apply security patch: release-12.0.1/security-patch-202505051005.patch

Co-authored-by: Isabel Matwawana <76437239+imatwawana@users.noreply.github.com>
Fixed broken links (#105796)

.air.toml

@@ -1,26 +0,0 @@
-[build]
-bin = "./bin/grafana"
-args_bin = ["server", "-profile", "-profile-addr=127.0.0.1", "-profile-port=6000", "-profile-block-rate=1", "-profile-mutex-rate=5", "-packaging=dev", "cfg:app_mode=development"]
-cmd = "make GO_BUILD_DEV=1 build-backend"
-exclude_regex = ["_test.go", "_gen.go"]
-exclude_unchanged = true
-follow_symlink = true
-include_dir = ["apps", "conf", "devenv/dev-dashboards", "pkg", "public/views"]
-include_ext = ["go", "ini", "toml", "html", "json"]
-pre_cmd = ["make gen-go"]
-stop_on_error = true
-send_interrupt = true
-kill_delay = 500
-
-[log]
-time = true
-
-[misc]
-clean_on_exit = false
-
-[proxy]
-enabled = false
-
-[screen]
-clear_on_rebuild = false
-keep_scroll = true

.betterer.eslint.config.js

@@ -10,7 +10,6 @@ const testingLibraryPlugin = require('eslint-plugin-testing-library');
 
 const grafanaConfig = require('@grafana/eslint-config/flat');
 const grafanaPlugin = require('@grafana/eslint-plugin');
-const grafanaI18nPlugin = require('@grafana/i18n/eslint-plugin');
 
 // Include the Grafana config and remove the rules,
 // as we just want to pull in all of the necessary configuration but not run the rules
@@ -66,7 +65,6 @@ module.exports = [
       'no-barrel-files': barrelPlugin,
       '@grafana': grafanaPlugin,
       'testing-library': testingLibraryPlugin,
-      '@grafana/i18n': grafanaI18nPlugin,
     },
     linterOptions: {
       // This reports unused disable directives that we can clean up but
@@ -98,58 +96,33 @@ module.exports = [
     },
   },
   {
-    files: ['**/*.{js,jsx,ts,tsx}'],
-    ignores: [
-      '**/*.{test,spec}.{ts,tsx}',
-      '**/__mocks__/**',
-      '**/public/test/**',
-      '**/mocks.{ts,tsx}',
-      '**/mocks/**/*.{ts,tsx}',
-      '**/spec/**/*.{ts,tsx}',
-    ],
+    files: ['**/*.{ts,tsx}'],
+    ignores: ['**/*.{test,spec}.{ts,tsx}', '**/__mocks__/**', '**/public/test/**', '**/mocks.{ts,tsx}'],
     rules: {
       '@typescript-eslint/consistent-type-assertions': ['error', { assertionStyle: 'never' }],
     },
   },
-  {
-    files: ['**/*.{js,jsx,ts,tsx}'],
-    ignores: [
-      '**/*.{test,spec}.{ts,tsx}',
-      '**/__mocks__/**',
-      '**/public/test/**',
-      '**/mocks.{ts,tsx}',
-      '**/spec/**/*.{ts,tsx}',
-    ],
-    rules: {
-      'no-restricted-syntax': [
-        'error',
-        {
-          selector: 'Identifier[name=localStorage]',
-          message: 'Direct usage of localStorage is not allowed. import store from @grafana/data instead',
-        },
-        {
-          selector: 'MemberExpression[object.name=localStorage]',
-          message: 'Direct usage of localStorage is not allowed. import store from @grafana/data instead',
-        },
-        {
-          selector:
-            'Program:has(ImportDeclaration[source.value="@grafana/ui"] ImportSpecifier[imported.name="Card"]) JSXOpeningElement[name.name="Card"]:not(:has(JSXAttribute[name.name="noMargin"]))',
-          message:
-            'Add noMargin prop to Card components to remove built-in margins. Use layout components like Stack or Grid with the gap prop instead for consistent spacing.',
-        },
-        {
-          selector:
-            'Program:has(ImportDeclaration[source.value="@grafana/ui"] ImportSpecifier[imported.name="Field"]) JSXOpeningElement[name.name="Field"]:not(:has(JSXAttribute[name.name="noMargin"]))',
-          message:
-            'Add noMargin prop to Field components to remove built-in margins. Use layout components like Stack or Grid with the gap prop instead for consistent spacing.',
-        },
-      ],
-    },
-  },
   {
     files: ['public/app/**/*.{ts,tsx}'],
     rules: {
       'no-barrel-files/no-barrel-files': 'error',
     },
   },
+  {
+    files: ['public/**/*.tsx', 'packages/grafana-ui/**/*.tsx'],
+    ignores: ['public/app/plugins/**', '**/*.story.tsx', '**/*.{test,spec}.{ts,tsx}', '**/__mocks__/', 'public/test'],
+    rules: {
+      '@grafana/no-untranslated-strings': [
+        'error',
+        {
+          forceFix: [
+            // Add paths here that are happy to be auto fixed by this rule,
+            // for example
+            // 'public/app/features/alerting'
+          ],
+        },
+      ],
+      '@grafana/no-translation-top-level': 'error',
+    },
+  },
 ];

.citools/README.md

@@ -1,41 +0,0 @@
-## API
-
-### Adding and Upgrading Tools
-
-To add a new tool, execute the installation script:
-
-```bash
-install.sh <tool>
-```
-
-#### Example
-
-The following command will add `lefthook` to the tracked tools if it is not already installed, or update its version:
-
-```bash
-install.sh github.com/evilmartians/lefthook@v1.11.10
-```
-
-Behind the scenes, the script performs a few simple steps:
-
-- Creates a Go module under the `.citools/src/<toolname>` directory to track the tool version and its dependencies.
-- Creates a reference to the tool binary in the `.citools/Variables.mk` file.
-
-### Using Tools in the Makefile
-
-Our Makefile imports `.citools/Variables.mk`, so you can call a tool binary using standard Make syntax.
-
-#### Example
-
-```make
-run:
-    $(bra) run
-```
-
-### Using Tracked Tools Without the Makefile
-
-If you want to use a tool outside of the Makefile, you can locate the tool binary by executing the following command:
-
-```bash
-GOWORK=off go tool -n -modfile=<path_to_modfile> <toolname>
-```

.citools/Variables.mk

@@ -1,34 +0,0 @@
-# Generated tool paths
-tools_dir := $(shell cd $(dir $(lastword $(MAKEFILE_LIST))) && pwd)
-src_dir := $(tools_dir)/src
-
-# Due to a race condition, after initial call to `go tool` golang may report a wrong binary location pointing to the invalid `/tmp/go-buildXXX` directory
-define compile_tool
-$(shell \
-  (cd $(src_dir)/$(1) \
-  && GOWORK=off go tool -n $(2) > /dev/null \
-  && GOWORK=off go tool -n $(2)) | sed 's/^[[:space:]]*//g'; \
-)
-endef
-
-
-# Tool: "bra"
-bra = "$(call compile_tool,bra,github.com/unknwon/bra)"
-
-# Tool: "cog"
-cog = "$(call compile_tool,cog,github.com/grafana/cog/cmd/cli)"
-
-# Tool: "cue"
-cue = "$(call compile_tool,cue,cuelang.org/go/cmd/cue)"
-
-# Tool: "golangci-lint"
-golangci-lint = "$(call compile_tool,golangci-lint,github.com/golangci/golangci-lint/v2/cmd/golangci-lint)"
-
-# Tool: "jb"
-jb = "$(call compile_tool,jb,github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb)"
-
-# Tool: "lefthook"
-lefthook = "$(call compile_tool,lefthook,github.com/evilmartians/lefthook)"
-
-# Tool: "swagger"
-swagger = "$(call compile_tool,swagger,github.com/go-swagger/go-swagger/cmd/swagger)"

.citools/bra/go.mod

@@ -1,6 +1,6 @@
 module bra
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/unknwon/bra
 
@@ -17,6 +17,6 @@ require (
 	github.com/unknwon/com v1.0.1 // indirect
 	github.com/unknwon/log v0.0.0-20200308114134-929b1006e34a // indirect
 	github.com/urfave/cli v1.22.16 // indirect
-	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 )

.citools/bra/go.sum

@@ -56,8 +56,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20191020152052-9984515f0562/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/cog/go.mod

@@ -1,6 +1,6 @@
 module cog
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/grafana/cog/cmd/cli
 
@@ -17,7 +17,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d // indirect
-	github.com/grafana/cog v0.0.34 // indirect
+	github.com/grafana/cog v0.0.28 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
@@ -40,11 +40,11 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/yalue/merged_fs v1.3.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.45.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.26.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/cog/go.sum

@@ -27,8 +27,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d h1:hrXbGJ5jgp6yNITzs5o+zXq0V5yT3siNJ+uM8LGwWKk=
 github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d/go.mod h1:zmwwM/DRyQB7pfuBjTWII3CWtxcXh8LTwAYGfDfpR6s=
-github.com/grafana/cog v0.0.34 h1:tXtjIB0A0Y6jeZ5iAQBJIAz5vkAJsV0iEFfX94PH/+Q=
-github.com/grafana/cog v0.0.34/go.mod h1:UDstzYqMdgIROmbfkHL8fB9XWQO2lnf5z+4W/eJo4Dc=
+github.com/grafana/cog v0.0.28 h1:0+FNuxyfNWm1OBZPPjgBIno3nzR4gOpSxsVe34hdN7g=
+github.com/grafana/cog v0.0.28/go.mod h1:wZWsTLV7uX0jCbGpqvjawQ7JbaDVT9oW+PQhHwqanHc=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -85,20 +85,20 @@ github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4d
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/yalue/merged_fs v1.3.0 h1:qCeh9tMPNy/i8cwDsQTJ5bLr6IRxbs6meakNE5O+wyY=
 github.com/yalue/merged_fs v1.3.0/go.mod h1:WqqchfVYQyclV2tnR7wtRhBddzBvLVR83Cjw9BKQw0M=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.citools/cue/go.mod

@@ -1,6 +1,6 @@
 module cue
 
-go 1.25.3
+go 1.24.3
 
 tool cuelang.org/go/cmd/cue
 
@@ -25,13 +25,13 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/tetratelabs/wazero v1.6.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.45.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.26.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/cue/go.sum

@@ -53,20 +53,20 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tetratelabs/wazero v1.6.0 h1:z0H1iikCdP8t+q341xqepY4EWvHEw8Es7tlqiVzlP3g=
 github.com/tetratelabs/wazero v1.6.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.citools/generate.sh

@@ -1,36 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-TOOLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-TOOLS_SRC_DIR="$TOOLS_DIR/src"
-TOOLS_MK="$TOOLS_DIR/Variables.mk"
-
-echo "# Generated tool paths" > "$TOOLS_MK"
-
-cat <<'EOL' >> "$TOOLS_MK"
-tools_dir := $(shell cd $(dir $(lastword $(MAKEFILE_LIST))) && pwd)
-src_dir := $(tools_dir)/src
-
-# Due to a race condition, after initial call to `go tool` golang may report a wrong binary location pointing to the invalid `/tmp/go-buildXXX` directory
-define compile_tool
-$(shell \
-  (cd $(src_dir)/$(1) \
-  && GOWORK=off go tool -n $(2) > /dev/null \
-  && GOWORK=off go tool -n $(2)) | sed 's/^[[:space:]]*//g'; \
-)
-endef
-
-EOL
-
-for tooldir in "$TOOLS_SRC_DIR"/*; do
-  [ -d "$tooldir" ] || continue
-  tool=$(basename "$tooldir")
-  fqtn=$(awk '/^tool / { print $2 }' "$tooldir/go.mod")
-
-  cat <<EOL >> "$TOOLS_MK"
-
-# Tool: "$tool"
-${tool} = "\$(call compile_tool,${tool},${fqtn})"
-EOL
-done

.citools/golangci-lint/go.mod

@@ -1,48 +1,41 @@
 module golangci-lint
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
 
 require (
 	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
 	4d63.com/gochecknoglobals v0.2.2 // indirect
-	codeberg.org/chavacava/garif v0.2.0 // indirect
-	dev.gaijin.team/go/exhaustruct/v4 v4.0.0 // indirect
-	dev.gaijin.team/go/golib v0.6.0 // indirect
-	github.com/4meepo/tagalign v1.4.3 // indirect
-	github.com/Abirdcfly/dupword v0.1.6 // indirect
-	github.com/AdminBenni/iota-mixing v1.0.0 // indirect
-	github.com/AlwxSin/noinlineerr v1.0.5 // indirect
-	github.com/Antonboom/errname v1.1.1 // indirect
-	github.com/Antonboom/nilnil v1.1.1 // indirect
-	github.com/Antonboom/testifylint v1.6.4 // indirect
+	github.com/4meepo/tagalign v1.4.2 // indirect
+	github.com/Abirdcfly/dupword v0.1.3 // indirect
+	github.com/Antonboom/errname v1.1.0 // indirect
+	github.com/Antonboom/nilnil v1.1.0 // indirect
+	github.com/Antonboom/testifylint v1.6.0 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
-	github.com/Djarvur/go-err113 v0.1.1 // indirect
+	github.com/Crocmagnon/fatcontext v0.7.1 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
-	github.com/MirrexOne/unqueryvet v1.2.1 // indirect
 	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
-	github.com/alecthomas/chroma/v2 v2.20.0 // indirect
 	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
-	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.5 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
-	github.com/alfatraining/structtag v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
-	github.com/alingse/nilnesserr v0.2.0 // indirect
-	github.com/ashanbrown/forbidigo/v2 v2.1.0 // indirect
-	github.com/ashanbrown/makezero/v2 v2.0.1 // indirect
+	github.com/alingse/nilnesserr v0.1.2 // indirect
+	github.com/ashanbrown/forbidigo v1.6.0 // indirect
+	github.com/ashanbrown/makezero v1.2.0 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bkielbasa/cyclop v1.2.3 // indirect
 	github.com/blizzy78/varnamelen v0.8.0 // indirect
-	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
-	github.com/bombsimon/wsl/v5 v5.2.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.6.0 // indirect
 	github.com/breml/bidichk v0.3.3 // indirect
 	github.com/breml/errchkjson v0.4.1 // indirect
-	github.com/butuzov/ireturn v0.4.0 // indirect
+	github.com/butuzov/ireturn v0.3.1 // indirect
 	github.com/butuzov/mirror v1.3.0 // indirect
 	github.com/catenacyber/perfsprint v0.9.1 // indirect
-	github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charithe/durationcheck v0.0.10 // indirect
 	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
@@ -50,20 +43,20 @@ require (
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/chavacava/garif v0.1.0 // indirect
 	github.com/ckaznocha/intrange v0.3.1 // indirect
 	github.com/curioswitch/go-reassign v0.3.0 // indirect
-	github.com/daixiang0/gci v0.13.7 // indirect
+	github.com/daixiang0/gci v0.13.6 // indirect
 	github.com/dave/dst v0.27.3 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/denis-tingaikin/go-header v0.5.0 // indirect
-	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/ettle/strcase v0.2.0 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/fatih/structtag v1.2.0 // indirect
-	github.com/firefart/nonamedreturns v1.0.6 // indirect
+	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.16 // indirect
+	github.com/ghostiam/protogetter v0.3.12 // indirect
 	github.com/go-critic/go-critic v0.13.0 // indirect
 	github.com/go-toolsmith/astcast v1.1.0 // indirect
 	github.com/go-toolsmith/astcopy v1.1.0 // indirect
@@ -72,53 +65,49 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/godoc-lint/godoc-lint v0.10.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
-	github.com/golangci/asciicheck v0.5.0 // indirect
 	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
-	github.com/golangci/go-printf-func-name v0.1.1 // indirect
+	github.com/golangci/go-printf-func-name v0.1.0 // indirect
 	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
-	github.com/golangci/golangci-lint/v2 v2.5.0 // indirect
+	github.com/golangci/golangci-lint/v2 v2.0.2 // indirect
 	github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
-	github.com/golangci/misspell v0.7.0 // indirect
-	github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe // indirect
-	github.com/golangci/plugin-module-register v0.1.2 // indirect
+	github.com/golangci/misspell v0.6.0 // indirect
+	github.com/golangci/plugin-module-register v0.1.1 // indirect
 	github.com/golangci/revgrep v0.8.0 // indirect
-	github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
-	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
+	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/gordonklaus/ineffassign v0.2.0 // indirect
+	github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.5.0 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jgautheron/goconst v1.8.2 // indirect
+	github.com/jgautheron/goconst v1.7.1 // indirect
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jjti/go-spancheck v0.6.5 // indirect
+	github.com/jjti/go-spancheck v0.6.4 // indirect
 	github.com/julz/importas v0.2.0 // indirect
 	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
 	github.com/kisielk/errcheck v1.9.0 // indirect
 	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
-	github.com/kulti/thelper v0.7.1 // indirect
-	github.com/kunwardeep/paralleltest v1.0.14 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.10 // indirect
 	github.com/lasiar/canonicalheader v1.1.2 // indirect
-	github.com/ldez/exptostd v0.4.4 // indirect
-	github.com/ldez/gomoddirectives v0.7.0 // indirect
-	github.com/ldez/grignotin v0.10.1 // indirect
-	github.com/ldez/tagliatelle v0.7.2 // indirect
-	github.com/ldez/usetesting v0.5.0 // indirect
+	github.com/ldez/exptostd v0.4.2 // indirect
+	github.com/ldez/gomoddirectives v0.6.1 // indirect
+	github.com/ldez/grignotin v0.9.0 // indirect
+	github.com/ldez/tagliatelle v0.7.1 // indirect
+	github.com/ldez/usetesting v0.4.2 // indirect
 	github.com/leonklingele/grouper v1.1.2 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/macabu/inamedparam v0.2.0 // indirect
-	github.com/manuelarte/embeddedstructfieldcheck v0.4.0 // indirect
-	github.com/manuelarte/funcorder v0.5.0 // indirect
 	github.com/maratori/testableexamples v1.0.0 // indirect
 	github.com/maratori/testpackage v1.1.1 // indirect
 	github.com/matoous/godox v1.1.0 // indirect
@@ -126,7 +115,7 @@ require (
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mgechev/revive v1.12.0 // indirect
+	github.com/mgechev/revive v1.7.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moricho/tparallel v0.3.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
@@ -134,10 +123,11 @@ require (
 	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/nishanths/exhaustive v0.12.0 // indirect
 	github.com/nishanths/predeclared v0.2.2 // indirect
-	github.com/nunnatsa/ginkgolinter v0.21.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/polyfloyd/go-errorlint v1.8.0 // indirect
+	github.com/polyfloyd/go-errorlint v1.7.1 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.63.0 // indirect
@@ -154,59 +144,59 @@ require (
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
-	github.com/securego/gosec/v2 v2.22.8 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
+	github.com/securego/gosec/v2 v2.22.2 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sonatard/noctx v0.4.0 // indirect
+	github.com/sonatard/noctx v0.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
-	github.com/spf13/afero v1.14.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/spf13/viper v1.20.1 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.11.1 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tetafro/godot v1.5.4 // indirect
+	github.com/tdakkota/asciicheck v0.4.1 // indirect
+	github.com/tetafro/godot v1.5.0 // indirect
 	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
-	github.com/timonwong/loggercheck v0.11.0 // indirect
-	github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
+	github.com/timonwong/loggercheck v0.10.1 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.10.0 // indirect
 	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
 	github.com/ultraware/funlen v0.2.0 // indirect
 	github.com/ultraware/whitespace v0.2.0 // indirect
 	github.com/uudashr/gocognit v1.2.0 // indirect
-	github.com/uudashr/iface v1.4.1 // indirect
+	github.com/uudashr/iface v1.3.1 // indirect
 	github.com/xen0n/gosmopolitan v1.3.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.3.0 // indirect
 	github.com/ykadowak/zerologlint v0.1.5 // indirect
 	gitlab.com/bosi/decorder v0.4.2 // indirect
-	go-simpler.org/musttag v0.14.0 // indirect
-	go-simpler.org/sloglint v0.11.1 // indirect
-	go.augendre.info/arangolint v0.2.0 // indirect
-	go.augendre.info/fatcontext v0.8.1 // indirect
+	go-simpler.org/musttag v0.13.0 // indirect
+	go-simpler.org/sloglint v0.9.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/net v0.45.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	honnef.co/go/tools v0.6.1 // indirect
-	mvdan.cc/gofumpt v0.9.1 // indirect
+	mvdan.cc/gofumpt v0.7.0 // indirect
 	mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
 )

