, pageNav } = useNotificationConfigNav();
-
-  return (
-    <AlertmanagerPageWrapper navId={navId || 'receivers'} pageNav={pageNav} accessType="notification">
-      <NotificationTemplatesRoutes />
-    </AlertmanagerPageWrapper>
-  );
-}
-
-export default withPageErrorBoundary(NotificationTemplatesPage);
+export default withPageErrorBoundary(NotificationTemplates);
--- a/public/app/features/alerting/unified/TimeIntervalsPage.test.tsx
+++ b/public/app/features/alerting/unified/TimeIntervalsPage.test.tsx
@@ -1,65 +0,0 @@
-import { render, screen } from 'test/test-utils';
-
-import { configureStore } from 'app/store/configureStore';
-import { AccessControlAction } from 'app/types/accessControl';
-
-import TimeIntervalsPage from './TimeIntervalsPage';
-import { defaultConfig } from './components/mute-timings/mocks';
-import { setupMswServer } from './mockApi';
-import { grantUserPermissions, mockDataSource } from './mocks';
-import { setTimeIntervalsListEmpty } from './mocks/server/configure';
-import { setAlertmanagerConfig } from './mocks/server/entities/alertmanagers';
-import { setupDataSources } from './testSetup/datasources';
-import { DataSourceType, GRAFANA_RULES_SOURCE_NAME } from './utils/datasource';
-
-setupMswServer();
-
-const alertManager = mockDataSource({
-  name: 'Alertmanager',
-  type: DataSourceType.Alertmanager,
-});
-
-describe('TimeIntervalsPage', () => {
-  beforeEach(() => {
-    setupDataSources(alertManager);
-    setAlertmanagerConfig(GRAFANA_RULES_SOURCE_NAME, defaultConfig);
-    setTimeIntervalsListEmpty(); // Mock empty time intervals list so component renders
-    grantUserPermissions([
-      AccessControlAction.AlertingNotificationsRead,
-      AccessControlAction.AlertingTimeIntervalsRead,
-    ]);
-  });
-
-  it('renders time intervals table', async () => {
-    const mockNavIndex = {
-      'notification-config': {
-        id: 'notification-config',
-        text: 'Notification configuration',
-        url: '/alerting/notifications',
-      },
-      'notification-config-time-intervals': {
-        id: 'notification-config-time-intervals',
-        text: 'Time intervals',
-        url: '/alerting/time-intervals',
-      },
-    };
-    const store = configureStore({
-      navIndex: mockNavIndex,
-    });
-
-    render(<TimeIntervalsPage />, {
-      store,
-      historyOptions: {
-        initialEntries: ['/alerting/time-intervals'],
-      },
-    });
-
-    // Should show time intervals content
-    // When empty, it shows "You haven't created any time intervals yet"
-    // When loading, it shows "Loading time intervals..."
-    // When error, it shows "Error loading time intervals"
-    // All contain "time intervals" - use getAllByText since there are multiple matches (tab, description, empty state)
-    const timeIntervalsTexts = await screen.findAllByText(/time intervals/i, {}, { timeout: 5000 });
-    expect(timeIntervalsTexts.length).toBeGreaterThan(0);
-  });
-});
--- a/public/app/features/alerting/unified/TimeIntervalsPage.tsx
+++ b/public/app/features/alerting/unified/TimeIntervalsPage.tsx
@@ -1,31 +0,0 @@
-import { AlertmanagerPageWrapper } from './components/AlertingPageWrapper';
-import { GrafanaAlertmanagerWarning } from './components/GrafanaAlertmanagerWarning';
-import { TimeIntervalsTable } from './components/mute-timings/MuteTimingsTable';
-import { useNotificationConfigNav } from './navigation/useNotificationConfigNav';
-import { useAlertmanager } from './state/AlertmanagerContext';
-import { withPageErrorBoundary } from './withPageErrorBoundary';
-
-// Content component that uses AlertmanagerContext
-// This must be rendered within AlertmanagerPageWrapper
-function TimeIntervalsPageContent() {
-  const { selectedAlertmanager } = useAlertmanager();
-
-  return (
-    <>
-      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager!} />
-      <TimeIntervalsTable />
-    </>
-  );
-}
-
-function TimeIntervalsPage() {
-  const { navId, pageNav } = useNotificationConfigNav();
-
-  return (
-    <AlertmanagerPageWrapper navId={navId || 'am-routes'} pageNav={pageNav} accessType="notification">
-      <TimeIntervalsPageContent />
-    </AlertmanagerPageWrapper>
-  );
-}
-
-export default withPageErrorBoundary(TimeIntervalsPage);
--- a/public/app/features/alerting/unified/components/contact-points/ContactPoints.test.tsx
+++ b/public/app/features/alerting/unified/components/contact-points/ContactPoints.test.tsx
@@ -170,26 +170,6 @@ describe('contact points', () => {
      });
    });

-    test('shows only contact points without internal tabs', async () => {
-      renderWithProvider(<ContactPointsPageContents />);
-
-      // Should show contact points directly
-      expect(await screen.findByText(/create contact point/i)).toBeInTheDocument();
-
-      // Should not have tabs
-      expect(screen.queryByRole('tab')).not.toBeInTheDocument();
-    });
-
-    test('does not show templates tab', async () => {
-      renderWithProvider(<ContactPointsPageContents />);
-
-      // Should show contact points
-      expect(await screen.findByText(/create contact point/i)).toBeInTheDocument();
-
-      // Should not show templates tab
-      expect(screen.queryByText(/notification templates/i)).not.toBeInTheDocument();
-    });
-
    describe('templates tab', () => {
      it('does not show a warning for a "misconfigured" template', async () => {
        renderWithProvider(
@@ -278,6 +258,14 @@ describe('contact points', () => {
      // there should be view buttons though - one for provisioned, and one for the un-editable contact point
      const viewButtons = screen.getAllByRole('link', { name: /^view$/i });
      expect(viewButtons).toHaveLength(2);
+
+      // check buttons in Notification Templates
+      const notificationTemplatesTab = screen.getByRole('tab', { name: 'Notification Templates' });
+      await user.click(notificationTemplatesTab);
+      expect(screen.getByRole('link', { name: 'Add notification template group' })).toHaveAttribute(
+        'aria-disabled',
+        'true'
+      );
    });

    it('allows deleting when not disabled', async () => {
@@ -482,6 +470,11 @@ describe('contact points', () => {
      const viewButton = screen.getByRole('link', { name: /^view$/i });
      expect(viewButton).toBeInTheDocument();
      expect(viewButton).toBeEnabled();
+
+      // check buttons in Notification Templates
+      const notificationTemplatesTab = screen.getByRole('tab', { name: 'Notification Templates' });
+      await user.click(notificationTemplatesTab);
+      expect(screen.queryByRole('link', { name: 'Add notification template group' })).not.toBeInTheDocument();
    });
  });