.citools/golangci-lint/go.sum

@@ -2,58 +2,46 @@
 4d63.com/gocheckcompilerdirectives v1.3.0/go.mod h1:ofsJ4zx2QAuIP/NO/NAh1ig6R1Fb18/GI7RVMwz7kAY=
 4d63.com/gochecknoglobals v0.2.2 h1:H1vdnwnMaZdQW/N+NrkT1SZMTBmcwHe9Vq8lJcYYTtU=
 4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
-codeberg.org/chavacava/garif v0.2.0 h1:F0tVjhYbuOCnvNcU3YSpO6b3Waw6Bimy4K0mM8y6MfY=
-codeberg.org/chavacava/garif v0.2.0/go.mod h1:P2BPbVbT4QcvLZrORc2T29szK3xEOlnl0GiPTJmEqBQ=
-dev.gaijin.team/go/exhaustruct/v4 v4.0.0 h1:873r7aNneqoBB3IaFIzhvt2RFYTuHgmMjoKfwODoI1Y=
-dev.gaijin.team/go/exhaustruct/v4 v4.0.0/go.mod h1:aZ/k2o4Y05aMJtiux15x8iXaumE88YdiB0Ai4fXOzPI=
-dev.gaijin.team/go/golib v0.6.0 h1:v6nnznFTs4bppib/NyU1PQxobwDHwCXXl15P7DV5Zgo=
-dev.gaijin.team/go/golib v0.6.0/go.mod h1:uY1mShx8Z/aNHWDyAkZTkX+uCi5PdX7KsG1eDQa2AVE=
-github.com/4meepo/tagalign v1.4.3 h1:Bnu7jGWwbfpAie2vyl63Zup5KuRv21olsPIha53BJr8=
-github.com/4meepo/tagalign v1.4.3/go.mod h1:00WwRjiuSbrRJnSVeGWPLp2epS5Q/l4UEy0apLLS37c=
-github.com/Abirdcfly/dupword v0.1.6 h1:qeL6u0442RPRe3mcaLcbaCi2/Y/hOcdtw6DE9odjz9c=
-github.com/Abirdcfly/dupword v0.1.6/go.mod h1:s+BFMuL/I4YSiFv29snqyjwzDp4b65W2Kvy+PKzZ6cw=
-github.com/AdminBenni/iota-mixing v1.0.0 h1:Os6lpjG2dp/AE5fYBPAA1zfa2qMdCAWwPMCgpwKq7wo=
-github.com/AdminBenni/iota-mixing v1.0.0/go.mod h1:i4+tpAaB+qMVIV9OK3m4/DAynOd5bQFaOu+2AhtBCNY=
-github.com/AlwxSin/noinlineerr v1.0.5 h1:RUjt63wk1AYWTXtVXbSqemlbVTb23JOSRiNsshj7TbY=
-github.com/AlwxSin/noinlineerr v1.0.5/go.mod h1:+QgkkoYrMH7RHvcdxdlI7vYYEdgeoFOVjU9sUhw/rQc=
-github.com/Antonboom/errname v1.1.1 h1:bllB7mlIbTVzO9jmSWVWLjxTEbGBVQ1Ff/ClQgtPw9Q=
-github.com/Antonboom/errname v1.1.1/go.mod h1:gjhe24xoxXp0ScLtHzjiXp0Exi1RFLKJb0bVBtWKCWQ=
-github.com/Antonboom/nilnil v1.1.1 h1:9Mdr6BYd8WHCDngQnNVV0b554xyisFioEKi30sksufQ=
-github.com/Antonboom/nilnil v1.1.1/go.mod h1:yCyAmSw3doopbOWhJlVci+HuyNRuHJKIv6V2oYQa8II=
-github.com/Antonboom/testifylint v1.6.4 h1:gs9fUEy+egzxkEbq9P4cpcMB6/G0DYdMeiFS87UiqmQ=
-github.com/Antonboom/testifylint v1.6.4/go.mod h1:YO33FROXX2OoUfwjz8g+gUxQXio5i9qpVy7nXGbxDD4=
+github.com/4meepo/tagalign v1.4.2 h1:0hcLHPGMjDyM1gHG58cS73aQF8J4TdVR96TZViorO9E=
+github.com/4meepo/tagalign v1.4.2/go.mod h1:+p4aMyFM+ra7nb41CnFG6aSDXqRxU/w1VQqScKqDARI=
+github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
+github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
+github.com/Antonboom/errname v1.1.0 h1:A+ucvdpMwlo/myWrkHEUEBWc/xuXdud23S8tmTb/oAE=
+github.com/Antonboom/errname v1.1.0/go.mod h1:O1NMrzgUcVBGIfi3xlVuvX8Q/VP/73sseCaAppfjqZw=
+github.com/Antonboom/nilnil v1.1.0 h1:jGxJxjgYS3VUUtOTNk8Z1icwT5ESpLH/426fjmQG+ng=
+github.com/Antonboom/nilnil v1.1.0/go.mod h1:b7sAlogQjFa1wV8jUW3o4PMzDVFLbTux+xnQdvzdcIE=
+github.com/Antonboom/testifylint v1.6.0 h1:6rdILVPt4+rqcvhid8w9wJNynKLUgqHNpFyM67UeXyc=
+github.com/Antonboom/testifylint v1.6.0/go.mod h1:k+nEkathI2NFjKO6HvwmSrbzUcQ6FAnbZV+ZRrnXPLI=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/Djarvur/go-err113 v0.1.1 h1:eHfopDqXRwAi+YmCUas75ZE0+hoBHJ2GQNLYRSxao4g=
-github.com/Djarvur/go-err113 v0.1.1/go.mod h1:IaWJdYFLg76t2ihfflPZnM1LIQszWOsFDh2hhhAVF6k=
+github.com/Crocmagnon/fatcontext v0.7.1 h1:SC/VIbRRZQeQWj/TcQBS6JmrXcfA+BU4OGSVUt54PjM=
+github.com/Crocmagnon/fatcontext v0.7.1/go.mod h1:1wMvv3NXEBJucFGfwOJBxSVWcoIO6emV215SMkW9MFU=
+github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
+github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 h1:Sz1JIXEcSfhz7fUi7xHnhpIE0thVASYjvosApmHuD2k=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1/go.mod h1:n/LSCXNuIYqVfBlVXyHfMQkZDdp1/mmxfSjADd3z1Zg=
 github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
 github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
-github.com/MirrexOne/unqueryvet v1.2.1 h1:M+zdXMq84g+E1YOLa7g7ExN3dWfZQrdDSTCM7gC+m/A=
-github.com/MirrexOne/unqueryvet v1.2.1/go.mod h1:IWwCwMQlSWjAIteW0t+28Q5vouyktfujzYznSIWiuOg=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.1 h1:vckeWVESWp6Qog7UZSARNqfu/cZqvki8zsuj3piCMx4=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.1/go.mod h1:q4DKzC4UcVaAvcfd41CZh0PWpGgzrVxUYBlgKNGquUo=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/chroma/v2 v2.20.0 h1:sfIHpxPyR07/Oylvmcai3X/exDlE8+FA820NTz+9sGw=
-github.com/alecthomas/chroma/v2 v2.20.0/go.mod h1:e7tViK0xh/Nf4BYHl00ycY6rV7b8iXBksI9E359yNmA=
 github.com/alecthomas/go-check-sumtype v0.3.1 h1:u9aUvbGINJxLVXiFvHUlPEaD7VDULsrxJb4Aq31NLkU=
 github.com/alecthomas/go-check-sumtype v0.3.1/go.mod h1:A8TSiN3UPRw3laIgWEUOHHLPa6/r9MtoigdlP5h3K/E=
-github.com/alecthomas/repr v0.5.1 h1:E3G4t2QbHTSNpPKBgMTln5KLkZHLOcU7r37J4pXBuIg=
-github.com/alecthomas/repr v0.5.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
-github.com/alexkohler/nakedret/v2 v2.0.6 h1:ME3Qef1/KIKr3kWX3nti3hhgNxw6aqN5pZmQiFSsuzQ=
-github.com/alexkohler/nakedret/v2 v2.0.6/go.mod h1:l3RKju/IzOMQHmsEvXwkqMDzHHvurNQfAgE1eVmT40Q=
+github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=
+github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
+github.com/alexkohler/nakedret/v2 v2.0.5 h1:fP5qLgtwbx9EJE8dGEERT02YwS8En4r9nnZ71RK+EVU=
+github.com/alexkohler/nakedret/v2 v2.0.5/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
-github.com/alfatraining/structtag v1.0.0 h1:2qmcUqNcCoyVJ0up879K614L9PazjBSFruTB0GOFjCc=
-github.com/alfatraining/structtag v1.0.0/go.mod h1:p3Xi5SwzTi+Ryj64DqjLWz7XurHxbGsq6y3ubePJPus=
 github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw=
 github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqrSP7t/cW5+I=
-github.com/alingse/nilnesserr v0.2.0 h1:raLem5KG7EFVb4UIDAXgrv3N2JIaffeKNtcEXkEWd/w=
-github.com/alingse/nilnesserr v0.2.0/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
-github.com/ashanbrown/forbidigo/v2 v2.1.0 h1:NAxZrWqNUQiDz19FKScQ/xvwzmij6BiOw3S0+QUQ+Hs=
-github.com/ashanbrown/forbidigo/v2 v2.1.0/go.mod h1:0zZfdNAuZIL7rSComLGthgc/9/n2FqspBOH90xlCHdA=
-github.com/ashanbrown/makezero/v2 v2.0.1 h1:r8GtKetWOgoJ4sLyUx97UTwyt2dO7WkGFHizn/Lo8TY=
-github.com/ashanbrown/makezero/v2 v2.0.1/go.mod h1:kKU4IMxmYW1M4fiEHMb2vc5SFoPzXvgbMR9gIp5pjSw=
+github.com/alingse/nilnesserr v0.1.2 h1:Yf8Iwm3z2hUUrP4muWfW83DF4nE3r1xZ26fGWUKCZlo=
+github.com/alingse/nilnesserr v0.1.2/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
+github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8gerOIVIY=
+github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
+github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU=
+github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -62,22 +50,20 @@ github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5
 github.com/bkielbasa/cyclop v1.2.3/go.mod h1:kHTwA9Q0uZqOADdupvcFJQtp/ksSnytRMe8ztxG8Fuo=
 github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M=
 github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
-github.com/bombsimon/wsl/v4 v4.7.0 h1:1Ilm9JBPRczjyUs6hvOPKvd7VL1Q++PL8M0SXBDf+jQ=
-github.com/bombsimon/wsl/v4 v4.7.0/go.mod h1:uV/+6BkffuzSAVYD+yGyld1AChO7/EuLrCF/8xTiapg=
-github.com/bombsimon/wsl/v5 v5.2.0 h1:PyCCwd3Q7abGs3e34IW4jLYlBS+FbsU6iK+Tb3NnDp4=
-github.com/bombsimon/wsl/v5 v5.2.0/go.mod h1:Gp8lD04z27wm3FANIUPZycXp+8huVsn0oxc+n4qfV9I=
+github.com/bombsimon/wsl/v4 v4.6.0 h1:ew2R/N42su553DKTYqt3HSxaQN+uHQPv4xZ2MBmwaW4=
+github.com/bombsimon/wsl/v4 v4.6.0/go.mod h1:uV/+6BkffuzSAVYD+yGyld1AChO7/EuLrCF/8xTiapg=
 github.com/breml/bidichk v0.3.3 h1:WSM67ztRusf1sMoqH6/c4OBCUlRVTKq+CbSeo0R17sE=
 github.com/breml/bidichk v0.3.3/go.mod h1:ISbsut8OnjB367j5NseXEGGgO/th206dVa427kR8YTE=
 github.com/breml/errchkjson v0.4.1 h1:keFSS8D7A2T0haP9kzZTi7o26r7kE3vymjZNeNDRDwg=
 github.com/breml/errchkjson v0.4.1/go.mod h1:a23OvR6Qvcl7DG/Z4o0el6BRAjKnaReoPQFciAl9U3s=
-github.com/butuzov/ireturn v0.4.0 h1:+s76bF/PfeKEdbG8b54aCocxXmi0wvYdOVsWxVO7n8E=
-github.com/butuzov/ireturn v0.4.0/go.mod h1:ghI0FrCmap8pDWZwfPisFD1vEc56VKH4NpQUxDHta70=
+github.com/butuzov/ireturn v0.3.1 h1:mFgbEI6m+9W8oP/oDdfA34dLisRFCj2G6o/yiI1yZrY=
+github.com/butuzov/ireturn v0.3.1/go.mod h1:ZfRp+E7eJLC0NQmk1Nrm1LOrn/gQlOykv+cVPdiXH5M=
 github.com/butuzov/mirror v1.3.0 h1:HdWCXzmwlQHdVhwvsfBb2Au0r3HyINry3bDWLYXiKoc=
 github.com/butuzov/mirror v1.3.0/go.mod h1:AEij0Z8YMALaq4yQj9CPPVYOyJQyiexpQEQgihajRfI=
 github.com/catenacyber/perfsprint v0.9.1 h1:5LlTp4RwTooQjJCvGEFV6XksZvWE7wCOUvjD2z0vls0=
 github.com/catenacyber/perfsprint v0.9.1/go.mod h1:q//VWC2fWbcdSLEY1R3l8n0zQCDPdE4IjZwyY1HMunM=
-github.com/ccojocar/zxcvbn-go v1.0.4 h1:FWnCIRMXPj43ukfX000kvBZvV6raSxakYr1nzyNrUcc=
-github.com/ccojocar/zxcvbn-go v1.0.4/go.mod h1:3GxGX+rHmueTUMvm5ium7irpyjmm7ikxYFOSJB21Das=
+github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
+github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charithe/durationcheck v0.0.10 h1:wgw73BiocdBDQPik+zcEoBG/ob8uyBHf2iyoHGPf5w4=
@@ -92,13 +78,15 @@ github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd h1:vy0G
 github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
+github.com/chavacava/garif v0.1.0 h1:2JHa3hbYf5D9dsgseMKAmc/MZ109otzgNFk5s87H9Pc=
+github.com/chavacava/garif v0.1.0/go.mod h1:XMyYCkEL58DF0oyW4qDjjnPWONs2HBqYKI+UIPD+Gww=
 github.com/ckaznocha/intrange v0.3.1 h1:j1onQyXvHUsPWujDH6WIjhyH26gkRt/txNlV7LspvJs=
 github.com/ckaznocha/intrange v0.3.1/go.mod h1:QVepyz1AkUoFQkpEqksSYpNpUo3c5W7nWh/s6SHIJJk=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
 github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
-github.com/daixiang0/gci v0.13.7 h1:+0bG5eK9vlI08J+J/NWGbWPTNiXPG4WhNLJOkSxWITQ=
-github.com/daixiang0/gci v0.13.7/go.mod h1:812WVN6JLFY9S6Tv76twqmNqevN0pa3SX3nih0brVzQ=
+github.com/daixiang0/gci v0.13.6 h1:RKuEOSkGpSadkGbvZ6hJ4ddItT3cVZ9Vn9Rybk6xjl8=
+github.com/daixiang0/gci v0.13.6/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
 github.com/dave/dst v0.27.3 h1:P1HPoMza3cMEquVf9kKy8yXsFirry4zEnWOdYPOoIzY=
 github.com/dave/dst v0.27.3/go.mod h1:jHh6EOibnHgcUW3WjKHisiooEkYwqpHLBSX1iOBhEyc=
 github.com/dave/jennifer v1.7.1 h1:B4jJJDHelWcDhlRQxWeo0Npa/pYKBLrirAQoTN45txo=
@@ -109,28 +97,28 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denis-tingaikin/go-header v0.5.0 h1:SRdnP5ZKvcO9KKRP1KJrhFR3RrlGuD+42t4429eC9k8=
 github.com/denis-tingaikin/go-header v0.5.0/go.mod h1:mMenU5bWrok6Wl2UsZjy+1okegmwQ3UgWl4V1D8gjlY=
-github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
-github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/ettle/strcase v0.2.0 h1:fGNiVF21fHXpX1niBgk0aROov1LagYsOwV/xqKDKR/Q=
 github.com/ettle/strcase v0.2.0/go.mod h1:DajmHElDSaX76ITe3/VHVyMin4LWSJN5Z909Wp+ED1A=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
-github.com/firefart/nonamedreturns v1.0.6 h1:vmiBcKV/3EqKY3ZiPxCINmpS431OcE1S47AQUwhrg8E=
-github.com/firefart/nonamedreturns v1.0.6/go.mod h1:R8NisJnSIpvPWheCq0mNRXJok6D8h7fagJTF8EMEwCo=
+github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA=
+github.com/firefart/nonamedreturns v1.0.5/go.mod h1:gHJjDqhGM4WyPt639SOZs+G89Ko7QKH5R5BhnO6xJhw=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fzipp/gocyclo v0.6.0 h1:lsblElZG7d3ALtGMx9fmxeTKZaLLpU8mET09yN4BBLo=
 github.com/fzipp/gocyclo v0.6.0/go.mod h1:rXPyn8fnlpa0R2csP/31uerbiVBugk5whMdlyaLkLoA=
-github.com/ghostiam/protogetter v0.3.16 h1:UkrisuJBYLnZW6FcYUNBDJOqY3X22RtoYMlCsiNlFFA=
-github.com/ghostiam/protogetter v0.3.16/go.mod h1:4SRRIv6PcjkIMpUkRUsP4TsUTqO/N3Fmvwivuc/sCHA=
+github.com/ghostiam/protogetter v0.3.12 h1:xTPjH97iKph27vXRRKV0OCke5sAMoHPbVeVstdzmCLE=
+github.com/ghostiam/protogetter v0.3.12/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
 github.com/go-critic/go-critic v0.13.0 h1:kJzM7wzltQasSUXtYyTl6UaPVySO6GkaR1thFnJ6afY=
 github.com/go-critic/go-critic v0.13.0/go.mod h1:M/YeuJ3vOCQDnP2SU+ZhjgRzwzcBW87JqLpMJLrZDLI=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
 github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
@@ -154,56 +142,53 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
 github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/godoc-lint/godoc-lint v0.10.0 h1:OcyrziBi18sQSEpib6NesVHEJ/Xcng97NunePBA48g4=
-github.com/godoc-lint/godoc-lint v0.10.0/go.mod h1:KleLcHu/CGSvkjUH2RvZyoK1MBC7pDQg4NxMYLcBBsw=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
-github.com/golangci/asciicheck v0.5.0 h1:jczN/BorERZwK8oiFBOGvlGPknhvq0bjnysTj4nUfo0=
-github.com/golangci/asciicheck v0.5.0/go.mod h1:5RMNAInbNFw2krqN6ibBxN/zfRFa9S6tA1nPdM0l8qQ=
 github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 h1:WUvBfQL6EW/40l6OmeSBYQJNSif4O11+bmWEz+C7FYw=
 github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32/go.mod h1:NUw9Zr2Sy7+HxzdjIULge71wI6yEg1lWQr7Evcu8K0E=
-github.com/golangci/go-printf-func-name v0.1.1 h1:hIYTFJqAGp1iwoIfsNTpoq1xZAarogrvjO9AfiW3B4U=
-github.com/golangci/go-printf-func-name v0.1.1/go.mod h1:Es64MpWEZbh0UBtTAICOZiB+miW53w/K9Or/4QogJss=
+github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU=
+github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d h1:viFft9sS/dxoYY0aiOTsLKO2aZQAPT4nlQCsimGcSGE=
 github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d/go.mod h1:ivJ9QDg0XucIkmwhzCDsqcnxxlDStoTl89jDMIoNxKY=
-github.com/golangci/golangci-lint/v2 v2.5.0 h1:BDRg4ASm4J1y/DSRY6zwJ5tr5Yy8ZqbZ79XrCeFxaQo=
-github.com/golangci/golangci-lint/v2 v2.5.0/go.mod h1:IJtWJBZkLbx7AVrIUzLd8Oi3ADtwaNpWbR3wthVWHcc=
+github.com/golangci/golangci-lint/v2 v2.0.2 h1:dMCC8ikPiLDvHMFy3+XypSAuGDBOLzwWqqamer+bWsY=
+github.com/golangci/golangci-lint/v2 v2.0.2/go.mod h1:ptNNMeGBQrbves0Qq38xvfdJg18PzxmT+7KRCOpm6i8=
 github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 h1:AkK+w9FZBXlU/xUmBtSJN1+tAI4FIvy5WtnUnY8e4p8=
 github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95/go.mod h1:k9mmcyWKSTMcPPvQUCfRWWQ9VHJ1U9Dc0R7kaXAgtnQ=
-github.com/golangci/misspell v0.7.0 h1:4GOHr/T1lTW0hhR4tgaaV1WS/lJ+ncvYCoFKmqJsj0c=
-github.com/golangci/misspell v0.7.0/go.mod h1:WZyyI2P3hxPY2UVHs3cS8YcllAeyfquQcKfdeE9AFVg=
-github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe h1:F1pK9tBy41i7eesBFkSNMldwtiAaWiU+3fT/24sTnNI=
-github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe/go.mod h1:CtTxAluxD2ng9aIT9bPrVoMuISFWCD+SaxtvYtdWA2k=
-github.com/golangci/plugin-module-register v0.1.2 h1:e5WM6PO6NIAEcij3B053CohVp3HIYbzSuP53UAYgOpg=
-github.com/golangci/plugin-module-register v0.1.2/go.mod h1:1+QGTsKBvAIvPvoY/os+G5eoqxWn70HYDm2uvUyGuVw=
+github.com/golangci/misspell v0.6.0 h1:JCle2HUTNWirNlDIAUO44hUsKhOFqGPoC4LZxlaSXDs=
+github.com/golangci/misspell v0.6.0/go.mod h1:keMNyY6R9isGaSAu+4Q8NMBwMPkh15Gtc8UCVoDtAWo=
+github.com/golangci/plugin-module-register v0.1.1 h1:TCmesur25LnyJkpsVrupv1Cdzo+2f7zX0H6Jkw1Ol6c=
+github.com/golangci/plugin-module-register v0.1.1/go.mod h1:TTpqoB6KkwOJMV8u7+NyXMrkwwESJLOkfl9TxR1DGFc=
 github.com/golangci/revgrep v0.8.0 h1:EZBctwbVd0aMeRnNUsFogoyayvKHyxlV3CdUA46FX2s=
 github.com/golangci/revgrep v0.8.0/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
-github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e h1:ai0EfmVYE2bRA5htgAG9r7s3tHsfjIhN98WshBTJ9jM=
-github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e/go.mod h1:Vrn4B5oR9qRwM+f54koyeH3yzphlecwERs0el27Fr/s=
-github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e h1:gD6P7NEo7Eqtt0ssnqSJNNndxe69DOQ24A5h7+i3KpM=
-github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e/go.mod h1:h+wZwLjUTJnm/P2rwlbJdRPZXOzaT36/FwnPnY2inzc=
+github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed h1:IURFTjxeTfNFP0hTEi1YKjB/ub8zkpaOqFFMApi2EAs=
+github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed/go.mod h1:XLXN8bNw4CGRPaqgl3bv/lhz7bsGPh4/xSaMTbo2vkQ=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18=
-github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA=
-github.com/gordonklaus/ineffassign v0.2.0 h1:Uths4KnmwxNJNzq87fwQQDDnbNb7De00VOk9Nu0TySs=
-github.com/gordonklaus/ineffassign v0.2.0/go.mod h1:TIpymnagPSexySzs7F9FnO1XFTy8IT3a59vmZp5Y9Lw=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/gordonklaus/ineffassign v0.1.0 h1:y2Gd/9I7MdY1oEIt+n+rowjBNDcLQq3RsH5hwJd0f9s=
+github.com/gordonklaus/ineffassign v0.1.0/go.mod h1:Qcp2HIAYhR7mNUVSIxZww3Guk4it82ghYcEXIAk+QT0=
 github.com/gostaticanalysis/analysisutil v0.7.1 h1:ZMCjoue3DtDWQ5WyU16YbjbQEQ3VuzwxALrpYd+HeKk=
 github.com/gostaticanalysis/analysisutil v0.7.1/go.mod h1:v21E3hY37WKMGSnbsw2S/ojApNWb6C1//mXO48CXbVc=
+github.com/gostaticanalysis/comment v1.4.1/go.mod h1:ih6ZxzTHLdadaiSnF5WY3dxUoXfXAlTaRzuaNDlSado=
 github.com/gostaticanalysis/comment v1.4.2/go.mod h1:KLUTGDv6HOCotCH8h2erHKmpci2ZoR8VPu34YA2uzdM=
 github.com/gostaticanalysis/comment v1.5.0 h1:X82FLl+TswsUMpMh17srGRuKaaXprTaytmEpgnKIDu8=
 github.com/gostaticanalysis/comment v1.5.0/go.mod h1:V6eb3gpCv9GNVqb6amXzEUX3jXLVK/AdA+IrAMSqvEc=
 github.com/gostaticanalysis/forcetypeassert v0.2.0 h1:uSnWrrUEYDr86OCxWa4/Tp2jeYDlogZiZHzGkWFefTk=
 github.com/gostaticanalysis/forcetypeassert v0.2.0/go.mod h1:M5iPavzE9pPqWyeiVXSFghQjljW1+l/Uke3PXHS6ILY=
+github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3Uqrmrcpk=
+github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A=
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
 github.com/gostaticanalysis/testutil v0.5.0 h1:Dq4wT1DdTwTGCQQv3rl3IvD5Ld0E6HiY+3Zh0sUGqw8=
 github.com/gostaticanalysis/testutil v0.5.0/go.mod h1:OLQSbuM6zw2EvCcXTz1lVq5unyoNft372msDY0nY5Hs=
@@ -220,12 +205,12 @@ github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUq
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/jgautheron/goconst v1.8.2 h1:y0XF7X8CikZ93fSNT6WBTb/NElBu9IjaY7CCYQrCMX4=
-github.com/jgautheron/goconst v1.8.2/go.mod h1:A0oxgBCHy55NQn6sYpO7UdnA9p+h7cPtoOZUmvNIako=
+github.com/jgautheron/goconst v1.7.1 h1:VpdAG7Ca7yvvJk5n8dMwQhfEZJh95kl/Hl9S1OI5Jkk=
+github.com/jgautheron/goconst v1.7.1/go.mod h1:aAosetZ5zaeC/2EfMeRswtxUFBpe2Hr7HzkgX4fanO4=
 github.com/jingyugao/rowserrcheck v1.1.1 h1:zibz55j/MJtLsjP1OF4bSdgXxwL1b+Vn7Tjzq7gFzUs=
 github.com/jingyugao/rowserrcheck v1.1.1/go.mod h1:4yvlZSDb3IyDTUZJUmpZfm2Hwok+Dtp+nu2qOq+er9c=
-github.com/jjti/go-spancheck v0.6.5 h1:lmi7pKxa37oKYIMScialXUK6hP3iY5F1gu+mLBPgYB8=
-github.com/jjti/go-spancheck v0.6.5/go.mod h1:aEogkeatBrbYsyW6y5TgDfihCulDYciL1B7rG2vSsrU=
+github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpRRc=
+github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
 github.com/julz/importas v0.2.0 h1:y+MJN/UdL63QbFJHws9BVC5RpA2iq0kpjrFajTGivjQ=
 github.com/julz/importas v0.2.0/go.mod h1:pThlt589EnCYtMnmhmRYY/qn9lCf/frPOK+WMx3xiJY=
 github.com/karamaru-alpha/copyloopvar v1.2.1 h1:wmZaZYIjnJ0b5UoKDjUHrikcV0zuPyyxI4SVplLd2CI=
@@ -241,32 +226,28 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kulti/thelper v0.7.1 h1:fI8QITAoFVLx+y+vSyuLBP+rcVIB8jKooNSCT2EiI98=
-github.com/kulti/thelper v0.7.1/go.mod h1:NsMjfQEy6sd+9Kfw8kCP61W1I0nerGSYSFnGaxQkcbs=
-github.com/kunwardeep/paralleltest v1.0.14 h1:wAkMoMeGX/kGfhQBPODT/BL8XhK23ol/nuQ3SwFaUw8=
-github.com/kunwardeep/paralleltest v1.0.14/go.mod h1:di4moFqtfz3ToSKxhNjhOZL+696QtJGCFe132CbBLGk=
+github.com/kulti/thelper v0.6.3 h1:ElhKf+AlItIu+xGnI990no4cE2+XaSu1ULymV2Yulxs=
+github.com/kulti/thelper v0.6.3/go.mod h1:DsqKShOvP40epevkFrvIwkCMNYxMeTNjdWL4dqWHZ6I=
+github.com/kunwardeep/paralleltest v1.0.10 h1:wrodoaKYzS2mdNVnc4/w31YaXFtsc21PCTdvWJ/lDDs=
+github.com/kunwardeep/paralleltest v1.0.10/go.mod h1:2C7s65hONVqY7Q5Efj5aLzRCNLjw2h4eMc9EcypGjcY=
 github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4=
 github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI=
-github.com/ldez/exptostd v0.4.4 h1:58AtQjnLcT/tI5W/1KU7xE/O7zW9RAWB6c/ScQAnfus=
-github.com/ldez/exptostd v0.4.4/go.mod h1:QfdzPw6oHjFVdNV7ILoPu5sw3OZ3OG1JS0I5JN3J4Js=
-github.com/ldez/gomoddirectives v0.7.0 h1:EOx8Dd56BZYSez11LVgdj025lKwlP0/E5OLSl9HDwsY=
-github.com/ldez/gomoddirectives v0.7.0/go.mod h1:wR4v8MN9J8kcwvrkzrx6sC9xe9Cp68gWYCsda5xvyGc=
-github.com/ldez/grignotin v0.10.1 h1:keYi9rYsgbvqAZGI1liek5c+jv9UUjbvdj3Tbn5fn4o=
-github.com/ldez/grignotin v0.10.1/go.mod h1:UlDbXFCARrXbWGNGP3S5vsysNXAPhnSuBufpTEbwOas=
-github.com/ldez/tagliatelle v0.7.2 h1:KuOlL70/fu9paxuxbeqlicJnCspCRjH0x8FW+NfgYUk=
-github.com/ldez/tagliatelle v0.7.2/go.mod h1:PtGgm163ZplJfZMZ2sf5nhUT170rSuPgBimoyYtdaSI=
-github.com/ldez/usetesting v0.5.0 h1:3/QtzZObBKLy1F4F8jLuKJiKBjjVFi1IavpoWbmqLwc=
-github.com/ldez/usetesting v0.5.0/go.mod h1:Spnb4Qppf8JTuRgblLrEWb7IE6rDmUpGvxY3iRrzvDQ=
+github.com/ldez/exptostd v0.4.2 h1:l5pOzHBz8mFOlbcifTxzfyYbgEmoUqjxLFHZkjlbHXs=
+github.com/ldez/exptostd v0.4.2/go.mod h1:iZBRYaUmcW5jwCR3KROEZ1KivQQp6PHXbDPk9hqJKCQ=
+github.com/ldez/gomoddirectives v0.6.1 h1:Z+PxGAY+217f/bSGjNZr/b2KTXcyYLgiWI6geMBN2Qc=
+github.com/ldez/gomoddirectives v0.6.1/go.mod h1:cVBiu3AHR9V31em9u2kwfMKD43ayN5/XDgr+cdaFaKs=
+github.com/ldez/grignotin v0.9.0 h1:MgOEmjZIVNn6p5wPaGp/0OKWyvq42KnzAt/DAb8O4Ow=
+github.com/ldez/grignotin v0.9.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
+github.com/ldez/tagliatelle v0.7.1 h1:bTgKjjc2sQcsgPiT902+aadvMjCeMHrY7ly2XKFORIk=
+github.com/ldez/tagliatelle v0.7.1/go.mod h1:3zjxUpsNB2aEZScWiZTHrAXOl1x25t3cRmzfK1mlo2I=
+github.com/ldez/usetesting v0.4.2 h1:J2WwbrFGk3wx4cZwSMiCQQ00kjGR0+tuuyW0Lqm4lwA=
+github.com/ldez/usetesting v0.4.2/go.mod h1:eEs46T3PpQ+9RgN9VjpY6qWdiw2/QmfiDeWmdZdrjIQ=
 github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY=
 github.com/leonklingele/grouper v1.1.2/go.mod h1:6D0M/HVkhs2yRKRFZUoGjeDy7EZTfFBE9gl4kjmIGkA=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/macabu/inamedparam v0.2.0 h1:VyPYpOc10nkhI2qeNUdh3Zket4fcZjEWe35poddBCpE=
 github.com/macabu/inamedparam v0.2.0/go.mod h1:+Pee9/YfGe5LJ62pYXqB89lJ+0k5bsR8Wgz/C0Zlq3U=
-github.com/manuelarte/embeddedstructfieldcheck v0.4.0 h1:3mAIyaGRtjK6EO9E73JlXLtiy7ha80b2ZVGyacxgfww=
-github.com/manuelarte/embeddedstructfieldcheck v0.4.0/go.mod h1:z8dFSyXqp+fC6NLDSljRJeNQJJDWnY7RoWFzV3PC6UM=
-github.com/manuelarte/funcorder v0.5.0 h1:llMuHXXbg7tD0i/LNw8vGnkDTHFpTnWqKPI85Rknc+8=
-github.com/manuelarte/funcorder v0.5.0/go.mod h1:Yt3CiUQthSBMBxjShjdXMexmzpP8YGvGLjrxJNkO2hA=
 github.com/maratori/testableexamples v1.0.0 h1:dU5alXRrD8WKSjOUnmJZuzdxWOEQ57+7s93SLMxb2vI=
 github.com/maratori/testableexamples v1.0.0/go.mod h1:4rhjL1n20TUTT4vdh3RDqSizKLyXp7K2u6HgraZCGzE=
 github.com/maratori/testpackage v1.1.1 h1:S58XVV5AD7HADMmD0fNnziNHqKvSdDuEKdPD1rNTU04=
@@ -280,10 +261,11 @@ github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHP
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mgechev/revive v1.12.0 h1:Q+/kkbbwerrVYPv9d9efaPGmAO/NsxwW/nE6ahpQaCU=
-github.com/mgechev/revive v1.12.0/go.mod h1:VXsY2LsTigk8XU9BpZauVLjVrhICMOV3k1lpB3CXrp8=
+github.com/mgechev/revive v1.7.0 h1:JyeQ4yO5K8aZhIKf5rec56u0376h8AlKNQEmjfkjKlY=
+github.com/mgechev/revive v1.7.0/go.mod h1:qZnwcNhoguE58dfi96IJeSTPeZQejNeoMQLUZGi4SW4=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moricho/tparallel v0.3.2 h1:odr8aZVFA3NZrNybggMkYO3rgPRcqjeQUlBBFVxKHTI=
@@ -298,12 +280,14 @@ github.com/nishanths/exhaustive v0.12.0 h1:vIY9sALmw6T/yxiASewa4TQcFsVYZQQRUQJhK
 github.com/nishanths/exhaustive v0.12.0/go.mod h1:mEZ95wPIZW+x8kC4TgC+9YCUgiST7ecevsVDTgc2obs=
 github.com/nishanths/predeclared v0.2.2 h1:V2EPdZPliZymNAn79T8RkNApBjMmVKh5XRpLm/w98Vk=
 github.com/nishanths/predeclared v0.2.2/go.mod h1:RROzoN6TnGQupbC+lqggsOlcgysk3LMK/HI84Mp280c=
-github.com/nunnatsa/ginkgolinter v0.21.0 h1:IYwuX+ajy3G1MezlMLB1BENRtFj16+Evyi4uki1NOOQ=
-github.com/nunnatsa/ginkgolinter v0.21.0/go.mod h1:QlzY9UP9zaqu58FjYxhp9bnjuwXwG1bfW5rid9ChNMw=
-github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
-github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
-github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
-github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
+github.com/nunnatsa/ginkgolinter v0.19.1 h1:mjwbOlDQxZi9Cal+KfbEJTCz327OLNfwNvoZ70NJ+c4=
+github.com/nunnatsa/ginkgolinter v0.19.1/go.mod h1:jkQ3naZDmxaZMXPWaS9rblH+i+GWXQCaS/JFIWcOH2s=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU=
+github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
+github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
+github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
@@ -311,13 +295,13 @@ github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJ
 github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
 github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
 github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/polyfloyd/go-errorlint v1.8.0 h1:DL4RestQqRLr8U4LygLw8g2DX6RN1eBJOpa2mzsrl1Q=
-github.com/polyfloyd/go-errorlint v1.8.0/go.mod h1:G2W0Q5roxbLCt0ZQbdoxQxXktTjwNyDbEaj3n7jvl4s=
+github.com/polyfloyd/go-errorlint v1.7.1 h1:RyLVXIbosq1gBdk/pChWA8zWYLsq9UEw7a1L5TVMCnA=
+github.com/polyfloyd/go-errorlint v1.7.1/go.mod h1:aXjNb1x2TNhoLsk26iv1yl7a+zTnXPhwEMtEXukiLR8=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
 github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
@@ -354,14 +338,14 @@ github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsF
 github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
 github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
-github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw=
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
-github.com/sashamelentyev/usestdlibvars v1.29.0 h1:8J0MoRrw4/NAXtjQqTHrbW9NN+3iMf7Knkq057v4XOQ=
-github.com/sashamelentyev/usestdlibvars v1.29.0/go.mod h1:8PpnjHMk5VdeWlVb4wCdrB8PNbLqZ3wBZTZWkrpZZL8=
-github.com/securego/gosec/v2 v2.22.8 h1:3NMpmfXO8wAVFZPNsd3EscOTa32Jyo6FLLlW53bexMI=
-github.com/securego/gosec/v2 v2.22.8/go.mod h1:ZAw8K2ikuH9qDlfdV87JmNghnVfKB1XC7+TVzk6Utto=
+github.com/sashamelentyev/usestdlibvars v1.28.0 h1:jZnudE2zKCtYlGzLVreNp5pmCdOxXUzwsMDBkR21cyQ=
+github.com/sashamelentyev/usestdlibvars v1.28.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
+github.com/securego/gosec/v2 v2.22.2 h1:IXbuI7cJninj0nRpZSLCUlotsj8jGusohfONMrHoF6g=
+github.com/securego/gosec/v2 v2.22.2/go.mod h1:UEBGA+dSKb+VqM6TdehR7lnQtIIMorYJ4/9CW1KVQBE=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
@@ -370,22 +354,21 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+Wwfd0XE=
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
-github.com/sonatard/noctx v0.4.0 h1:7MC/5Gg4SQ4lhLYR6mvOP6mQVSxCrdyiExo7atBs27o=
-github.com/sonatard/noctx v0.4.0/go.mod h1:64XdbzFb18XL4LporKXp8poqZtPKbCrqQ402CV+kJas=
+github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM=
+github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
-github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
-github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
@@ -393,27 +376,35 @@ github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRk
 github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4=
 github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/tdakkota/asciicheck v0.4.1 h1:bm0tbcmi0jezRA2b5kg4ozmMuGAFotKI3RZfrhfovg8=
+github.com/tdakkota/asciicheck v0.4.1/go.mod h1:0k7M3rCfRXb0Z6bwgvkEIMleKH3kXNz9UqJ9Xuqopr8=
 github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA=
 github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3 h1:f+jULpRQGxTSkNYKJ51yaw6ChIqO+Je8UqsTKN/cDag=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
-github.com/tetafro/godot v1.5.4 h1:u1ww+gqpRLiIA16yF2PV1CV1n/X3zhyezbNXC3E14Sg=
-github.com/tetafro/godot v1.5.4/go.mod h1:eOkMrVQurDui411nBY2FA05EYH01r14LuWY/NrVDVcU=
+github.com/tetafro/godot v1.5.0 h1:aNwfVI4I3+gdxjMgYPus9eHmoBeJIbnajOyqZYStzuw=
+github.com/tetafro/godot v1.5.0/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
 github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 h1:9LPGD+jzxMlnk5r6+hJnar67cgpDIz/iyD+rfl5r2Vk=
 github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67/go.mod h1:mkjARE7Yr8qU23YcGMSALbIxTQ9r9QBVahQOBRfU460=
-github.com/timonwong/loggercheck v0.11.0 h1:jdaMpYBl+Uq9mWPXv1r8jc5fC3gyXx4/WGwTnnNKn4M=
-github.com/timonwong/loggercheck v0.11.0/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8=
-github.com/tomarrell/wrapcheck/v2 v2.11.0 h1:BJSt36snX9+4WTIXeJ7nvHBQBcm1h2SjQMSlmQ6aFSU=
-github.com/tomarrell/wrapcheck/v2 v2.11.0/go.mod h1:wFL9pDWDAbXhhPZZt+nG8Fu+h29TtnZ2MW6Lx4BRXIU=
+github.com/timonwong/loggercheck v0.10.1 h1:uVZYClxQFpw55eh+PIoqM7uAOHMrhVcDoWDery9R8Lg=
+github.com/timonwong/loggercheck v0.10.1/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8=
+github.com/tomarrell/wrapcheck/v2 v2.10.0 h1:SzRCryzy4IrAH7bVGG4cK40tNUhmVmMDuJujy4XwYDg=
+github.com/tomarrell/wrapcheck/v2 v2.10.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
 github.com/ultraware/funlen v0.2.0 h1:gCHmCn+d2/1SemTdYMiKLAHFYxTYz7z9VIDRaTGyLkI=
@@ -422,8 +413,8 @@ github.com/ultraware/whitespace v0.2.0 h1:TYowo2m9Nfj1baEQBjuHzvMRbp19i+RCcRYrSW
 github.com/ultraware/whitespace v0.2.0/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
 github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
 github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
-github.com/uudashr/iface v1.4.1 h1:J16Xl1wyNX9ofhpHmQ9h9gk5rnv2A6lX/2+APLTo0zU=
-github.com/uudashr/iface v1.4.1/go.mod h1:pbeBPlbuU2qkNDn0mmfrxP2X+wjPMIQAy+r1MBXSXtg=
+github.com/uudashr/iface v1.3.1 h1:bA51vmVx1UIhiIsQFSNq6GZ6VPTk3WNMZgRiCe9R29U=
+github.com/uudashr/iface v1.3.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
 github.com/xen0n/gosmopolitan v1.3.0 h1:zAZI1zefvo7gcpbCOrPSHJZJYA9ZgLfJqtKzZ5pHqQM=
 github.com/xen0n/gosmopolitan v1.3.0/go.mod h1:rckfr5T6o4lBtM1ga7mLGKZmLxswUoH1zxHgNXOsEt4=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
@@ -444,14 +435,10 @@ gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo=
 gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8=
 go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ=
 go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28=
-go-simpler.org/musttag v0.14.0 h1:XGySZATqQYSEV3/YTy+iX+aofbZZllJaqwFWs+RTtSo=
-go-simpler.org/musttag v0.14.0/go.mod h1:uP8EymctQjJ4Z1kUnjX0u2l60WfUdQxCwSNKzE1JEOE=
-go-simpler.org/sloglint v0.11.1 h1:xRbPepLT/MHPTCA6TS/wNfZrDzkGvCCqUv4Bdwc3H7s=
-go-simpler.org/sloglint v0.11.1/go.mod h1:2PowwiCOK8mjiF+0KGifVOT8ZsCNiFzvfyJeJOIt8MQ=
-go.augendre.info/arangolint v0.2.0 h1:2NP/XudpPmfBhQKX4rMk+zDYIj//qbt4hfZmSSTcpj8=
-go.augendre.info/arangolint v0.2.0/go.mod h1:Vx4KSJwu48tkE+8uxuf0cbBnAPgnt8O1KWiT7bljq7w=
-go.augendre.info/fatcontext v0.8.1 h1:/T4+cCjpL9g71gJpcFAgVo/K5VFpqlN+NPU7QXxD5+A=
-go.augendre.info/fatcontext v0.8.1/go.mod h1:r3Qz4ZOzex66wfyyj5VZ1xUcl81vzvHQ6/GWzzlMEwA=
+go-simpler.org/musttag v0.13.0 h1:Q/YAW0AHvaoaIbsPj3bvEI5/QFP7w696IMUpnKXQfCE=
+go-simpler.org/musttag v0.13.0/go.mod h1:FTzIGeK6OkKlUDVpj0iQUXZLUO1Js9+mvykDQy9C5yM=
+go-simpler.org/sloglint v0.9.0 h1:/40NQtjRx9txvsB/RN022KsUJU+zaaSb/9q9BSefSrE=
+go-simpler.org/sloglint v0.9.0/go.mod h1:G/OrAF6uxj48sHahCzrbarVMptL2kjWTaUeC8+fOGww=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -470,19 +457,21 @@ golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 h1:Yl4H5w2RV7L/dvSHp2GerziT5K2CORgFINPaMFxWGWw=
-golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621/go.mod h1:4Mzdyp/6jzw9auFDJ3OMF5qksa7UvPnzKqTVGcb04ms=
+golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac h1:TSSpLIG4v+p0rPv1pNOQtl1I8knsO4S9trOxNMOLVP4=
+golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
-golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -492,12 +481,14 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.45.0 h1:RLBg5JKixCy82FtLJpeNlVM0nrSqpCRYzVU1n8kj0tM=
-golang.org/x/net v0.45.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -507,8 +498,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -524,16 +515,19 @@ golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
@@ -542,29 +536,33 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200329025819-fd4102a86c65/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
 golang.org/x/tools v0.0.0-20200724022722-7017fd6b1305/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200820010801-b793a1359eac/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1-0.20210205202024-ef80cdb6ec6d/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1-0.20210302220138-2ac05c832e1a/go.mod h1:9bzcO0MWcOuT0tm1iBGzDVPshzfwoVvREIui8C+MHqU=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE=
-golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w=
-golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
-golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
-golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
-golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -576,13 +574,14 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.6.1 h1:R094WgE8K4JirYjBaOpz/AvTyUu/3wbmAoskKN/pxTI=
 honnef.co/go/tools v0.6.1/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
-mvdan.cc/gofumpt v0.9.1 h1:p5YT2NfFWsYyTieYgwcQ8aKV3xRvFH4uuN/zB2gBbMQ=
-mvdan.cc/gofumpt v0.9.1/go.mod h1:3xYtNemnKiXaTh6R4VtlqDATFwBbdXI8lJvH/4qk7mw=
+mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU=
+mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo=
 mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 h1:WjUu4yQoT5BHT1w8Zu56SP8367OuBV5jvo+4Ulppyf8=
 mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4/go.mod h1:rthT7OuvRbaGcd5ginj6dA2oLE7YNlta9qhBNNdCaLE=