--- a/public/app/features/alerting/unified/components/contact-points/ContactPoints.tsx
+++ b/public/app/features/alerting/unified/components/contact-points/ContactPoints.tsx
@@ -1,5 +1,19 @@
+import { useMemo } from 'react';
+
 import { Trans, t } from '@grafana/i18n';
-import { Alert, Button, EmptyState, LinkButton, LoadingPlaceholder, Pagination, Stack } from '@grafana/ui';
+import {
+  Alert,
+  Button,
+  EmptyState,
+  LinkButton,
+  LoadingPlaceholder,
+  Pagination,
+  Stack,
+  Tab,
+  TabContent,
+  TabsBar,
+  Text,
+} from '@grafana/ui';
 import { contextSrv } from 'app/core/services/context_srv';
 import { shouldUseK8sApi } from 'app/features/alerting/unified/utils/k8s/utils';
 import { makeAMLink, stringifyErrorLike } from 'app/features/alerting/unified/utils/misc';
@@ -8,7 +22,6 @@ import { AccessControlAction } from 'app/types/accessControl';
 import { AlertmanagerAction, useAlertmanagerAbility } from '../../hooks/useAbilities';
 import { usePagination } from '../../hooks/usePagination';
 import { useURLSearchParams } from '../../hooks/useURLSearchParams';
-import { useNotificationConfigNav } from '../../navigation/useNotificationConfigNav';
 import { useAlertmanager } from '../../state/AlertmanagerContext';
 import { isExtraConfig } from '../../utils/alertmanager/extraConfigs';
 import { GRAFANA_RULES_SOURCE_NAME } from '../../utils/datasource';
@@ -17,6 +30,7 @@ import { AlertmanagerPageWrapper } from '../AlertingPageWrapper';
 import { GrafanaAlertmanagerWarning } from '../GrafanaAlertmanagerWarning';

 import { ContactPoint } from './ContactPoint';
+import { NotificationTemplates } from './NotificationTemplates';
 import { ContactPointsFilter } from './components/ContactPointsFilter';
 import { GlobalConfigAlert } from './components/GlobalConfigAlert';
 import { useContactPointsWithStatus } from './useContactPoints';
@@ -85,7 +99,7 @@ const ContactPointsTab = () => {
  }

  return (
-    <Stack direction="column" gap={1}>
+    <>
      {/* TODO we can add some additional info here with a ToggleTip */}
      <Stack direction="row" alignItems="end" justifyContent="space-between">
        <ContactPointsFilter />
@@ -134,19 +148,109 @@ const ContactPointsTab = () => {
        <GlobalConfigAlert alertManagerName={selectedAlertmanager!} />
      )}
      {ExportDrawer}
-    </Stack>
+    </>
  );
 };

+const NotificationTemplatesTab = () => {
+  const [createTemplateSupported, createTemplateAllowed] = useAlertmanagerAbility(
+    AlertmanagerAction.CreateNotificationTemplate
+  );
+
+  return (
+    <>
+      <Stack direction="row" alignItems="center" justifyContent="space-between">
+        <Text variant="body" color="secondary">
+          <Trans i18nKey="alerting.notification-templates-tab.create-notification-templates-customize-notifications">
+            Create notification templates to customize your notifications.
+          </Trans>
+        </Text>
+        {createTemplateSupported && (
+          <LinkButton
+            icon="plus"
+            variant="primary"
+            href="/alerting/notifications/templates/new"
+            disabled={!createTemplateAllowed}
+          >
+            <Trans i18nKey="alerting.notification-templates-tab.add-notification-template-group">
+              Add notification template group
+            </Trans>
+          </LinkButton>
+        )}
+      </Stack>
+      <NotificationTemplates />
+    </>
+  );
+};
+
+const useTabQueryParam = (defaultTab: ActiveTab) => {
+  const [queryParams, setQueryParams] = useURLSearchParams();
+  const param = useMemo(() => {
+    const queryParam = queryParams.get('tab');
+
+    if (!queryParam || !Object.values(ActiveTab).map(String).includes(queryParam)) {
+      return defaultTab;
+    }
+
+    return queryParam || defaultTab;
+  }, [defaultTab, queryParams]);
+
+  const setParam = (tab: ActiveTab) => setQueryParams({ tab });
+  return [param, setParam] as const;
+};
+
 export const ContactPointsPageContents = () => {
  const { selectedAlertmanager } = useAlertmanager();
+  const [, canViewContactPoints] = useAlertmanagerAbility(AlertmanagerAction.ViewContactPoint);
+  const [, canCreateContactPoints] = useAlertmanagerAbility(AlertmanagerAction.CreateContactPoint);
+  const [, showTemplatesTab] = useAlertmanagerAbility(AlertmanagerAction.ViewNotificationTemplate);
+
+  const showContactPointsTab = canViewContactPoints || canCreateContactPoints;
+
+  // Depending on permissions, user may not have access to all tabs,
+  // but we can default to picking the first one that they definitely _do_ have access to
+  const defaultTab = [
+    showContactPointsTab && ActiveTab.ContactPoints,
+    showTemplatesTab && ActiveTab.NotificationTemplates,
+  ].filter((tab) => !!tab)[0];
+
+  const [activeTab, setActiveTab] = useTabQueryParam(defaultTab);
+
+  const { contactPoints } = useContactPointsWithStatus({
+    alertmanager: selectedAlertmanager!,
+  });
+
+  const showingContactPoints = activeTab === ActiveTab.ContactPoints;
+  const showNotificationTemplates = activeTab === ActiveTab.NotificationTemplates;