.citools/install.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-TOOLS_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-TOOLS_SRC_DIR="$TOOLS_BASE_DIR/src"
-
-IMPORT_PATH_WITH_VERSION="$1"
-
-if [[ "$IMPORT_PATH_WITH_VERSION" != *"@"* ]]; then
-  echo "Error: tool version must be specified (e.g., github.com/foo/bar@v1.2.3)"
-  exit 1
-fi
-
-TOOL_PATH="${IMPORT_PATH_WITH_VERSION%@*}"
-TOOL_NAME="${TOOL_PATH##*/}"
-
-TOOL_DIR="$TOOLS_SRC_DIR/$TOOL_NAME"
-MOD_FILE="$TOOL_DIR/go.mod"
-
-mkdir -p "$TOOL_DIR"
-cd "$TOOL_DIR"
-
-  # Create a new module if go.mod doesn't exist
-if [ ! -f go.mod ]; then
-  go mod init "$TOOL_NAME"
-fi
-
-go get -tool --modfile="$MOD_FILE" "$IMPORT_PATH_WITH_VERSION"
-echo "Installed $TOOL_NAME"
-echo "  Directory: $TOOL_DIR"
-echo "  Modfile: $MOD_FILE"
-
-exec "$TOOLS_BASE_DIR/generate.sh"

.citools/jb/go.mod

@@ -1,6 +1,6 @@
 module jb
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb
 
@@ -15,6 +15,6 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
 )

.citools/jb/go.sum

@@ -54,8 +54,8 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/lefthook/go.mod

@@ -1,6 +1,6 @@
 module lefthook
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/evilmartians/lefthook
 
@@ -18,7 +18,7 @@ require (
 	github.com/evilmartians/lefthook v1.4.8 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -43,9 +43,10 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

.citools/lefthook/go.sum

@@ -29,8 +29,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -91,14 +91,14 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
 golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 h1:8ajkpB4hXVftY5ko905id+dOnmorcS2CHNxxHLLDcFM=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61/go.mod h1:IfMagxm39Ys4ybJrDb7W3Ob8RwxftP0Yy+or/NVz1O8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

.citools/swagger/go.mod

@@ -1,6 +1,6 @@
 module swagger
 
-go 1.25.3
+go 1.24.3
 
 tool github.com/go-swagger/go-swagger/cmd/swagger
 
@@ -24,7 +24,7 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
@@ -51,12 +51,12 @@ require (
 	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.16.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
-	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
-	golang.org/x/tools v0.36.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

.citools/swagger/go.sum

@@ -41,8 +41,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37 h1:KFcZmKdZmapAog2+eL1buervAYrYolBZk7fMecPPDmo=
 github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37/go.mod h1:i1/E+d8iPNReSE7y04FaVu5OPKB3il5cn+T1Egogg3I=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -101,19 +101,19 @@ go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4
 go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
-golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
-golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

.drone.star

@@ -12,6 +12,7 @@ load("scripts/drone/events/main.star", "main_pipelines")
 load("scripts/drone/events/pr.star", "pr_pipelines")
 load(
     "scripts/drone/events/release.star",
+    "integration_test_pipelines",
     "publish_artifacts_pipelines",
     "publish_npm_pipelines",
     "publish_packages_pipeline",
@@ -37,6 +38,7 @@ def main(_ctx):
         publish_npm_pipelines() +
         publish_packages_pipeline() +
         rgm() +
+        integration_test_pipelines() +
         cronjobs() +
         secrets()
     )

.github/CODEOWNERS

@@ -48,10 +48,7 @@
 
 /docs/sources/developers/plugins/                                                 @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 
-/docs/sources/dashboards/share-dashboards-panels/_index.md                        @imatwawana @jtvdez
-/docs/sources/dashboards/share-dashboards-panels/shared-dashboards/index.md       @jtvdez
 /docs/sources/panels-visualizations/query-transform-data/transform-data/index.md  @imatwawana @baldm0mma
-/docs/sources/panels-visualizations/query-transform-data/sql-expressions/index.md  @lwandz13 @irenerl24
 # END Technical documentation
 
 # Backend code
@@ -70,7 +67,6 @@
 /scripts/go-workspace @grafana/grafana-app-platform-squad
 /scripts/ci/backend-tests @grafana/grafana-operator-experience-squad
 /hack/ @grafana/grafana-app-platform-squad
-/.air.toml @macabu
 