-  // Show only contact points (no internal tabs)
-  // Templates are accessible via the sidebar navigation
  return (
    <>
      <GrafanaAlertmanagerWarning currentAlertmanager={selectedAlertmanager!} />
-      <ContactPointsTab />
+      <Stack direction="column">
+        <TabsBar>
+          {showContactPointsTab && (
+            <Tab
+              label={t('alerting.contact-points-page-contents.label-contact-points', 'Contact Points')}
+              active={showingContactPoints}
+              counter={contactPoints.length}
+              onChangeTab={() => setActiveTab(ActiveTab.ContactPoints)}
+            />
+          )}
+          {showTemplatesTab && (
+            <Tab
+              label={t('alerting.contact-points-page-contents.label-notification-templates', 'Notification Templates')}
+              active={showNotificationTemplates}
+              onChangeTab={() => setActiveTab(ActiveTab.NotificationTemplates)}
+            />
+          )}
+        </TabsBar>
+        <TabContent>
+          <Stack direction="column">
+            {showingContactPoints && <ContactPointsTab />}
+            {showNotificationTemplates && <NotificationTemplatesTab />}
+          </Stack>
+        </TabContent>
+      </Stack>
    </>
  );
 };
@@ -178,9 +282,8 @@ const ContactPointsList = ({ contactPoints, search, pageSize = DEFAULT_PAGE_SIZE
 };

 function ContactPointsPage() {
-  const { navId, pageNav } = useNotificationConfigNav();
  return (
-    <AlertmanagerPageWrapper navId={navId || 'receivers'} pageNav={pageNav} accessType="notification">
+    <AlertmanagerPageWrapper navId="receivers" accessType="notification">
      <ContactPointsPageContents />
    </AlertmanagerPageWrapper>
  );
--- a/public/app/features/alerting/unified/components/rules/central-state-history/CentralAlertHistoryPage.tsx
+++ b/public/app/features/alerting/unified/components/rules/central-state-history/CentralAlertHistoryPage.tsx
@@ -1,13 +1,11 @@
-import { useInsightsNav } from '../../../navigation/useInsightsNav';
 import { withPageErrorBoundary } from '../../../withPageErrorBoundary';
 import { AlertingPageWrapper } from '../../AlertingPageWrapper';

 import { CentralAlertHistoryScene } from './CentralAlertHistoryScene';

 function HistoryPage() {
-  const { navId, pageNav } = useInsightsNav();
  return (
-    <AlertingPageWrapper navId={navId || 'alerts-history'} pageNav={pageNav} isLoading={false}>
+    <AlertingPageWrapper navId="alerts-history" isLoading={false}>
      <CentralAlertHistoryScene />
    </AlertingPageWrapper>
  );
--- a/public/app/features/alerting/unified/components/rules/deleted-rules/DeletedRulesPage.tsx
+++ b/public/app/features/alerting/unified/components/rules/deleted-rules/DeletedRulesPage.tsx
@@ -3,7 +3,6 @@ import { Alert } from '@grafana/ui';

 import { alertRuleApi } from '../../../api/alertRuleApi';
 import { GRAFANA_RULER_CONFIG } from '../../../api/featureDiscoveryApi';
-import { useAlertRulesNav } from '../../../navigation/useAlertRulesNav';
 import { stringifyErrorLike } from '../../../utils/misc';
 import { withPageErrorBoundary } from '../../../withPageErrorBoundary';
 import { AlertingPageWrapper } from '../../AlertingPageWrapper';
@@ -19,10 +18,9 @@ function DeletedrulesPage() {
    rulerConfig: GRAFANA_RULER_CONFIG,
    filter: {}, // todo: add filters, and limit?????
  });
-  const { navId, pageNav } = useAlertRulesNav();

  return (
-    <AlertingPageWrapper navId={navId || 'alerts/recently-deleted'} pageNav={pageNav} isLoading={isLoading}>
+    <AlertingPageWrapper navId="alerts/recently-deleted" isLoading={isLoading}>
      <>
        {error && (
          <Alert title={t('alerting.deleted-rules.errorloading', 'Failed to load alert deleted rules')}>
--- a/public/app/features/alerting/unified/home/Home.tsx
+++ b/public/app/features/alerting/unified/home/Home.tsx
@@ -1,24 +1,23 @@
-import { useMemo, useState } from 'react';
+import { useState } from 'react';

 import { t } from '@grafana/i18n';
 import { Box, Stack, Tab, TabContent, TabsBar } from '@grafana/ui';

 import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
+import { isLocalDevEnv } from '../utils/misc';
 import { withPageErrorBoundary } from '../withPageErrorBoundary';

 import GettingStarted, { WelcomeHeader } from './GettingStarted';
 import IRMCard from './IRMCard';
-import { getInsightsScenes } from './Insights';
+import { getInsightsScenes, insightsIsAvailable } from './Insights';
 import { PluginIntegrations } from './PluginIntegrations';
 import SyntheticMonitoringCard from './SyntheticMonitoringCard';

 function Home() {
-  // Insights tab is not shown on Home page - Insights is available via the sidebar menu instead
-  const insightsEnabled = false;
+  const insightsEnabled = insightsIsAvailable() || isLocalDevEnv();

  const [activeTab, setActiveTab] = useState<'insights' | 'overview'>(insightsEnabled ? 'insights' : 'overview');
-  // Memoize the scene so it's only created once and properly initialized
-  const insightsScene = useMemo(() => getInsightsScenes(), []);
+  const insightsScene = getInsightsScenes();