 /pkg/apis/provisioning @grafana/grafana-git-ui-sync-team
 /public/app/features/provisioning @grafana/grafana-git-ui-sync-team
@@ -82,7 +78,6 @@
 /apps/playlist/ @grafana/grafana-app-platform-squad
 /apps/investigations/ @fcjack @matryer @svennergr
 /apps/advisor/ @grafana/plugins-platform-backend
-/apps/iam/ @grafana/access-squad
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
 /pkg/apis/query @grafana/grafana-datasources-core-services
@@ -138,7 +133,7 @@
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
 /pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
-/pkg/services/correlations/ @grafana/datapro
+/pkg/services/correlations/ @grafana/dataviz-squad
 /pkg/services/dashboardimport/ @grafana/grafana-backend-group
 /pkg/services/dashboards/ @grafana/grafana-app-platform-squad
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
@@ -171,7 +166,7 @@
 /pkg/services/tag/ @grafana/grafana-search-and-storage
 /pkg/services/team/ @grafana/access-squad
 /pkg/services/temp_user/ @grafana/grafana-backend-group
-/pkg/services/updatemanager/ @grafana/grafana-backend-group
+/pkg/services/updatechecker/ @grafana/grafana-backend-group
 /pkg/services/user/ @grafana/access-squad
 /pkg/services/validations/ @grafana/grafana-backend-group
 /pkg/setting/ @grafana/grafana-backend-services-squad
@@ -179,7 +174,7 @@
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
 /pkg/tests/apis/query @grafana/grafana-datasources-core-services
 /pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
-/pkg/tests/api/correlations/ @grafana/datapro
+/pkg/tests/api/correlations/ @grafana/dataviz-squad
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
 /pkg/util/ @grafana/grafana-backend-group
@@ -193,8 +188,8 @@
 /devenv/docker/blocks/auth/ @grafana/identity-access-team
 
 # Logs code, developers environment
-/devenv/docker/blocks/loki* @grafana/oss-big-tent
-/devenv/docker/blocks/elastic* @grafana/partner-datasources
+/devenv/docker/blocks/loki* @grafana/observability-logs
+/devenv/docker/blocks/elastic* @grafana/aws-datasources
 /devenv/docker/blocks/self-instrumentation* @grafana/oss-big-tent
 
 /devenv/bulk-dashboards/ @grafana/dashboards-squad
@@ -231,7 +226,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad
 
-/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/aws-datasources
 /devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
@@ -261,11 +256,11 @@
 /devenv/docker/blocks/etcd @grafana/grafana-app-platform-squad
 /devenv/docker/blocks/grafana/ @grafana/grafana-as-code
 /devenv/docker/blocks/graphite/ @grafana/partner-datasources
+/devenv/docker/blocks/graphite09/ @grafana/partner-datasources
 /devenv/docker/blocks/graphite1/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb1/ @grafana/partner-datasources
 /devenv/docker/blocks/jaeger/ @grafana/oss-big-tent
-/devenv/docker/blocks/jaegeronly/ @grafana/grafana-operator-experience-squad
 /devenv/docker/blocks/maildev/ @grafana/alerting-frontend
 /devenv/docker/blocks/mariadb/ @grafana/oss-big-tent
 /devenv/docker/blocks/memcached/ @grafana/grafana-backend-group
@@ -335,8 +330,8 @@
 
 # Observability backend code
 /pkg/tsdb/prometheus/ @grafana/oss-big-tent
-/pkg/tsdb/elasticsearch/ @grafana/partner-datasources
-/pkg/tsdb/loki/ @grafana/oss-big-tent
+/pkg/tsdb/elasticsearch/ @grafana/aws-datasources
+/pkg/tsdb/loki/ @grafana/observability-logs
 /pkg/tsdb/tempo/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/grafana-pyroscope-datasource/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/parca/ @grafana/oss-big-tent
@@ -373,8 +368,8 @@
 /public/app/features/gops/ @grafana/alerting-frontend
 
 # Library Services
-/pkg/services/libraryelements/ @grafana/sharing-squad
-/pkg/services/librarypanels/ @grafana/sharing-squad
+/pkg/services/libraryelements/ @grafana/dashboards-squad
+/pkg/services/librarypanels/ @grafana/dashboards-squad
 
 # Plugins
 /pkg/api/pluginproxy/ @grafana/plugins-platform-backend
@@ -406,7 +401,7 @@
 # Packages
 /packages/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
 /packages/grafana-data/src/**/*logs* @grafana/observability-logs
-/packages/grafana-data/src/transformations/ @grafana/datapro
+/packages/grafana-data/src/transformations/ @grafana/dataviz-squad
 /packages/grafana-e2e-selectors/ @grafana/grafana-frontend-platform
 /packages/grafana-flamegraph/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/ @grafana/observability-logs
@@ -443,8 +438,6 @@
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
 /packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
 /packages/grafana-alerting/ @grafana/alerting-frontend
-/packages/grafana-i18n/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
-/packages/grafana-test-utils @grafana/grafana-frontend-platform
 
 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
@@ -472,7 +465,6 @@
 /stylelint.config.js @grafana/frontend-ops
 /tools/ @grafana/frontend-ops
 /lefthook.yml @grafana/frontend-ops
-/lefthook.rc @grafana/frontend-ops
 /.husky/pre-commit @grafana/frontend-ops
 /cypress.config.js @grafana/grafana-frontend-platform
 /.levignore.js @grafana/plugins-platform-frontend
@@ -488,7 +480,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/core/components/TimelineChart/ @grafana/dataviz-squad
 /public/app/core/components/Form/ @grafana/grafana-frontend-platform
 /public/app/core/components/OptionsUI/ @grafana/dashboards-squad @grafana/dataviz-squad
-/public/app/dev-utils.ts @grafana/grafana-frontend-platform
+
 
 /public/app/core/history/ @grafana/observability-traces-and-profiling
 /public/app/features/admin/ @grafana/identity-access-team
@@ -499,29 +491,32 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/actions/ @grafana/dataviz-squad
 /public/app/features/auth-config/ @grafana/identity-squad
 /public/app/features/annotations/ @grafana/dashboards-squad
+/public/app/features/api-keys/ @grafana/identity-squad
 /public/app/features/canvas/ @grafana/dataviz-squad
 /public/app/features/geo/ @grafana/dataviz-squad
 /public/app/features/visualization/data-hover/ @grafana/dataviz-squad
-/public/app/features/commandPalette/ @grafana/grafana-search-navigate-organise
+/public/app/features/commandPalette/ @grafana/grafana-frontend-platform
 /public/app/features/connections/ @grafana/plugins-platform-frontend
-/public/app/features/correlations/ @grafana/datapro
+/public/app/features/correlations/ @grafana/dataviz-squad
 /public/app/features/dashboard/ @grafana/dashboards-squad
-/public/app/features/dashboard/components/TransformationsEditor/ @grafana/datapro
+/public/app/features/dashboard/components/TransformationsEditor/ @grafana/dataviz-squad
 /public/app/features/dashboard-scene/ @grafana/dashboards-squad
-/public/app/features/scopes/ @grafana/grafana-operator-experience-squad
+/public/app/features/scopes/ @grafana/dashboards-squad
 /public/app/features/datasources/ @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
 /public/app/features/explore/ @grafana/observability-traces-and-profiling
 /public/app/features/expressions/ @grafana/grafana-datasources-core-services
-/public/app/features/folders/ @grafana/grafana-search-navigate-organise
+/public/app/features/folders/ @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
+/public/app/features/invites/ @grafana/grafana-frontend-platform
+/public/app/features/library-panels/ @grafana/dashboards-squad
 /public/app/features/logs/ @grafana/observability-logs
 /public/app/features/live/ @grafana/dashboards-squad
 /public/app/features/apiserver/ @grafana/grafana-app-platform-squad
 /public/app/features/manage-dashboards/ @grafana/dashboards-squad
-/public/app/features/notifications/ @grafana/grafana-search-navigate-organise
-/public/app/features/org/ @grafana/grafana-search-navigate-organise
+/public/app/features/notifications/ @grafana/grafana-frontend-platform
+/public/app/features/org/ @grafana/grafana-frontend-platform
 /public/app/features/panel/ @grafana/dashboards-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
@@ -529,27 +524,27 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/runtime/ @ryantxu
 /public/app/features/query/ @grafana/dashboards-squad
 /public/app/features/sandbox/ @grafana/grafana-frontend-platform
-/public/app/features/browse-dashboards/ @grafana/grafana-search-navigate-organise
-/public/app/features/search/ @grafana/grafana-search-navigate-organise
+/public/app/features/browse-dashboards/ @grafana/grafana-frontend-platform
+/public/app/features/search/ @grafana/grafana-frontend-platform
 /public/app/features/serviceaccounts/ @grafana/identity-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
 /public/app/features/trails/ @grafana/observability-metrics
-/public/app/features/transformers/ @grafana/datapro
+/public/app/features/transformers/ @grafana/dataviz-squad
 /public/app/features/transformers/timeSeriesTable/ @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
 /public/app/features/preferences/ @grafana/grafana-frontend-platform
-/public/app/features/bookmarks/ @grafana/grafana-search-navigate-organise
+/public/app/features/bookmarks/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
-/public/app/plugins/panel/annolist/ @grafana/dashboards-squad
+/public/app/plugins/panel/annolist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
 /public/app/plugins/panel/bargauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/dashlist/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/dashlist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/debug/ @ryantxu
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/gettingstarted/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
@@ -568,12 +563,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/canvas/ @grafana/dataviz-squad
 /public/app/plugins/panel/candlestick/ @grafana/dataviz-squad
 /public/app/plugins/panel/live/ @grafana/dashboards-squad
-/public/app/plugins/panel/news/ @grafana/dataviz-squad
+/public/app/plugins/panel/news/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/stat/ @grafana/dataviz-squad
-/public/app/plugins/panel/text/ @grafana/dataviz-squad
-/public/app/plugins/panel/welcome/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
-/public/app/routes/ @grafana/grafana-search-navigate-organise
+/public/app/routes/ @grafana/grafana-frontend-platform
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
@@ -601,6 +596,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/explore/NodeGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/FlameGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/TraceView/ @grafana/observability-traces-and-profiling
+/public/app/features/explore/QueryLibrary/ @grafana/grafana-frontend-platform
 
 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
@@ -609,7 +605,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/dev.ts @grafana/frontend-ops
 /public/app/core/utils/metrics.ts @grafana/plugins-platform-frontend
 /public/app/index.ts @grafana/frontend-ops
-/public/app/initApp.ts @grafana/frontend-ops
 /public/app/AppWrapper.tsx @grafana/frontend-ops
 /public/app/partials/ @grafana/grafana-frontend-platform
 
@@ -619,7 +614,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/circle-* @grafana/grafana-developer-enablement-squad
 /scripts/publish-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
 /scripts/validate-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
-/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad @grafana/datapro
+/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad
 /scripts/cli/ @grafana/grafana-frontend-platform
 /scripts/clean-git-or-error.sh @grafana/grafana-as-code
 /scripts/grafana-server/ @grafana/grafana-frontend-platform
@@ -642,11 +637,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/levitate-parse-json-report.js @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
 /scripts/codemods/explicit-barrel-imports.cjs @grafana/frontend-ops
-/scripts/rtk-client-generator/ @grafana/grafana-search-navigate-organise
 
-/scripts/**/generate-transformations* @grafana/datapro
+/scripts/**/generate-transformations* @grafana/dataviz-squad
 /scripts/webpack/ @grafana/frontend-ops
 /scripts/generate-a11y-report.sh @grafana/grafana-frontend-platform
+.pa11yci.conf.js @grafana/grafana-frontend-platform
+.pa11yci-pr.conf.js @grafana/grafana-frontend-platform
 .betterer.results @grafanabot
 .betterer.ts @grafana/grafana-frontend-platform
 
@@ -656,14 +652,14 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Core datasources
 /public/app/plugins/datasource/dashboard/ @grafana/dashboards-squad
 /public/app/plugins/datasource/cloudwatch/ @grafana/aws-datasources
-/public/app/plugins/datasource/elasticsearch/ @grafana/partner-datasources
+/public/app/plugins/datasource/elasticsearch/ @grafana/aws-datasources
 /public/app/plugins/datasource/grafana/ @grafana/grafana-frontend-platform
 /public/app/plugins/datasource/grafana-testdata-datasource/ @grafana/plugins-platform-frontend
 /public/app/plugins/datasource/azuremonitor/ @grafana/partner-datasources
 /public/app/plugins/datasource/graphite/ @grafana/partner-datasources
 /public/app/plugins/datasource/influxdb/ @grafana/partner-datasources
 /public/app/plugins/datasource/jaeger/ @grafana/oss-big-tent
-/public/app/plugins/datasource/loki/ @grafana/oss-big-tent @grafana/observability-logs
+/public/app/plugins/datasource/loki/ @grafana/observability-logs
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
@@ -680,23 +676,13 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Grafana Sharing Squad
 /public/app/features/dashboard-scene/sharing/ @grafana/sharing-squad
 /public/app/features/dashboard/components/ShareModal/ @grafana/sharing-squad
+/public/app/features/manage-dashboards/components/PublicDashboardListTable/ @grafana/sharing-squad
+/public/app/features/dashboard/containers/PublicDashboardPage.tsx @grafana/sharing-squad
 /public/app/features/manage-dashboards/components/SnapshotListTable.tsx @grafana/sharing-squad
+/pkg/api/render.go @grafana/sharing-squad
 /pkg/services/dashboardsnapshots/ @grafana/sharing-squad
-/public/app/features/explore/QueryLibrary/ @grafana/sharing-squad
-/public/app/features/library-panels/ @grafana/sharing-squad
-/public/app/features/invites/ @grafana/sharing-squad
-
-# Grafana Enterprise: Public Dashboards & Image Renderer
-/pkg/api/render.go @grafana/grafana-operator-experience-squad
-/pkg/services/publicdashboards/ @grafana/grafana-operator-experience-squad
-/pkg/services/rendering/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/containers/PublicDashboardPage* @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/PublicDashboard/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/PublicDashboardNotAvailable/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/ShareModal/SharePublicDashboard/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard-scene/sharing/public-dashboards/ @grafana/grafana-operator-experience-squad
-/public/app/features/manage-dashboards/components/PublicDashboardListTable/ @grafana/grafana-operator-experience-squad
-/public/app/features/manage-dashboards/PublicDashboardListPage.tsx* @grafana/grafana-operator-experience-squad
+/pkg/services/publicdashboards/ @grafana/sharing-squad
+/pkg/services/rendering/ @grafana/sharing-squad
 
 # SSE - Server Side Expressions
 /pkg/expr/ @grafana/grafana-datasources-core-services
@@ -710,11 +696,11 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/anonymous/ @grafana/identity-access-team
 /pkg/services/auth/ @grafana/identity-squad
 /pkg/services/authn/ @grafana/identity-squad
-/pkg/services/scimutil/ @grafana/identity-squad
 /pkg/services/authz/ @grafana/access-squad
 /pkg/services/signingkeys/ @grafana/identity-squad
 /pkg/services/dashboards/accesscontrol.go @grafana/access-squad
 /pkg/services/datasources/guardian/ @grafana/access-squad
+/pkg/services/guardian/ @grafana/access-squad
 /pkg/services/ldap/ @grafana/identity-squad
 /pkg/services/login/ @grafana/identity-squad
 /pkg/services/loginattempt/ @grafana/identity-squad
@@ -747,11 +733,11 @@ embed.go @grafana/grafana-as-code
 /pkg/kinds/ @grafana/grafana-as-code
 /pkg/registry/ @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
+/pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
 /pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
 /pkg/registry/apps/advisor @grafana/plugins-platform-backend
-/pkg/registry/apps/alerting @grafana/alerting-backend
 /pkg/codegen/ @grafana/grafana-as-code
 /pkg/codegen/generators @grafana/grafana-as-code
 /pkg/kinds/*/*_gen.go @grafana/grafana-as-code
@@ -767,15 +753,13 @@ embed.go @grafana/grafana-as-code
 /.github/commands.json @torkelo
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
+/.github/metrics-collector.json @torkelo
 /.github/pr-checks.json @tolzhabayev
 /.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
 /.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
+/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
 /.github/actions/setup-grafana-bench/ @Proximyst
-/.github/actions/build-package @grafana/grafana-developer-enablement-squad
-/.github/actions/change-detection @grafana/grafana-developer-enablement-squad
-/.github/workflows/actionlint-format.txt @grafana/grafana-developer-enablement-squad
-/.github/workflows/actionlint.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
 /.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
@@ -783,14 +767,12 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
 /.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
-/.github/workflows/backport-trigger.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/backport-workflow.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/create-next-release-branch.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/create-security-branch.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
@@ -802,15 +784,14 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
 /.github/workflows/lint-build-docs.yml @grafana/docs-tooling
+/.github/workflows/metrics-collector.yml @torkelo
 /.github/workflows/pr-checks.yml @tolzhabayev
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
-/.github/workflows/pr-external-labelling.yml @Proximyst
 /.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/pr-patch-check.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
-/.github/workflows/reject-gh-secrets.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
 /.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
@@ -819,44 +800,34 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
-/.github/workflows/scripts/create-security-branch/create-security-branch.sh @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
 /.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
 /.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
-/.github/workflows/e2e-dashboard-new-layouts.yml  @grafana/dashboards-squad
 /.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
-/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-operator-experience-squad
+/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
 /.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
-/.github/workflows/i18n-verify.yml @grafana/grafana-frontend-platform
-/.github/workflows/deploy-storybook-preview.yml @grafana/grafana-frontend-platform
-/.github/workflows/scripts/crowdin/create-tasks.ts @grafana/grafana-frontend-platform
+/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
-/.github/workflows/trufflehog.yml @Proximyst
 /.github/workflows/changelog.yml @zserge
-/.github/workflows/shellcheck.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/release-build.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/publish-artifact.yml @grafana/grafana-developer-enablement-squad
 /.github/actions/changelog @zserge
-/.github/workflows/swagger-gen.yml @grafana/grafana-backend-group
 /.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
 /.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
 /.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
 /.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
 /.github/zizmor.yml @grafana/grafana-developer-enablement-squad
-/.github/license_finder.yaml @bergquist
-/.github/actionlint.yaml @grafana/grafana-developer-enablement-squad
 
 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot

.github/actionlint.yaml

@@ -1,8 +0,0 @@
-# These are just aliases to github-hosted runners
-self-hosted-runner:
-  labels:
-    - github-hosted-ubuntu-arm64
-    - github-hosted-ubuntu-arm64-large
-    - github-hosted-ubuntu-x64-small
-    - github-hosted-ubuntu-x64-large
-    - github-hosted-windows-x64-large

.github/actions/build-package/action.yml

@@ -1,153 +0,0 @@
-name: Build and Package Grafana Enterprise / Pro
-description: Creates Grafana artifacts using Dagger & `pkg/build/daggerbuild`
-inputs:
-  artifacts:
-    description: |
-      Comma-delimited list of artifacts to build and package.
-      Artifacts follow a specific format of `{package-type}:{grafana-edition}:{architecture}`.
-      Not every combination of `package-type`, `grafana-edition`, and `architecture` are supported.
-      Examples:
-        * `grafana:linux/amd64:targz`, `grafana:linux/amd64:deb`
-        * `enterprise:linux/arm64:rpm, enterprise:linux/amd64:docker`
-        * `pro:docker:llinux/amd64`
-    required: true
-    type: string
-  grafana-path:
-    description: Path to a clone of the 'grafana' repo
-    default: grafana
-    type: string
-  grafana-enterprise-path:
-    description: Path to a clone of the 'grafana-enterprise' repo
-    default: grafana-enterprise
-    type: string
-  github-token:
-    type: string
-    required: true
-  version:
-    type: string
-    description: The version to embed in the grafana binary, example `v1.2.3`. If not provided, then the value in Grafana's package.json will be used
-    required: true
-  build-id:
-    type: string
-    description: an identifier number which can be traced back to the workflow run.
-    default: ${{github.run_id}}
-    required: false
-  patches-repo:
-    type: string
-    description: Repository to load for patches repo. If empty, patches won't be applied. Must be an HTTPS git URL.
-    required: false
-    default: ""
-  patches-ref:
-    type: string
-    description: git ref in the patches repo to check out.
-    required: false
-    default: main
-  patches-path:
-    type: string
-    description: Path in the repository where `.patch` files can be found.
-    required: false
-    default: main
-  checksum:
-    type: boolean
-    description: If true, then checksums will be produced for each file (with a '.sha256' extension)
-    required: false
-    default: false
-  verify:
-    type: boolean
-    description: If true, then the e2e smoke tests will run to verify the produced artifacts (--verify)
-    required: false
-    default: false
-  output:
-    type: string
-    description: Filename to redirect stdout to. Contains list of packages that were produced
-    default: packages.txt
-    required: false
-  docker-tag-format:
-    type: string
-    default: "{{ .version }}-{{ .arch }}"
-    description: Go template of Docker image tag
-    required: false
-  docker-tag-format-ubuntu:
-    type: string
-    default: "{{ .version }}-ubuntu-{{ .arch }}"
-    description: Go template of Docker image tag
-    required: false
-  docker-org:
-    type: string
-    description: Docker org of produced images
-    default: grafana
-    required: false
-  docker-registry:
-    type: string
-    description: Docker registry of produced images
-    default: docker.io
-    required: false
-  ubuntu-base:
-    type: string
-    default: 'ubuntu:22.04'
-    required: false
-  alpine-base:
-    type: string
-    default: 'alpine:3.22'
-    required: false
-outputs:
-  dist-dir:
-    description: Directory where artifacts are placed
-    value: ${{ steps.output.outputs.dist_dir }}
-  file:
-    description: Path to file containing list of artifacts produced
-    value: ${{ steps.output.outputs.file }}
-  grafana-commit:
-    description: Commit hash of the HEAD of the grafana repository used to build grafana.
-    value: ${{ steps.output.outputs.grafana_commit }}
-  enterprise-commit:
-    description: Commit hash of the HEAD of the grafana-enterprise repository used to build grafana.
-    value: ${{ steps.output.outputs.enterprise_commit }}
-  version:
-    description: The `grafana` version that was embedded in the binary
-    value: ${{ steps.output.outputs.version }}
-runs:
-  using: "composite"
-  steps:
-    - shell: bash
-      run: | # zizmor: ignore[github-env]
-        echo "GRAFANA_PATH=${{ github.workspace }}/${GRAFANA_DIR}" >> "$GITHUB_ENV"
-        echo "ENTERPRISE_PATH=${{ github.workspace }}/${ENTERPRISE_DIR}" >> "$GITHUB_ENV"
-      env:
-        GB_PATH: ${{ inputs.path }}
-        GRAFANA_DIR: ${{ inputs.grafana-path }}
-        ENTERPRISE_DIR: ${{ inputs.enterprise-path }}
-    - name: Build Grafana Enterprise packages
-      uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-      env:
-        VERSION: ${{ inputs.version }}
-        ARTIFACTS: ${{ inputs.artifacts }}
-        GITHUB_TOKEN: ${{ inputs.github-token }}
-        PATCHES_REPO: ${{ inputs.patches-repo }}
-        PATCHES_REF: ${{ inputs.patches-ref }}
-        PATCHES_PATH: ${{ inputs.patches-path }}
-        BUILD_ID: ${{ inputs.build-id }}
-        OUTFILE: ${{ inputs.output }}
-        DOCKER_ORG: ${{ inputs.docker-org }}
-        DOCKER_REGISTRY: ${{ inputs.docker-registry }}
-        TAG_FORMAT: ${{ inputs.docker-tag-format }}
-        UBUNTU_TAG_FORMAT: ${{ inputs.docker-tag-format-ubuntu }}
-        CHECKSUM: ${{ inputs.checksum }}
-        VERIFY: ${{ inputs.verify }}
-        ALPINE_BASE: ${{ inputs.alpine-base }}
-        UBUNTU_BASE: ${{ inputs.ubuntu-base }}
-      with:
-        verb: run
-        dagger-flags: --verbose=0
-        version: 0.18.8
-        args: go run -C ${GRAFANA_PATH} ./pkg/build/cmd artifacts --artifacts ${ARTIFACTS} --grafana-dir=${GRAFANA_PATH} --alpine-base=${ALPINE_BASE} --ubuntu-base=${UBUNTU_BASE} --enterprise-dir=${ENTERPRISE_PATH} --version=${VERSION} --patches-repo=${PATCHES_REPO} --patches-ref=${PATCHES_REF} --patches-path=${PATCHES_PATH} --build-id=${BUILD_ID} --tag-format="${TAG_FORMAT}" --ubuntu-tag-format="${UBUNTU_TAG_FORMAT}" --org=${DOCKER_ORG} --registry=${DOCKER_REGISTRY} --checksum=${CHECKSUM} --verify=${VERIFY} > $OUTFILE
-    - id: output
-      shell: bash
-      env:
-        OUTFILE: ${{ inputs.output }}
-      run: |
-        echo "dist_dir=dist" | tee -a $GITHUB_OUTPUT
-        echo "file=${OUTFILE}" | tee -a $GITHUB_OUTPUT
-        echo "grafana_commit=$(git -C ${GRAFANA_PATH} rev-parse HEAD)" | tee -a $GITHUB_OUTPUT
-        echo "enterprise_commit=$(git -C ${ENTERPRISE_PATH} rev-parse HEAD)" | tee -a $GITHUB_OUTPUT
-        echo "version=$(cat ${GRAFANA_BUILD_PATH}/dist/VERSION)" | tee -a $GITHUB_OUTPUT

.github/actions/change-detection/action.yml

@@ -1,141 +0,0 @@
-name: Detect changed files
-description: Detects whether any matching files have changed in the current PR
-inputs:
-  self:
-    description: The path to the calling workflow (e.g. .github/workflows/backend-unit-tests.yml). It is regarded as any category.
-    required: true
-outputs:
-  self:
-    description: Whether the calling workflow has changed in any way
-    value: ${{ steps.changed-files.outputs.self_any_changed || 'true' }}
-  backend:
-    description: Whether the backend or self have changed in any way
-    value: ${{ steps.changed-files.outputs.backend_any_changed || 'true' }}
-  frontend:
-    description: Whether the frontend or self has changed in any way
-    value: ${{ steps.changed-files.outputs.frontend_any_changed || 'true' }}
-  e2e:
-    description: Whether the e2e tests or self have changed in any way
-    value: ${{ steps.changed-files.outputs.e2e_any_changed == 'true' ||
-      steps.changed-files.outputs.backend_any_changed == 'true' ||
-      steps.changed-files.outputs.frontend_any_changed == 'true' || 'true' }}
-  dev-tooling:
-    description: Whether the dev tooling or self have changed in any way
-    value: ${{ steps.changed-files.outputs.dev_tooling_any_changed || 'true' }}
-  docs:
-    description: Whether the docs or self have changed in any way
-    value: ${{ steps.changed-files.outputs.docs_any_changed || 'true' }}
-runs:
-  using: composite
-  steps:
-    # Assumption: We've done a checkout with the actions/checkout action.
-    # It must persist credentials to allow the changed-files action to get more history.
-    - name: Detect changes
-      id: changed-files
-      if: github.event_name == 'pull_request'
-      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46
-      with:
-        files_yaml: |
-          self:
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-          backend:
-            - '!*.md'
-            - '!docs/**'
-            - '!.github/**'
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - '**/go.mod'
-            - '**/go.sum'
-            - '**.go'
-            - 'pkg/**'
-            - '!pkg/**.md'
-            - 'apps/**'
-            - '!apps/**.md'
-            - 'build.sh'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - 'devenv/docker/blocks/*_tests/**'
-            - 'kindsv2/**'
-            - '${{ inputs.self }}'
-          frontend:
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - 'public/**'
-            - '**.js'
-            - '**.jsx'
-            - '**.ts'
-            - '**.tsx'
-            - '**.css'
-            - '**.mjs'
-            - 'yarn.lock'
-            - 'package.json'
-            - '!**.md'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - '.prettier*'
-            - '.betterer*'
-            - '.yarnrc.yml'
-            - 'eslint.config.js'
-            - 'jest.config.js'
-            - 'nx.json'
-            - 'tsconfig.json'
-            - '.yarn/**'
-            - '${{ inputs.self }}'
-          e2e:
-            - 'e2e/**'
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - 'emails/**'
-            - 'pkg/**'
-            - 'proto/**'
-            - '**/Makefile'
-            - 'scripts/**'
-            - '!scripts/drone/**'
-            - '!**.md'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - 'conf/**'
-            - 'cypress.config.js'
-            - '${{ inputs.self }}'
-          dev_tooling:
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - '**.sh'
-            - '.trivyignore'
-            - '.prettierrc.js'
-            - '**/Makefile'
-            - 'proto/**.yaml'
-            - 'pkg/build/**'
-            - 'pkg/wire/**'
-            - 'scripts/**'
-            - '!**.md'
-            - '.citools/**'
-            - '.bingo/**'
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-          docs:
-            - 'contribute/**'
-            - 'docs/**'
-            - '**.md'
-            - 'LICENSE'
-            - '.vale.ini'
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-    - name: Print all change groups
-      shell: bash
-      run: |
-        echo "Self: ${{ steps.changed-files.outputs.self_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.self_all_changed_files }}"
-        echo "Backend: ${{ steps.changed-files.outputs.backend_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.backend_all_changed_files }}"
-        echo "Frontend: ${{ steps.changed-files.outputs.frontend_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.frontend_all_changed_files }}"
-        echo "E2E: ${{ steps.changed-files.outputs.e2e_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.e2e_all_changed_files }}"
-        echo " --> ${{ steps.changed-files.outputs.backend_all_changed_files }}"
-        echo " --> ${{ steps.changed-files.outputs.frontend_all_changed_files }}"
-        echo "Dev Tooling: ${{ steps.changed-files.outputs.dev_tooling_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.dev_tooling_all_changed_files }}"
-        echo "Docs: ${{ steps.changed-files.outputs.docs_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.docs_all_changed_files }}"

.github/actions/changelog/index.js

@@ -1,7 +1,6 @@
-import {appendFileSync, writeFileSync} from 'fs';
-import {exec as execCallback} from 'node:child_process';
-import {promisify} from 'node:util';
-import {findPreviousVersion, semverParse} from "./semver.js";
+import { appendFileSync, writeFileSync } from 'fs';
+import { exec as execCallback } from 'node:child_process';
+import { promisify } from 'node:util';
 
 //
 // Github Action core utils: logging (notice + debug log levels), must escape
@@ -10,6 +9,35 @@ import {findPreviousVersion, semverParse} from "./semver.js";
 const escapeData = (s) => s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
 const LOG = (msg) => console.log(`::notice::${escapeData(msg)}`);
 
+//
+// Semver utils: parse, compare, sort etc (using official regexp)
+// https://regex101.com/r/Ly7O1x/3/
+//
+const semverRegExp =
+  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
+
+const semverParse = (tag) => {
+  const m = tag.match(semverRegExp);
+  if (!m) {
+    return;
+  }
+  const [_, major, minor, patch, prerelease] = m;
+  return [+major, +minor, +patch, prerelease, tag];
+};
+
+// semverCompare takes two parsed semver tags and comparest them more or less
+// according to the semver specs
+const semverCompare = (a, b) => {
+  for (let i = 0; i < 3; i++) {
+    if (a[i] !== b[i]) {
+      return a[i] < b[i] ? 1 : -1;
+    }
+  }
+  if (a[3] !== b[3]) {
+    return a[3] < b[3] ? 1 : -1;
+  }
+  return 0;
+};
 
 // Using `git tag -l` output find the tag (version) that goes semantically
 // right before the given version. This might not work correctly with some
@@ -17,32 +45,29 @@ const LOG = (msg) => console.log(`::notice::${escapeData(msg)}`);
 // into this action explicitly to avoid this step.
 const getPreviousVersion = async (version) => {
   const exec = promisify(execCallback);
-  const {stdout} = await exec('git for-each-ref --sort=-creatordate --format \'%(refname:short)\' refs/tags');
-
-  const parsedTags = stdout
+  const { stdout } = await exec('git tag -l');
+  const prev = stdout
     .split('\n')
     .map(semverParse)
-    .filter(Boolean);
-
-  const parsedVersion = semverParse(version);
-  const prev = findPreviousVersion(parsedTags, parsedVersion);
+    .filter((tag) => tag)
+    .sort(semverCompare)
+    .find((tag) => semverCompare(tag, semverParse(version)) > 0);
   if (!prev) {
     throw `Could not find previous git tag for ${version}`;
   }
-  return prev[5];
+  return prev[4];
 };
 
-
 // A helper for Github GraphQL API endpoint
 const graphql = async (ghtoken, query, variables) => {
-  const {env} = process;
+  const { env } = process;
   const results = await fetch('https://api.github.com/graphql', {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json',
       Authorization: `Bearer ${ghtoken}`,
     },
-    body: JSON.stringify({query, variables}),
+    body: JSON.stringify({ query, variables }),
   });
 
   const res = await results.json();
@@ -75,7 +100,7 @@ const getCommitishDate = async (name, owner, target) => {
         }
       }
     `,
-    {name, owner, target}
+    { name, owner, target }
   );
   return result.repository.object.committedDate;
 };
@@ -135,7 +160,7 @@ const getHistory = async (name, owner, from, to) => {
 
   let cursor;
   let nodes = [];
-  for (; ;) {
+  for (;;) {
     const result = await graphql(ghtoken, query, {
       name,
       owner,
@@ -145,7 +170,7 @@ const getHistory = async (name, owner, from, to) => {
     });
     LOG(`GraphQL: ${JSON.stringify(result)}`);
     nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
-    const {hasNextPage, endCursor} = result.repository.ref.compare.commits.pageInfo;
+    const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
     if (!hasNextPage) {
       break;
     }
@@ -161,7 +186,7 @@ const getHistory = async (name, owner, from, to) => {
 // PR grouping relies on Github labels only, not on the PR contents.
 const getChangeLogItems = async (name, owner, from, to) => {
   // check if a node contains a certain label
-  const hasLabel = ({labels}, label) => labels.nodes.some(({name}) => name === label);
+  const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
   // get all the PRs between the two "commitish" items
   const history = await getHistory(name, owner, from, to);
 
@@ -172,17 +197,17 @@ const getChangeLogItems = async (name, owner, from, to) => {
       return [];
     }
     const item = changes[0];
-    const {number, url, labels} = item;
+    const { number, url, labels } = item;
     const title = item.title.replace(/^\[[^\]]+\]:?\s*/, '');
     // for changelog PRs try to find a suitable category.
     // Note that we can not detect "deprecation notices" like that
     // as there is no suitable label yet.
-    const isBug = /fix/i.test(title) || hasLabel({labels}, 'type/bug');
-    const isBreaking = hasLabel({labels}, 'breaking change');
+    const isBug = /fix/i.test(title) || hasLabel({ labels }, 'type/bug');
+    const isBreaking = hasLabel({ labels }, 'breaking change');
     const isPlugin =
-      hasLabel({labels}, 'area/grafana/ui') ||
-      hasLabel({labels}, 'area/grafana/toolkit') ||
-      hasLabel({labels}, 'area/grafana/runtime');
+      hasLabel({ labels }, 'area/grafana/ui') ||
+      hasLabel({ labels }, 'area/grafana/toolkit') ||
+      hasLabel({ labels }, 'area/grafana/runtime');
     const author = item.commits.nodes[0].commit.author.user?.login;
     return {
       repo: name,
@@ -202,7 +227,7 @@ const getChangeLogItems = async (name, owner, from, to) => {
 // ======================================================
 
 LOG(`Changelog action started`);
-console.log(process.argv);
+
 const ghtoken = process.env.GITHUB_TOKEN || process.env.INPUT_GITHUB_TOKEN;
 if (!ghtoken) {
   throw 'GITHUB_TOKEN is not set and "github_token" input is empty';
@@ -261,15 +286,15 @@ const markdown = (changelog) => {
       : `### ${title}
 
 ${items
-        .map(
-          (item) =>
-            `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
-              item.repo === 'grafana-enterprise'
-                ? '(Enterprise)'
-                : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
-            }`
-        )
-        .join('\n')}
+  .map(
+    (item) =>
+      `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
+        item.repo === 'grafana-enterprise'
+          ? '(Enterprise)'
+          : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
+      }`
+  )
+  .join('\n')}
   `;
 