  return (
    <AlertingPageWrapper subTitle="Learn about problems in your systems moments after they occur" navId="alerting">
--- a/public/app/features/alerting/unified/insights/InsightsPage.tsx
+++ b/public/app/features/alerting/unified/insights/InsightsPage.tsx
@@ -1,44 +0,0 @@
-import { useMemo } from 'react';
-
-import { Trans, t } from '@grafana/i18n';
-
-import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
-import { getInsightsScenes, insightsIsAvailable } from '../home/Insights';
-import { useInsightsNav } from '../navigation/useInsightsNav';
-import { isLocalDevEnv } from '../utils/misc';
-import { withPageErrorBoundary } from '../withPageErrorBoundary';
-
-function InsightsPage() {
-  const insightsEnabled = insightsIsAvailable() || isLocalDevEnv();
-  const { navId, pageNav } = useInsightsNav();
-  // Memoize the scene so it's only created once and properly initialized
-  const insightsScene = useMemo(() => getInsightsScenes(), []);
-
-  if (!insightsEnabled) {
-    return (
-      <AlertingPageWrapper
-        navId={navId || 'insights'}
-        pageNav={pageNav}
-        subTitle={t('alerting.insights.subtitle', 'Analytics and history for alerting')}
-      >
-        <div>
-          <Trans i18nKey="alerting.insights.not-available">
-            Insights are not available. Please configure the required data sources.
-          </Trans>
-        </div>
-      </AlertingPageWrapper>
-    );
-  }
-
-  return (
-    <AlertingPageWrapper
-      navId={navId || 'insights'}
-      pageNav={pageNav}
-      subTitle={t('alerting.insights.subtitle', 'Analytics and history for alerting')}
-    >
-      <insightsScene.Component model={insightsScene} />
-    </AlertingPageWrapper>
-  );
-}
-
-export default withPageErrorBoundary(InsightsPage);
--- a/public/app/features/alerting/unified/navigation/useAlertActivityNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useAlertActivityNav.test.tsx
@@ -1,134 +0,0 @@
-import { renderHook } from '@testing-library/react';
-import { getWrapper } from 'test/test-utils';
-
-import { configureStore } from 'app/store/configureStore';
-
-import { useAlertActivityNav } from './useAlertActivityNav';
-
-describe('useAlertActivityNav', () => {
-  const mockNavIndex = {
-    'alert-activity': {
-      id: 'alert-activity',
-      text: 'Alert activity',
-      url: '/alerting/alerts',
-    },
-    'alert-activity-alerts': {
-      id: 'alert-activity-alerts',
-      text: 'Alerts',
-      url: '/alerting/alerts',
-    },
-    'alert-activity-groups': {
-      id: 'alert-activity-groups',
-      text: 'Active notifications',
-      url: '/alerting/groups',
-    },
-  };
-
-  const defaultPreloadedState = {
-    navIndex: mockNavIndex,
-  };
-
-  it('should return navigation with pageNav for Alerts tab', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/alerts'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
-
-    expect(result.current.navId).toBe('alert-activity');
-    expect(result.current.pageNav).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children).toBeDefined();
-    // The pageNav should represent Alert Activity (not the active tab) for consistent title
-    expect(result.current.pageNav?.text).toBe('Alert activity');
-  });
-
-  it('should return navigation with pageNav for Active notifications tab', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/groups'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
-
-    expect(result.current.navId).toBe('alert-activity');
-    expect(result.current.pageNav).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children).toBeDefined();
-    // The pageNav should represent Alert Activity (not the active tab) for consistent title
-    expect(result.current.pageNav?.text).toBe('Alert activity');
-  });
-
-  it('should set active tab based on current path', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/groups'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    const activeNotificationsTab = result.current.pageNav?.children?.find((tab) => tab.id === 'alert-activity-groups');
-    expect(activeNotificationsTab?.active).toBe(true);
-
-    // eslint-disable-next-line testing-library/no-node-access
-    const alertsTab = result.current.pageNav?.children?.find((tab) => tab.id === 'alert-activity-alerts');
-    expect(alertsTab?.active).toBe(false);
-  });
-
-  it('should filter tabs based on permissions', () => {
-    const limitedNavIndex = {
-      'alert-activity': mockNavIndex['alert-activity'],
-      'alert-activity-alerts': mockNavIndex['alert-activity-alerts'],
-      // Missing 'alert-activity-groups' - user doesn't have permission
-    };
-    const store = configureStore({
-      navIndex: limitedNavIndex,
-    });
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/alerts'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.length).toBe(1);
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.[0].id).toBe('alert-activity-alerts');
-  });
-
-  it('should return undefined when alert-activity nav is missing', () => {
-    const store = configureStore({
-      navIndex: {},
-    });
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/groups'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertActivityNav(), { wrapper });
-
-    expect(result.current.navId).toBeUndefined();
-    expect(result.current.pageNav).toBeUndefined();
-  });
-});
--- a/public/app/features/alerting/unified/navigation/useAlertActivityNav.ts
+++ b/public/app/features/alerting/unified/navigation/useAlertActivityNav.ts
@@ -1,57 +0,0 @@
-import { useLocation } from 'react-router-dom-v5-compat';
-
-import { NavModelItem } from '@grafana/data';
-import { t } from '@grafana/i18n';
-import { useSelector } from 'app/types/store';
-
-export function useAlertActivityNav() {
-  const location = useLocation();
-  const navIndex = useSelector((state) => state.navIndex);
-
-  const alertActivityNav = navIndex['alert-activity'];
-  if (!alertActivityNav) {
-    return {
-      navId: undefined,
-      pageNav: undefined,
-    };
-  }
-
-  // All available tabs
-  const allTabs = [
-    {
-      id: 'alert-activity-alerts',
-      text: t('alerting.navigation.alerts', 'Alerts'),
-      url: '/alerting/alerts',
-      active: location.pathname === '/alerting/alerts',
-      icon: 'bell',
-      parentItem: alertActivityNav,
-    },
-    {
-      id: 'alert-activity-groups',
-      text: t('alerting.navigation.active-notifications', 'Active notifications'),
-      url: '/alerting/groups',
-      active: location.pathname === '/alerting/groups',
-      icon: 'layer-group',
-      parentItem: alertActivityNav,
-    },
-  ].filter((tab) => {
-    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
-    const navItem = navIndex[tab.id];
-    return navItem !== undefined;
-  });
-
-  // Create pageNav structure following the same pattern as useNotificationConfigNav
-  // Keep "Alert Activity" as the pageNav (not the active tab) so the title and subtitle stay consistent
-  // The tabs are children, and the breadcrumb utility will add the active tab to breadcrumbs
-  // (including the first tab, after our fix to the breadcrumb utility)
-  const pageNav: NavModelItem = {
-    ...alertActivityNav,
-    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    children: allTabs as NavModelItem[],
-  };
-
-  return {
-    navId: 'alert-activity',
-    pageNav,
-  };
-}
--- a/public/app/features/alerting/unified/navigation/useAlertRulesNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useAlertRulesNav.test.tsx