   // Render all present sections for the given changelog

.github/actions/changelog/semver.js

@@ -1,92 +0,0 @@
-//
-// Semver utils: parse, compare, sort etc (using official regexp)
-// https://regex101.com/r/Ly7O1x/3/
-//
-const semverRegExp =
-  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
-
-export function semverParse(tag) {
-  const m = tag.match(semverRegExp);
-  if (!m) {
-    return;
-  }
-  const [_, major, minor, patch, prerelease, build] = m;
-  return [+major, +minor, +patch, prerelease, build, tag];
-};
-
-// semverCompare takes two parsed semver tags and comparest them more or less
-// according to the semver specs
-export function semverCompare(a, b) {
-  for (let i = 0; i < 3; i++) {
-    if (a[i] !== b[i]) {
-      return a[i] < b[i] ? 1 : -1;
-    }
-  }
-  if (a[3] !== b[3]) {
-    return a[3] < b[3] ? 1 : -1;
-  }
-  return 0;
-};
-
-
-// Finds the highest version that is lower than the target version.
-//
-// This function relies on the following invariant: versions are sorted by the release date.
-// It will produce wrong result if invariant doesn't hold.
-export const findPreviousVersion = (versionByDate, target) => {
-  let prev = null;
-
-  for (let i = 0; i < versionByDate.length; i++) {
-    const version = versionByDate[i];
-
-    // version is greater than the target
-    if (semverCompare(target, version) > 0) {
-      continue;
-    }
-
-    // we came across the target version, all versions seen previously have greater release date.
-    if (semverCompare(target, version) === 0 && target[4] === version[4]) {
-      prev = null;
-      continue;
-    }
-
-    if (prev == null) {
-      prev = version;
-      continue;
-    }
-
-    if (semverCompare(prev, version) > 0) {
-      prev = version;
-    }
-  }
-
-  return prev;
-};
-
-
-const versionsByDate = [
-  "v10.4.19", "v12.0.1", "v11.6.2", "v11.5.5", "v11.4.5", "v11.3.7", "v11.2.10", "v12.0.0+security-01", "v11.2.9+security-01", "v11.3.6+security-01",
-  "v11.6.1+security-01", "v11.4.4+security-01", "v11.5.4+security-01", "v10.4.18+security-01", "v12.0.0", "v11.6.1",
-  "v11.5.4", "v11.4.4", "v11.3.6", "v11.2.9", "v10.4.18", "v11.6.0+security-01", "v11.5.3+security-01", "v11.4.3+security-01",
-  "v11.3.5+security-01", "v11.2.8+security-01", "v10.4.17+security-01", "v11.2.8", "v11.6.0", "v11.5.2", "v11.4.2",
-  "v11.3.4", "v11.2.7", "v11.1.12", "v11.0.11", "v10.4.16", "v11.5.1", "v11.5.0", "v11.3.3", "v11.1.11", "v11.2.6",
-  "v11.0.10", "v10.4.15", "v11.4.1", "v11.4.0", "v11.3.2", "v11.2.5", "v11.1.10", "v11.0.9", "v10.4.14", "v11.3.1",
-  "v11.2.4", "v11.1.9", "v11.0.8", "v10.4.13", "v11.0.2", "v10.4.6", "v10.3.8", "v10.2.9", "v11.1.0", "v11.0.1",
-  "v10.4.5", "v10.3.7", "v10.2.8", "v9.5.20", "v10.4.4", "v9.5.19", "v10.1.10", "v10.2.7", "v10.3.6", "v10.4.3",
-  "v11.0.0", "v10.4.2", "v11.0.0-preview", "v10.1.9", "v10.0.13", "v9.2.0", "v9.1.8",
-].map(semverParse);
-
-function test(version, expected) {
-  const v1 = semverParse(version);
-  const prev = findPreviousVersion(versionsByDate, v1);
-
-  const failureMessage = `FAIILED. Expected ${expected}, but was ${prev[5]}`;
-
-  console.log(`Test ${version}, ${prev[5] === expected ? 'PASSED' : failureMessage}`);
-}
-
-test("v11.5.4+security-01", "v11.5.4");
-test("v11.5.4", "v11.5.3+security-01");
-test("v12.0.0", "v11.6.1");
-test("v12.0.0+security-01", "v12.0.0");
-test("v11.0.0", "v11.0.0-preview");

.github/actions/setup-enterprise/action.yml

@@ -34,9 +34,9 @@ runs:
         GH_TOKEN: ${{ steps.generate_token.outputs.token }}
       run: |
         git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
-
+        
         cd ../grafana-enterprise
-
+        
         if git checkout ${GITHUB_HEAD_REF}; then
           echo "checked out ${GITHUB_HEAD_REF}"
         elif git checkout ${GITHUB_BASE_REF}; then
@@ -44,5 +44,5 @@ runs:
         else
           git checkout main
         fi
-
-        QUIET=1 ./build.sh
+        
+        ./build.sh

.github/actions/setup-node/action.yml

@@ -1,11 +0,0 @@
-name: Setup Node.js
-description: Sets up a node.js environment with presets for the Grafana repository.
-
-runs:
-  using: "composite"
-  steps:
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'

.github/actions/test-coverage-processor/action.yml

@@ -0,0 +1,50 @@
+name: 'Go Coverage Processor'
+description: 'Process Go test coverage files and generate reports'
+
+inputs:
+  test-type:
+    description: 'Type of test (e.g., be-unit, be-integration)'
+    required: true
+    type: string
+  coverage-file:
+    description: 'Path to the Go coverage file (.cov)'
+    required: true
+    type: string
+  codecov-token:
+    description: 'Token for CodeCov (required for CodeCov reporting)'
+    required: false
+    default: ''
+  codecov-flag:
+    description: 'Flag to categorize the upload to CodeCov'
+    required: false
+    default: ''
+  codecov-name:
+    description: 'Custom name for the upload to CodeCov'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Process Go coverage output
+      shell: bash
+      env:
+        COVERAGE_FILE: ${{ inputs.coverage-file }}
+      run: |
+        # Ensure valid coverage file even if empty
+        if [ ! -s "$COVERAGE_FILE" ]; then
+          echo "Coverage file is empty, creating a minimal valid file"
+          echo "mode: set" > "$COVERAGE_FILE"
+        fi
+
+    - name: Report coverage to CodeCov
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
+      if: inputs.codecov-token != ''
+      with:
+        files: ${{ inputs.coverage-file }}
+        flags: ${{ inputs.codecov-flag || inputs.test-type }}
+        name: ${{ inputs.codecov-name || inputs.test-type }}
+        slug: grafana/grafana
+        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
+        url: https://codecov-webhook.grafana-dev.net
+        token: ${{ inputs.codecov-token }}

.github/commands.json

@@ -128,7 +128,7 @@
     "name": "datasource/Loki",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/457"
+      "url": "https://github.com/orgs/grafana/projects/203"
     }
   },
   {
@@ -160,7 +160,7 @@
     "name": "datasource/Elasticsearch",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
+      "url": "https://github.com/orgs/grafana/projects/97"
     }
   },
   {
@@ -488,23 +488,7 @@
     "name": "area/transformations",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
-    }
-  },
-  {
-    "type": "label",
-    "name": "area/correlations",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
-    }
-  },
-  {
-    "type": "label",
-    "name": "area/expressions/sql",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
+      "url": "https://github.com/orgs/grafana/projects/56"
     }
   },
   {
@@ -664,7 +648,7 @@
     "name": "area/frontend/library-panels",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/482"
+      "url": "https://github.com/orgs/grafana/projects/202"
     }
   },
   {
@@ -896,7 +880,7 @@
     "name": "area/dashboard/library-panel",
     "action": "addToProject",
     "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/482"
+      "url": "https://github.com/orgs/grafana/projects/202"
     }
   },
   {
@@ -1210,13 +1194,5 @@
     "addToProject": {
       "url": "https://github.com/orgs/grafana/projects/699"
     }
-  },
-  {
-    "type": "label",
-    "name": "type/docs",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/69"
-    }
   }
 ]

.github/license_finder.yaml

@@ -1,128 +0,0 @@
----
-- - :permit
-  - MIT
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:11:50.696368005 Z
-- - :permit
-  - Apache 2.0
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
-- - :permit
-  - New BSD
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
-- - :permit
-  - Simplified BSD
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
-- - :permit
-  - Mozilla Public License 2.0
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
-- - :permit
-  - ISC
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 
-- - :license
-  - github.com/grafana/alerting
-  - GNU Affero GPL
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/advisor
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/alerting/notifications
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/dashboard
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/folder
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/investigations
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/apps/playlist
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/aggregator
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/apimachinery
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/apis/secret
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/apiserver
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/promlib
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
-- - :license
-  - github.com/grafana/grafana/pkg/semconv
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z

.github/metrics-collector.json

@@ -0,0 +1,32 @@
+{
+  "queries": [
+    {
+      "name": "type_bug",
+      "query": "label:\"type/bug\" is:issue is:open"
+    },
+    {
+      "name": "type_docs",
+      "query": "label:\"type/docs\" is:issue is:open"
+    },
+    {
+      "name": "needs_investigation",
+      "query": "label:\"needs investigation\" is:issue is:open"
+    },
+    {
+      "name": "needs_more_info",
+      "query": "label:\"needs more info\" is:issue is:open"
+    },
+    {
+      "name": "triage_needs_confirmation",
+      "query": "label:\"triage/needs-confirmation\" is:issue is:open"
+    },
+    {
+      "name": "unlabeled",
+      "query": "is:open is:issue no:label"
+    },
+    {
+      "name": "open_prs",
+      "query": "is:open is:pull-request"
+    }
+  ]
+}

.github/pr-commands.json

@@ -253,6 +253,38 @@
     "action": "updateLabel",
     "addLabel": "area/alerting"
   },
+  {
+    "type": "label",
+    "name": "area/alerting",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/52"
+    }
+  },
+  {
+    "type": "author",
+    "name": "pr/external",
+    "notMemberOf": {
+      "org": "grafana"
+    },
+    "ignoreList": [
+      "renovate[bot]",
+      "dependabot[bot]",
+      "grafana-delivery-bot[bot]",
+      "grafanabot",
+      "alerting-team[bot]"
+    ],
+    "action": "updateLabel",
+    "addLabel": "pr/external"
+  },
+  {
+    "type": "label",
+    "name": "type/docs",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/69"
+    }
+  },
   {
     "type": "changedfiles",
     "matches": [
@@ -413,71 +445,5 @@
     ],
     "action": "updateLabel",
     "addLabel": "area/panel/table"
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/azuremonitor/**/*",
-      "pkg/tsdb/azuremonitor/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/graphite/**/*",
-      "pkg/tsdb/graphite/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/influxdb/**/*",
-      "pkg/tsdb/influx/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/elasticsearch/**/*",
-      "pkg/tsdb/elasticsearch/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/cloud-monitoring/**/*",
-      "pkg/tsdb/cloud-monitoring/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/opentsdb/**/*",
-      "pkg/tsdb/opentsdb/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
   }
 ]

.github/renovate.json5

@@ -2,15 +2,6 @@
   extends: ["config:recommended"],
   enabledManagers: ["npm"],
   ignoreDeps: [
-    // ignoring these until we can upgrade to react 19
-    // see epic here: https://github.com/grafana/grafana/issues/98813
-    '@types/react',
-    '@types/react-dom',
-    'eslint-plugin-react-hooks',
-    'react',
-    'react-dom',
-    'react-refresh',
-
     "@types/history", // this can be removed entirely when we upgrade history since v5 exposes types directly
     "history", // we should bump this together with react-router-dom (see https://github.com/grafana/grafana/issues/76744)
     "react-router", // we should bump this together with history and react-router-dom

.github/workflows/actionlint-format.txt

@@ -1,66 +0,0 @@
-{
-    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-    "version": "2.1.0",
-    "runs": [
-        {
-            "tool": {
-                "driver": {
-                    "name": "GitHub Actions lint",
-                    "version": {{ getVersion | json }},
-                    "informationUri": "https://github.com/rhysd/actionlint",
-                    "rules": [
-                        {{$first := true}}
-                        {{range $ := allKinds }}
-                            {{if $first}}{{$first = false}}{{else}},{{end}}
-                            {
-                                "id": {{json $.Name}},
-                                "name": {{$.Name | toPascalCase | json}},
-                                "defaultConfiguration": {
-                                    "level": "error"
-                                },
-                                "properties": {
-                                    "description": {{json $.Description}},
-                                    "queryURI": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
-                                },
-                                "fullDescription": {
-                                    "text": {{json $.Description}}
-                                },
-                                "helpUri": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
-                            }
-                        {{end}}
-                    ]
-                }
-            },
-            "results": [
-                {{$first := true}}
-                {{range $ := .}}
-                    {{if $first}}{{$first = false}}{{else}},{{end}}
-                    {
-                        "ruleId": {{json $.Kind}},
-                        "message": {
-                            "text": {{json $.Message}}
-                        },
-                        "locations": [
-                            {
-                                "physicalLocation": {
-                                    "artifactLocation": {
-                                        "uri": {{json $.Filepath}},
-                                        "uriBaseId": "%SRCROOT%"
-                                    },
-                                    "region": {
-                                        "startLine": {{$.Line}},
-                                        "startColumn": {{$.Column}},
-                                        "endColumn": {{$.EndColumn}},
-                                        "snippet": {
-                                            "text": {{json $.Snippet}}
-                                        }
-                                    }
-                                }
-                            }
-                        ]
-                    }
-                {{end}}
-            ]
-        }
-    ]
-}

.github/workflows/actionlint.yml

@@ -1,60 +0,0 @@
-# This workflow depends on the ./actionlint-format.txt file. It is MIT licensed (thanks, rhysd!): https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
-name: Actionlint
-
-on:
-  push:
-    branches:
-      - main
-      - release-*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-jobs:
-  run-actionlint:
-    name: Lint GitHub Actions files
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # to check out the code
-      actions: read # to read the workflow files
-      security-events: write # for uploading the SARIF report
-
-    env:
-      ACTIONLINT_VERSION: 1.7.7
-      # curl -LXGET https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt | grep linux_amd64
-      CHECKSUM: 023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      # GitHub Actions only runs x86_64. This will break if that assumption changes.
-      - name: Download Actionlint
-        run: |
-          set -euo pipefail
-          curl -OLXGET https://github.com/rhysd/actionlint/releases/download/v"${ACTIONLINT_VERSION}"/actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          echo "${CHECKSUM}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
-          tar xzf actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          test -f actionlint
-          chmod +x actionlint
-
-      - name: Run Actionlint
-        run: ./actionlint -format "$(cat .github/workflows/actionlint-format.txt)" | tee results.sarif
-
-      - name: Upload to GitHub security events
-        if: success() || failure()
-        # If there are security problems, GitHub will automatically comment on the PR for us.
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
-        with:
-          sarif_file: results.sarif
-          category: actionlint

.github/workflows/alerting-update-module.yml

@@ -37,7 +37,7 @@ jobs:
         id: current-commit
         run: |
           FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
-          echo "from_commit=$FROM_COMMIT" >> "$GITHUB_OUTPUT"
+          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
 
       - name: Get current branch name
         id: current-branch-name
@@ -47,14 +47,14 @@ jobs:
         id: latest-commit
         env:
           GH_TOKEN: ${{ github.token }}
-          BRANCH: ${{ steps.current-branch-name.outputs.name }}
         run: |
-          TO_COMMIT="$(gh api repos/grafana/alerting/commits/"$BRANCH" --jq '.sha')"
+          BRANCH="${{ steps.current-branch-name.outputs.name }}"
+          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
            if [ -z "$TO_COMMIT" ]; then
             echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
             exit 1
           fi
-          echo "to_commit=$TO_COMMIT" >> "$GITHUB_OUTPUT"
+          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
 
       - name: Compare commit hashes
         run: |
@@ -74,31 +74,26 @@ jobs:
         id: check-commits
         env:
           GH_TOKEN: ${{ github.token }}
-          FROM_COMMIT: ${{ steps.current-commit.outputs.from_commit }}
-          TO_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
         run: |
-          # get all commits that contains 'Alerting:' in the message
-          ALERTING_COMMITS="$(gh api repos/grafana/alerting/compare/"$FROM_COMMIT"..."$TO_COMMIT" \
-            --jq '.commits[].commit.message | split("\n")[0]')" || true
-
+          # get all commits that contains 'Alerting:' in the message          
+          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
+            --jq '.commits[].commit.message | split("\n")[0]') || true
+          
           # Use printf instead of echo -e for better multiline handling
           printf "%s\n" "$ALERTING_COMMITS"
-
+          
           # make the list for markdown and replace PR numbers with links
-          ALERTING_COMMITS_FORMATTED="$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)"
-
-          {
-            echo "alerting_commits<<EOF"
-            echo "$ALERTING_COMMITS_FORMATTED"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
+          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
+          
+          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
+          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Update alerting module
         env:
           GOSUMDB: off
-          PINNED_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
         run: |
-          go get github.com/grafana/alerting@"$PINNED_COMMIT"
+          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
           make update-workspace
 
       - id: get-secrets
@@ -129,7 +124,7 @@ jobs:
             Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
             <details>
             <summary>Commits</summary>
-
+            
             ${{ steps.check-commits.outputs.alerting_commits }}
 
             </details>
@@ -137,10 +132,6 @@ jobs:
             Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
       - name: Add PR URL to Summary
         if: steps.create-pr.outputs.pull-request-url != ''
-        env:
-          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
         run: |
-          {
-            echo "## Pull Request Created"
-            echo "🔗 [View Pull Request]($PR_URL)"
-          } >> "$GITHUB_STEP_SUMMARY"
+          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
+          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY

.github/workflows/analytics-events-report.yml

@@ -3,13 +3,9 @@ name: Analytics Events Report
 on:
   workflow_dispatch:
 
-permissions: {}
-
 jobs:
   generate-report:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/backend-unit-tests.yml

@@ -2,10 +2,16 @@ name: Backend Unit Tests
 
 on:
   pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
   push:
     branches:
       - main
       - release-*.*.*
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,29 +20,10 @@ concurrency:
 permissions: {}
 