@@ -1,95 +0,0 @@
-import { renderHook } from '@testing-library/react';
-import { getWrapper } from 'test/test-utils';
-
-import { configureStore } from 'app/store/configureStore';
-
-import { useAlertRulesNav } from './useAlertRulesNav';
-
-describe('useAlertRulesNav', () => {
-  const mockNavIndex = {
-    'alert-rules': {
-      id: 'alert-rules',
-      text: 'Alert rules',
-      url: '/alerting/list',
-      icon: 'list-ul' as const,
-    },
-    'alert-rules-list': {
-      id: 'alert-rules-list',
-      text: 'Alert rules',
-      url: '/alerting/list',
-    },
-    'alert-rules-recently-deleted': {
-      id: 'alert-rules-recently-deleted',
-      text: 'Recently deleted',
-      url: '/alerting/recently-deleted',
-    },
-  };
-
-  const defaultPreloadedState = {
-    navIndex: mockNavIndex,
-  };
-
-  it('should return navigation with pageNav', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/list'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
-
-    expect(result.current.navId).toBe('alert-rules');
-    expect(result.current.pageNav).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.length).toBeGreaterThan(0);
-  });
-
-  it('should filter tabs based on permissions', () => {
-    const limitedNavIndex = {
-      'alert-rules': mockNavIndex['alert-rules'],
-      'alert-rules-list': mockNavIndex['alert-rules-list'],
-      // Missing 'alert-rules-recently-deleted' - user doesn't have permission
-    };
-    const store = configureStore({
-      navIndex: limitedNavIndex,
-    });
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/list'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.length).toBe(1);
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.[0].id).toBe('alert-rules-list');
-  });
-
-  it('should set active tab based on current path', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/recently-deleted'],
-      },
-    });
-
-    const { result } = renderHook(() => useAlertRulesNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    const recentlyDeletedTab = result.current.pageNav?.children?.find(
-      (tab) => tab.id === 'alert-rules-recently-deleted'
-    );
-    expect(recentlyDeletedTab?.active).toBe(true);
-  });
-});
--- a/public/app/features/alerting/unified/navigation/useAlertRulesNav.ts
+++ b/public/app/features/alerting/unified/navigation/useAlertRulesNav.ts
@@ -1,54 +0,0 @@
-import { useLocation } from 'react-router-dom-v5-compat';
-
-import { NavModelItem } from '@grafana/data';
-import { t } from '@grafana/i18n';
-import { useSelector } from 'app/types/store';
-
-export function useAlertRulesNav() {
-  const location = useLocation();
-  const navIndex = useSelector((state) => state.navIndex);
-
-  const alertRulesNav = navIndex['alert-rules'];
-  if (!alertRulesNav) {
-    return {
-      navId: undefined,
-      pageNav: undefined,
-    };
-  }
-
-  // All available tabs
-  const allTabs = [
-    {
-      id: 'alert-rules-list',
-      text: t('alerting.navigation.alert-rules', 'Alert rules'),
-      url: '/alerting/list',
-      active: location.pathname === '/alerting/list',
-      icon: 'list-ul',
-      parentItem: alertRulesNav,
-    },
-    {
-      id: 'alert-rules-recently-deleted',
-      text: t('alerting.navigation.recently-deleted', 'Recently deleted'),
-      url: '/alerting/recently-deleted',
-      active: location.pathname === '/alerting/recently-deleted',
-      icon: 'trash-alt',
-      parentItem: alertRulesNav,
-    },
-  ].filter((tab) => {
-    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
-    const navItem = navIndex[tab.id];
-    return navItem !== undefined;
-  });
-
-  // Create pageNav that represents the Alert rules page with tabs as children
-  const pageNav: NavModelItem = {
-    ...alertRulesNav,
-    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    children: allTabs as NavModelItem[],
-  };
-
-  return {
-    navId: 'alert-rules',
-    pageNav,
-  };
-}
--- a/public/app/features/alerting/unified/navigation/useInsightsNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useInsightsNav.test.tsx
@@ -1,90 +0,0 @@
-import { renderHook } from '@testing-library/react';
-import { getWrapper } from 'test/test-utils';
-
-import { configureStore } from 'app/store/configureStore';
-
-import { useInsightsNav } from './useInsightsNav';
-
-describe('useInsightsNav', () => {
-  const mockNavIndex = {
-    insights: {
-      id: 'insights',
-      text: 'Insights',
-      url: '/alerting/insights',
-    },
-    'insights-system': {
-      id: 'insights-system',
-      text: 'System Insights',
-      url: '/alerting/insights',
-    },
-    'insights-history': {
-      id: 'insights-history',
-      text: 'Alert state history',
-      url: '/alerting/history',
-    },
-  };
-
-  const defaultPreloadedState = {
-    navIndex: mockNavIndex,
-  };
-
-  it('should return navigation with pageNav', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/insights'],
-      },
-    });
-
-    const { result } = renderHook(() => useInsightsNav(), { wrapper });
-
-    expect(result.current.navId).toBe('insights');
-    expect(result.current.pageNav).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children).toBeDefined();
-  });
-
-  it('should set active tab based on current path', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/history'],
-      },
-    });
-
-    const { result } = renderHook(() => useInsightsNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    const historyTab = result.current.pageNav?.children?.find((tab) => tab.id === 'insights-history');
-    expect(historyTab?.active).toBe(true);
-  });
-
-  it('should filter tabs based on permissions', () => {
-    const limitedNavIndex = {
-      insights: mockNavIndex.insights,
-      'insights-system': mockNavIndex['insights-system'],
-      // Missing 'insights-history' - user doesn't have permission
-    };
-    const store = configureStore({
-      navIndex: limitedNavIndex,
-    });
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/insights'],
-      },
-    });
-
-    const { result } = renderHook(() => useInsightsNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.length).toBe(1);
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.[0].id).toBe('insights-system');
-  });
-});
--- a/public/app/features/alerting/unified/navigation/useInsightsNav.ts
+++ b/public/app/features/alerting/unified/navigation/useInsightsNav.ts
@@ -1,54 +0,0 @@
-import { useLocation } from 'react-router-dom-v5-compat';
-
-import { NavModelItem } from '@grafana/data';
-import { t } from '@grafana/i18n';
-import { useSelector } from 'app/types/store';
-
-export function useInsightsNav() {
-  const location = useLocation();
-  const navIndex = useSelector((state) => state.navIndex);
-
-  const insightsNav = navIndex.insights;
-  if (!insightsNav) {
-    return {
-      navId: undefined,
-      pageNav: undefined,
-    };
-  }
-
-  // All available tabs
-  const allTabs = [
-    {
-      id: 'insights-system',
-      text: t('alerting.navigation.system-insights', 'System Insights'),
-      url: '/alerting/insights',
-      active: location.pathname === '/alerting/insights',
-      icon: 'chart-line',
-      parentItem: insightsNav,
-    },
-    {
-      id: 'insights-history',
-      text: t('alerting.navigation.alert-state-history', 'Alert state history'),
-      url: '/alerting/history',
-      active: location.pathname === '/alerting/history',
-      icon: 'history',
-      parentItem: insightsNav,
-    },
-  ].filter((tab) => {
-    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
-    const navItem = navIndex[tab.id];
-    return navItem !== undefined;
-  });
-
-  // Create pageNav that represents the Insights page with tabs as children
-  const pageNav: NavModelItem = {
-    ...insightsNav,
-    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    children: allTabs as NavModelItem[],
-  };
-
-  return {
-    navId: 'insights',
-    pageNav,
-  };
-}
--- a/public/app/features/alerting/unified/navigation/useNotificationConfigNav.test.tsx
+++ b/public/app/features/alerting/unified/navigation/useNotificationConfigNav.test.tsx
@@ -1,102 +0,0 @@
-import { renderHook } from '@testing-library/react';
-import { getWrapper } from 'test/test-utils';
-
-import { configureStore } from 'app/store/configureStore';
-
-import { useNotificationConfigNav } from './useNotificationConfigNav';
-
-describe('useNotificationConfigNav', () => {
-  const mockNavIndex = {
-    'notification-config': {
-      id: 'notification-config',
-      text: 'Notification configuration',
-      url: '/alerting/notifications',
-    },
-    'notification-config-contact-points': {
-      id: 'notification-config-contact-points',
-      text: 'Contact points',
-      url: '/alerting/notifications',
-    },
-    'notification-config-policies': {
-      id: 'notification-config-policies',
-      text: 'Notification policies',
-      url: '/alerting/routes',
-    },
-    'notification-config-templates': {
-      id: 'notification-config-templates',
-      text: 'Notification templates',
-      url: '/alerting/notifications/templates',
-    },
-    'notification-config-time-intervals': {
-      id: 'notification-config-time-intervals',
-      text: 'Time intervals',
-      url: '/alerting/time-intervals',
-    },
-  };
-
-  const defaultPreloadedState = {
-    navIndex: mockNavIndex,
-  };
-
-  it('should return navigation with pageNav', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/notifications'],
-      },
-    });
-
-    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
-
-    expect(result.current.navId).toBe('notification-config');
-    expect(result.current.pageNav).toBeDefined();
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children).toBeDefined();
-  });
-
-  it('should detect time intervals tab from path', () => {
-    const store = configureStore(defaultPreloadedState);
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/time-intervals'],
-      },
-    });
-
-    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    const timeIntervalsTab = result.current.pageNav?.children?.find(
-      (tab) => tab.id === 'notification-config-time-intervals'
-    );
-    expect(timeIntervalsTab?.active).toBe(true);
-  });
-
-  it('should filter tabs based on permissions', () => {
-    const limitedNavIndex = {
-      'notification-config': mockNavIndex['notification-config'],
-      'notification-config-contact-points': mockNavIndex['notification-config-contact-points'],
-      // Missing other tabs - user doesn't have permission
-    };
-    const store = configureStore({
-      navIndex: limitedNavIndex,
-    });
-    const wrapper = getWrapper({
-      store,
-      renderWithRouter: true,
-      historyOptions: {
-        initialEntries: ['/alerting/notifications'],
-      },
-    });
-
-    const { result } = renderHook(() => useNotificationConfigNav(), { wrapper });
-
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.length).toBe(1);
-    // eslint-disable-next-line testing-library/no-node-access
-    expect(result.current.pageNav?.children?.[0].id).toBe('notification-config-contact-points');
-  });
-});
--- a/public/app/features/alerting/unified/navigation/useNotificationConfigNav.ts
+++ b/public/app/features/alerting/unified/navigation/useNotificationConfigNav.ts
@@ -1,86 +0,0 @@
-import { useLocation } from 'react-router-dom-v5-compat';
-
-import { NavModelItem } from '@grafana/data';
-import { t } from '@grafana/i18n';
-import { useSelector } from 'app/types/store';
-
-export function useNotificationConfigNav() {
-  const location = useLocation();
-  const navIndex = useSelector((state) => state.navIndex);
-
-  const notificationConfigNav = navIndex['notification-config'];
-  if (!notificationConfigNav) {
-    // Fallback to legacy navIds
-    if (location.pathname.includes('/alerting/notifications/templates')) {
-      return {
-        navId: 'receivers',
-        pageNav: undefined,
-      };
-    }
-    if (location.pathname === '/alerting/routes') {
-      return {
-        navId: 'am-routes',
-        pageNav: undefined,
-      };
-    }
-    return {
-      navId: 'receivers',
-      pageNav: undefined,
-    };
-  }
-
-  // Check if we're on the time intervals page
-  const isTimeIntervalsTab = location.pathname === '/alerting/time-intervals';
-
-  // All available tabs
-  const allTabs = [
-    {
-      id: 'notification-config-contact-points',
-      text: t('alerting.navigation.contact-points', 'Contact points'),
-      url: '/alerting/notifications',
-      active: location.pathname === '/alerting/notifications' && !location.pathname.includes('/templates'),
-      icon: 'comment-alt-share',
-      parentItem: notificationConfigNav,
-    },
-    {
-      id: 'notification-config-policies',
-      text: t('alerting.navigation.notification-policies', 'Notification policies'),
-      url: '/alerting/routes',
-      active: location.pathname === '/alerting/routes' && !isTimeIntervalsTab,
-      icon: 'sitemap',
-      parentItem: notificationConfigNav,
-    },
-    {
-      id: 'notification-config-templates',
-      text: t('alerting.navigation.notification-templates', 'Notification templates'),
-      url: '/alerting/notifications/templates',
-      active: location.pathname.includes('/alerting/notifications/templates'),
-      icon: 'file-alt',
-      parentItem: notificationConfigNav,
-    },
-    {
-      id: 'notification-config-time-intervals',
-      text: t('alerting.navigation.time-intervals', 'Time intervals'),
-      url: '/alerting/time-intervals',
-      active: isTimeIntervalsTab,
-      icon: 'clock-nine',
-      parentItem: notificationConfigNav,
-    },
-  ].filter((tab) => {
-    // Filter based on permissions - if nav item doesn't exist, user doesn't have permission
-    const navItem = navIndex[tab.id];
-    return navItem !== undefined;
-  });
-
-  // Create pageNav that represents the Notification configuration page with tabs as children
-  const pageNav: NavModelItem = {
-    ...notificationConfigNav,
-    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    children: allTabs as NavModelItem[],
-  };
-
-  return {
-    navId: 'notification-config',
-    pageNav,
-  };
-}
--- a/public/app/features/alerting/unified/rule-list/RuleList.v1.tsx
+++ b/public/app/features/alerting/unified/rule-list/RuleList.v1.tsx
@@ -20,7 +20,6 @@ import { shouldUsePrometheusRulesPrimary } from '../featureToggles';
 import { useCombinedRuleNamespaces } from '../hooks/useCombinedRuleNamespaces';
 import { useFilteredRules, useRulesFilter } from '../hooks/useFilteredRules';
 import { useUnifiedAlertingSelector } from '../hooks/useUnifiedAlertingSelector';
-import { useAlertRulesNav } from '../navigation/useAlertRulesNav';
 import { fetchAllPromAndRulerRulesAction, fetchAllPromRulesAction, fetchRulerRulesAction } from '../state/actions';
 import { RULE_LIST_POLL_INTERVAL_MS } from '../utils/constants';
 import { GRAFANA_RULES_SOURCE_NAME, getAllRulesSourceNames } from '../utils/datasource';
@@ -116,14 +115,11 @@ const RuleListV1 = () => {

  const combinedNamespaces: CombinedRuleNamespace[] = useCombinedRuleNamespaces();
  const filteredNamespaces = useFilteredRules(combinedNamespaces, filterState);
-  const { navId, pageNav } = useAlertRulesNav();
-
  return (
    // We don't want to show the Loading... indicator for the whole page.
    // We show separate indicators for Grafana-managed and Cloud rules
    <AlertingPageWrapper
-      navId={navId}
-      pageNav={pageNav}
+      navId="alert-list"
      isLoading={false}
      renderTitle={(title) => <RuleListPageTitle title={title} />}
      actions={<RuleListActionButtons hasAlertRulesCreated={hasAlertRulesCreated} />}
--- a/public/app/features/alerting/unified/rule-list/RuleList.v2.tsx
+++ b/public/app/features/alerting/unified/rule-list/RuleList.v2.tsx
@@ -13,7 +13,6 @@ import { useListViewMode } from '../components/rules/Filter/RulesViewModeSelecto
 import { AIAlertRuleButtonComponent } from '../enterprise-components/AI/AIGenAlertRuleButton/addAIAlertRuleButton';
 import { AlertingAction, useAlertingAbility } from '../hooks/useAbilities';
 import { useRulesFilter } from '../hooks/useFilteredRules';
-import { useAlertRulesNav } from '../navigation/useAlertRulesNav';
 import { getRulesDataSources } from '../utils/datasource';

 import { FilterView } from './FilterView';
@@ -124,12 +123,10 @@ export function RuleListActions() {

 export default function RuleListPage() {
  const { isApplying } = useApplyDefaultSearch();
-  const { navId, pageNav } = useAlertRulesNav();

  return (
    <AlertingPageWrapper
-      navId={navId}
-      pageNav={pageNav}
+      navId="alert-list"
      renderTitle={(title) => <RuleListPageTitle title={title} />}
      isLoading={isApplying}
      actions={<RuleListActions />}
--- a/public/app/features/alerting/unified/triage/Triage.tsx
+++ b/public/app/features/alerting/unified/triage/Triage.tsx
@@ -1,16 +1,23 @@
+import { t } from '@grafana/i18n';
 import { UrlSyncContextProvider } from '@grafana/scenes';
 import { withErrorBoundary } from '@grafana/ui';

 import { AlertingPageWrapper } from '../components/AlertingPageWrapper';
-import { useAlertActivityNav } from '../navigation/useAlertActivityNav';

 import { TriageScene, triageScene } from './scene/TriageScene';

 export const TriagePage = () => {
-  const { navId, pageNav } = useAlertActivityNav();
-
  return (
-    <AlertingPageWrapper navId={navId || 'alert-alerts'} pageNav={pageNav}>
+    <AlertingPageWrapper
+      navId="alert-alerts"
+      subTitle={t(
+        'alerting.pages.triage.subtitle',
+        'See what is currently alerting and explore historical data to investigate current or past issues.'
+      )}
+      pageNav={{
+        text: t('alerting.pages.triage.title', 'Alerts'),
+      }}
+    >
      <UrlSyncContextProvider scene={triageScene} updateUrlOnInit={true} createBrowserHistorySteps={true}>
        <TriageScene key={triageScene.state.key} />
      </UrlSyncContextProvider>
--- a/public/app/features/dashboard-scene/scene/VariableControls.test.tsx
+++ b/public/app/features/dashboard-scene/scene/VariableControls.test.tsx
@@ -1,84 +0,0 @@
-import { render, screen } from '@testing-library/react';
-
-import { VariableHide } from '@grafana/data';
-import { SceneGridLayout, SceneVariable, SceneVariableSet, ScopesVariable, TextBoxVariable } from '@grafana/scenes';
-
-import { DashboardScene } from './DashboardScene';
-import { VariableControls } from './VariableControls';
-import { DefaultGridLayoutManager } from './layout-default/DefaultGridLayoutManager';
-
-jest.mock('@grafana/runtime', () => {
-  const runtime = jest.requireActual('@grafana/runtime');
-  return {
-    ...runtime,
-    config: {
-      ...runtime.config,
-      featureToggles: {
-        dashboardNewLayouts: true,
-      },
-    },
-  };
-});
-
-describe('VariableControls', () => {
-  it('should not render scopes variable', () => {
-    const variables = [new ScopesVariable({})];
-    const dashboard = buildScene(variables);
-    dashboard.activate();
-
-    render(<VariableControls dashboard={dashboard} />);
-
-    expect(screen.queryByText('__scopes')).not.toBeInTheDocument();
-  });
-
-  it('should not render regular hidden variables', () => {
-    const hiddenVariable = new TextBoxVariable({
-      name: 'HiddenVar',
-      hide: VariableHide.hideVariable,
-    });
-    const variables = [hiddenVariable];
-    const dashboard = buildScene(variables);
-    dashboard.activate();
-
-    render(<VariableControls dashboard={dashboard} />);
-
-    expect(screen.queryByText('HiddenVar')).not.toBeInTheDocument();
-  });
-
-  it('should render regular hidden variables in edit mode', async () => {
-    const hiddenVariable = new TextBoxVariable({
-      name: 'HiddenVar',
-      hide: VariableHide.hideVariable,
-    });
-    const variables = [hiddenVariable];
-    const dashboard = buildScene(variables);
-    dashboard.activate();
-
-    dashboard.setState({ isEditing: true });
-    render(<VariableControls dashboard={dashboard} />);
-
-    expect(await screen.findByText('HiddenVar')).toBeInTheDocument();
-  });
-
-  it('should not render variables hidden in controls menu in edit mode', async () => {
-    const dashboard = buildScene([new TextBoxVariable({ name: 'TextVarControls', hide: VariableHide.inControlsMenu })]);
-    dashboard.activate();
-
-    dashboard.setState({ isEditing: true });
-    render(<VariableControls dashboard={dashboard} />);
-
-    expect(screen.queryByText('TextVarControls')).not.toBeInTheDocument();
-  });
-});
-
-function buildScene(variables: SceneVariable[] = []) {
-  const dashboard = new DashboardScene({
-    $variables: new SceneVariableSet({ variables }),
-    body: new DefaultGridLayoutManager({
-      grid: new SceneGridLayout({
-        children: [],
-      }),
-    }),
-  });
-  return dashboard;
-}
--- a/public/app/features/dashboard-scene/scene/VariableControls.tsx
+++ b/public/app/features/dashboard-scene/scene/VariableControls.tsx
@@ -39,9 +39,8 @@ export function VariableControls({ dashboard }: { dashboard: DashboardScene }) {
    ? restVariables.filter((v) => v.state.hide !== VariableHide.inControlsMenu)
    : variables.filter(
        (v) =>
-          // used for scopes variables, should always be hidden
          // if we're editing in dynamic dashboards, still shows hidden variable but greyed out
-          (!v.UNSAFE_renderAsHidden && isEditingNewLayouts && v.state.hide === VariableHide.hideVariable) ||
+          (isEditingNewLayouts && v.state.hide === VariableHide.hideVariable) ||
          v.state.hide !== VariableHide.inControlsMenu
      );

--- a/public/locales/en-US/grafana.json
+++ b/public/locales/en-US/grafana.json
@@ -938,6 +938,10 @@
      "label-search-by-name-or-type": "Search by name or type",
      "placeholder-search": "Search"
    },
+    "contact-points-page-contents": {
+      "label-contact-points": "Contact Points",
+      "label-notification-templates": "Notification Templates"
+    },
    "contact-points-tab": {
      "aria-label-add-contact-point": "add contact point",
      "aria-label-export-all": "export all",
@@ -1641,9 +1645,7 @@
    "insights": {
      "monitor-status-of-system": "Monitor the status of your system",
      "monitor-status-system-tooltip": "Alerting insights provides pre-built dashboards to monitor your alerting data.",
-      "monitor-status-system-tooltip-identify": "You can identify patterns in why things go wrong and discover trends in alerting performance within your organization.",
-      "not-available": "Insights are not available. Please configure the required data sources.",
-      "subtitle": "Analytics and history for alerting"
+      "monitor-status-system-tooltip-identify": "You can identify patterns in why things go wrong and discover trends in alerting performance within your organization."
    },
    "insights-menu-button-renderer": {
      "aria-label-rate-this-panel": "Rate this panel",
@@ -1926,18 +1928,6 @@
      "select-group": "Select group",
      "select-namespace": "Select namespace"
    },
-    "navigation": {
-      "active-notifications": "Active notifications",
-      "alert-rules": "Alert rules",
-      "alert-state-history": "Alert state history",
-      "alerts": "Alerts",
-      "contact-points": "Contact points",
-      "notification-policies": "Notification policies",
-      "notification-templates": "Notification templates",
-      "recently-deleted": "Recently deleted",
-      "system-insights": "System Insights",
-      "time-intervals": "Time intervals"
-    },
    "need-help-info": {
      "need-help": "Need help?"
    },
@@ -1986,6 +1976,10 @@
      "title-error-loading-alertmanager-config": "Error loading Alertmanager config",
      "title-notification-policies-have-changed": "Notification policies have changed"
    },
+    "notification-policies-tabs": {
+      "label-notification-policies": "Notification Policies",
+      "label-time-intervals": "Time intervals"
+    },
    "notification-policy-drawer": {
      "view-notification-policy-tree": "View notification policy tree"
    },
@@ -2051,6 +2045,12 @@
      "body-selected-alertmanager-not-found": "The selected Alertmanager no longer exists or you may not have permission to access it. You can select a different Alertmanager from the dropdown.",
      "title-selected-alertmanager-not-found": "Selected Alertmanager not found."
    },
+    "pages": {
+      "triage": {
+        "subtitle": "See what is currently alerting and explore historical data to investigate current or past issues.",
+        "title": "Alerts"
+      }
+    },
    "panel-alert-tab-content": {
      "alert": {
        "title-errors-loading-rules": "Errors loading rules"
Author	SHA1	Message	Date
Will Browne	c86b05ec10	make update-workspace	2026-01-12 16:46:54 +00:00
Will Browne	0102c0447b	set in spec	2026-01-12 16:45:24 +00:00
Will Browne	c065ba3a6f	add alias ids to meta API	2026-01-12 16:36:01 +00:00