 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.backend }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/backend-unit-tests.yml
-
   grafana:
-    # Run this workflow only for PRs from forks
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
     # the `pr-backend-unit-tests-enterprise` workflow will run instead
-    needs: detect-changes
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
     strategy:
       matrix:
         shard: [
@@ -60,18 +47,18 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
+      - name: Generate Go code
+        run: make gen-go
       - name: Run unit tests
         env:
           SHARD: ${{ matrix.shard }}
         run: |
-          set -euo pipefail
           readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
           go test -short -timeout=30m "${PACKAGES[@]}"
 
   grafana-enterprise:
     # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    needs: detect-changes
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     strategy:
       matrix:
         shard: [
@@ -86,7 +73,6 @@ jobs:
       contents: read
       id-token: write
     steps:
-      # Set up repository clone
       - name: Checkout code
         uses: actions/checkout@v4
         with:
@@ -99,48 +85,11 @@ jobs:
         uses: ./.github/actions/setup-enterprise
         with:
           github-app-name: 'grafana-ci-bot'
-
-      # Prepare what we need to upload test results
-      - run: echo "RESULTS_FILE=$(date --rfc-3339=seconds --utc | sed -s 's/ /-/g')_${SHARD/\//_}.xml" >> "$GITHUB_ENV"
-        env:
-          SHARD: ${{ matrix.shard }}
-      - run: go install github.com/jstemmer/go-junit-report/v2@85bf4716ac1f025f2925510a9f5e9f5bb347c009
-
-      # Run code
+      - name: Generate Go code
+        run: make gen-go
       - name: Run unit tests
         env:
           SHARD: ${{ matrix.shard }}
         run: |
-          set -euo pipefail
-
           readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
-          # This tee requires pipefail to be set, otherwise `go test`'s exit code is thrown away.
-          # That means having no `-o pipefail` => failing tests => exit code 0, which is wrong.
           go test -short -timeout=30m "${PACKAGES[@]}"
-
-  # This is the job that is actually required by rulesets.
-  # We need to require EITHER the OSS or the Enterprise job to pass.
-  # However, if one is skipped, GitHub won't flat-map the shards,
-  #   so they won't be accepted by a ruleset.
-  required-backend-unit-tests:
-    needs:
-      - grafana
-      - grafana-enterprise
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All backend unit tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"

.github/workflows/backport-trigger.yml

@@ -1,47 +0,0 @@
-# We need secrets to backport, but they're not available for actions ran by forks.
-# So this workflow is used as a 'trigger', which the backport-workflow.yml will with
-# via workflow_run
-
-name: Backport (trigger)
-on:
-  pull_request:
-    types:
-      - closed
-      - labeled
-
-permissions: {}
-
-jobs:
-  trigger:
-    # Only run this job if the PR has been merged and has a label containing "backport v"
-    if: |
-      github.repository == 'grafana/grafana' &&
-      github.event.pull_request.merged == true &&
-      contains(join(github.event.pull_request.labels.*.name, ','), 'backport v')
-    runs-on: ubuntu-latest
-    steps:
-      # TODO: save this as job summary instead?
-      - name: Trigger
-        run: |
-          echo "Triggering workflow"
-          echo "See https://github.com/${{ github.repository }}/actions/workflows/workflow_run.yml for progress"
-
-      # Create a JSON artifact with details of this PR to pass to the backport workflow.
-      # The { action: 'labelled', label: 'backport-1.23.x' } can only be determined from this event payload,
-      # and is needed to do a backport after a PR has been merged
-      #
-      # Important that we don't run *anything* from the PR which could modify the backport_data.json file
-      - name: Create action data
-        run: |
-          jq '{
-            action: .action,
-            label: .label.name,
-            pr_number: .number,
-          }' "$GITHUB_EVENT_PATH" > /tmp/pr_info.json
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: pr_info
-          path: /tmp/pr_info.json
-          retention-days: 1

.github/workflows/backport-workflow.yml

@@ -1,88 +0,0 @@
-# Runs the actual backport, after being triggered by the backport-trigger.yml workflow.
-
-name: Backport (workflow)
-run-name: "Backport for ${{ github.event.workflow_run.head_branch }} #${{ github.event.workflow_run.run_number }}"
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] backport-trigger.yml does not run any user code
-    workflows: ["Backport (trigger)"]
-    types:
-      - completed
-
-permissions: {}
-
-jobs:
-  backport:
-    # Only run this job if the triggering workflow was not skipped (and on grafana repo)
-    if: github.repository == 'grafana/grafana' && github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      actions: read
-    steps:
-      - name: Get vault secrets
-        id: secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          export_env: false
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ fromJSON(steps.secrets.outputs.secrets).APP_PEM }}
-
-      - name: Download PR info artifact
-        uses: actions/download-artifact@v4
-        id: download-pr-info
-        with:
-          github-token: ${{ github.token }}
-          run-id: ${{ github.event.workflow_run.id }}
-          name: pr_info
-
-      - name: Get PR info
-        id: pr-info
-        env:
-          PR_INFO_FILE: ${{ steps.download-pr-info.outputs.download-path }}/pr_info.json
-        # jq-magic to convert the JSON object into a list of key=value pairs for $GITHUB_OUTPUT
-        run:
-          jq -r 'to_entries[] | select(.value | type != "object") | "\(.key)=\(.value)"' "$PR_INFO_FILE" >> "$GITHUB_OUTPUT"
-
-      - name: Print PR info
-        env:
-          PR_ACTION: ${{ steps.pr-info.outputs.action }}
-          PR_LABEL: ${{ steps.pr-info.outputs.label }}
-          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
-        run: |
-          echo "PR action: $PR_ACTION"
-          echo "PR label: $PR_LABEL"
-          echo "PR number: $PR_NUMBER"
-
-      - name: Checkout Grafana
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-          fetch-depth: 2
-          fetch-tags: false
-          token: ${{ steps.generate_token.outputs.token }}
-          persist-credentials: true
-
-      - name: Configure git user
-        run: |
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
-          git config --local --add --bool push.autoSetupRemote true
-
-      - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@dev
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          # If triggered by being labelled, only backport that label.
-          # Otherwise, the action will backport all labels.
-          pr_label: ${{ steps.pr-info.outputs.action == 'labeled' && steps.pr-info.outputs.label || '' }}
-          pr_number: ${{ steps.pr-info.outputs.pr_number }}
-          repo_owner: ${{ github.repository_owner }}
-          repo_name: ${{ github.event.repository.name }}

.github/workflows/backport.yml

@@ -0,0 +1,32 @@
+name: Backport PR Creator
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  main:
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4 # 4.2.2
+        with:
+          persist-credentials: false
+      - run: git config --local user.name "github-actions[bot]"
+      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
+      - run: git config --local --add --bool push.autoSetupRemote true
+      - name: Set remote URL
+        env:
+          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
+      - name: Run backport
+        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/bump-version.yml

@@ -13,29 +13,17 @@ on:
         required: false
 
 permissions:
-  id-token: write
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
   bump-version:
     runs-on: ubuntu-latest
     steps:
-      - uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana"]'
-          permissions: '{"contents": "write", "pull_requests": "write", "workflows": "write"}'
       - name: Checkout Grafana
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
         with:
-          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
       - name: Update package.json versions
         uses: ./pkg/build/actions/bump-version
         with:
@@ -47,13 +35,13 @@ jobs:
           DRY_RUN: ${{ inputs.dry_run }}
           REF_NAME: ${{ github.ref_name }}
           RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          git config --local user.name "grafana-delivery-bot[bot]"
-          git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
           git checkout -b "bump-version/${RUN_ID}/${VERSION}"
           git add .
           git commit -m "bump version ${VERSION}"
           git push
-          gh pr create --dry-run="$DRY_RUN" -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
+          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"

.github/workflows/changelog.yml

@@ -22,10 +22,11 @@ on:
         required: false
         default: false
         type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
 
   workflow_dispatch:
     inputs:
@@ -49,10 +50,6 @@ on:
         required: false
         default: false
         type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"
 
 permissions: {}
 
@@ -70,32 +67,25 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: "Checkout Grafana repo"
         uses: "actions/checkout@v4"
         with:
           ref: main
           sparse-checkout: |
             .github/workflows
-            .github/actions
             CHANGELOG.md
             .nvmrc
             .prettierignore
             .prettierrc.js
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -106,20 +96,7 @@ jobs:
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
       - name: "Create branch"
-        run: |
-          if [[ "$WORK_BRANCH" == '' ]]; then
-            git switch -c "changelog/${RUN_ID}/${VERSION}"
-            exit 0
-          fi
-
-          # Checkout the changelog branch if exists, otherwise create a new one
-          if git show-ref --verify --quiet "refs/remotes/origin/$WORK_BRANCH"; then
-            git switch --track "origin/$WORK_BRANCH"
-          else
-            git switch -c "$WORK_BRANCH"
-          fi
-        env:
-          WORK_BRANCH: ${{ inputs.work_branch }}
+        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
       - name: "Generate changelog"
         id: changelog
         uses: ./.github/actions/changelog
@@ -163,29 +140,16 @@ jobs:
       - name: "Commit changelog changes"
         run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
       - name: "git push"
-        if: inputs.dry_run != true
+        if: ${{ inputs.dry_run }} != true
         run: git push
       - name: "Create changelog PR"
-        run: |
-          if gh pr view &>/dev/null; then
-            echo "Changelog pr has already been created"
-          else
-
-            gh pr create \
-              --dry-run="${DRY_RUN}" \
-              --label "no-backport" \
-              --label "no-changelog" \
-              -B "${TARGET}" \
-              --title "Release: update changelog for ${TARGET}" \
-              --body "Changelog changes for release versions:"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: "Add release version to PR description"
-        if: inputs.dry_run != true
-        run: |
-          gh pr view --json body --jq .body > pr_body.md
-          echo " -  ${VERSION}" >> pr_body.md
-          gh pr edit --body-file pr_body.md
+        run: >
+          gh pr create \
+            --dry-run=${DRY_RUN} \
+            --label "no-backport" \
+            --label "no-changelog" \
+            -B "${TARGET}" \
+            --title "Release: update changelog for ${VERSION}" \
+            --body "Changelog changes for release ${VERSION}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeowners-validator.yml

@@ -4,13 +4,9 @@ on:
   pull_request:
     branches: [ main ]
 
-permissions: {}
-
 jobs:
   codeowners-validator:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       # Checks-out your repository, which is validated in the next step
       - uses: actions/checkout@v4
@@ -27,7 +23,7 @@ jobs:
 
           # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
           experimental_checks: "notowned,avoid-shadowing"
-
+          
           # The repository path in which CODEOWNERS file should be validated."
           repository_path: "."
 
@@ -41,4 +37,4 @@ jobs:
           owner_checker_allow_unowned_patterns: "false"
 
           # Specifies whether only teams are allowed as owners of files.
-          owner_checker_owners_must_be_teams: "false"
+          owner_checker_owners_must_be_teams: "false"          

.github/workflows/codeql-analysis.yml

@@ -33,9 +33,8 @@ jobs:
       fail-fast: false
       matrix:
         # Override automatic language detection by changing the below list
-        # Supported options are listed here
-        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
-        language: ['actions', 'javascript', 'go']
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript', 'go', 'python']
         # Learn more...
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 

.github/workflows/commands.yml

@@ -24,7 +24,7 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ "${{ github.repository }}" == "grafana/grafana" ]; then
+          if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
@@ -42,15 +42,15 @@ jobs:
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
 
-      - name: Generate token
+      - name: "Generate token"
         id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
 
       - name: Checkout Actions
         uses: actions/checkout@v4 # v4.2.2
@@ -65,6 +65,6 @@ jobs:
       - name: Run Commands
         uses: ./actions/commands
         with:
-          metricsWriteAPIKey: ""
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
           token: ${{ steps.generate_token.outputs.token }}
           configPath: commands

.github/workflows/community-release.yml

@@ -11,6 +11,11 @@ on:
         required: false
         default: false
         description: When enabled, this workflow will print a preview instead of creating an actual post.
+    secrets:
+      GRAFANA_MISC_STATS_API_KEY:
+        required: true
+      GRAFANABOT_FORUM_KEY:
+        required: true
   workflow_dispatch:
     inputs:
       version:
@@ -25,25 +30,17 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/community_release path in Vault
-          repo_secrets: |
-            GRAFANABOT_FORUM_KEY=community_release:GRAFANABOT_FORUM_KEY
-
       - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main
+        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}
-          community_api_key: ${{ env.GRAFANABOT_FORUM_KEY }}
+          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
           community_api_username: grafanabot
           dry_run: ${{ inputs.dry_run }}

.github/workflows/core-plugins-build-and-release.yml

@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
       - name: Verify inputs
         run: |
-          if [ -z "$PLUGIN_ID" ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
       - id: get-secrets
         uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
@@ -72,13 +72,13 @@ jobs:
         shell: bash
         id: get_dir
         run: |
-          dir="$(dirname \
-            "$(grep -Elir --include=plugin.json --exclude-dir=dist \
-              '"id": "'"${PLUGIN_ID}"'"' \
+          dir=$(dirname \
+            $(egrep -lir --include=plugin.json --exclude-dir=dist \
+              '"id": "${PLUGIN_ID}"' \
               public/app/plugins \
-            )" \
-          )"
-          echo "dir=${dir}" >> "$GITHUB_OUTPUT"
+            ) \
+          )
+          echo "dir=${dir}" >> $GITHUB_OUTPUT
       - name: Install frontend dependencies
         shell: bash
         working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -88,17 +88,17 @@ jobs:
         shell: sh
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
-          mkdir -pv ./bin
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v"$GRABPL_VERSION"/grabpl
+          [ ! -d ./bin ] && mkdir -pv ./bin || true
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
           chmod 0755 ./bin/grabpl
       - name: Check backend
         id: check_backend
         shell: bash
         run: |
-          if grep -Eqr --include=main.go 'datasource.Manage\('"$PLUGIN_ID" pkg/tsdb; then
-            echo "has_backend=true" >> "$GITHUB_OUTPUT"
+          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
+            echo "has_backend=true" >> $GITHUB_OUTPUT
           else
-            echo "has_backend=false" >> "$GITHUB_OUTPUT"
+            echo "has_backend=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup golang environment
         uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
@@ -149,8 +149,6 @@ jobs:
       - name: build:frontend
         shell: bash
         id: build_frontend
-        env:
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
         run: |
           command="plugin:build:commit"
           if [ "$GITHUB_REF" != "refs/heads/main" ]; then
@@ -158,15 +156,15 @@ jobs:
             command="plugin:build"
           fi
           yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
-          version="$(jq -r .info.version "$OUTPUT_DIR"/dist/plugin.json)"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
+          version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
+          echo "version=${version}" >> $GITHUB_OUTPUT
       - name: build:backend
         if: steps.check_backend.outputs.has_backend == 'true'
         shell: bash
         env:
           VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
-          make build-plugin-go PLUGIN_ID="$PLUGIN_ID"
+          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
       - name: package
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
@@ -179,17 +177,16 @@ jobs:
         env:
           GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
           VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCOM_API: ${{ env.GCOM_API }}
         run: |
-          api_res="$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            "$GCOM_API/api/plugins/$PLUGIN_ID?version=$VERSION" \
-            -H 'accept: application/json')"
-          api_res_code="$(echo "$api_res" | jq -r .code)"
+          api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
+            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
+            -H 'accept: application/json')
+          api_res_code=$(echo $api_res | jq -r .code)
           if [ "$api_res_code" = "NotFound" ]; then
             echo "No existing release found"
           else
             echo "Expecting a missing release, got:"
-            echo "$api_res"
+            echo $api_res
             exit 1
           fi
       - name: store build artifacts
@@ -200,46 +197,55 @@ jobs:
       - name: Publish release to Google Cloud Storage
         working-directory: ${{ steps.get_dir.outputs.dir }}
         env:
-          VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+          VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
           echo "Publish release to Google Cloud Storage:"
-          set -x
           touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/windows"
-          gsutil -m cp -r ci/packages/*linux* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/linux"
-          gsutil -m cp -r ci/packages/*darwin* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/darwin"
-          gsutil -m cp -r ci/packages/*any* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any"
+          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
+          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
+          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
+          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
       - name: Publish new plugin version on grafana.com
         if: steps.check_backend.outputs.has_backend == 'true'
         working-directory: ${{ steps.get_dir.outputs.dir }}
         env:
           GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
           VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCOM_API: ${{ env.GCOM_API }}
         run: |
           echo "Publish new plugin version on grafana.com:"
           echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          jq -n '{"url": env.OUTPUT_URL}' > body.json
-          osarchs=(linux_amd64 linux_arm64 linux_arm windows_amd64 darwin_amd64 darwin_arm64)
-          for osarch in "${osarchs[@]}"; do
-            echo "Processing $osarch"
-            KEY="${osarch//_/-}" \
-            OSARCH="$osarch" \
-            jq -s '. as $i | .[0] | .download[env.KEY] = {
-              "url": "https://storage.googleapis.com/\(env.GCP_BUCKET)/\(env.PLUGIN_ID)/release/\(env.VERSION)/linux/\(env.PLUGIN_ID)-\(env.VERSION).\(env.OSARCH).zip",
-              "md5": $i[1].plugin.md5
-            }' body.json ci/packages/info-"$osarch".json > tmp.json && mv tmp.json body.json
-          done
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
+            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
+            \"download\": {
+              \"linux-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"linux-arm64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
+              },
+              \"linux-arm\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
+              },
+              \"windows-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"darwin-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"darwin-arm64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
+                \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
+              }
+            }
+          }"`
+          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
             echo "Failed to publish plugin version. Got:"
-            echo "$result"
+            echo $result
             exit 1
           fi
       - name: Publish new plugin version on grafana.com (frontend only)
@@ -248,29 +254,20 @@ jobs:
         env:
           GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
           VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCOM_API: ${{ env.GCOM_API }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
         run: |
           echo "Publish new plugin version on grafana.com:"
           echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          DOWNLOAD_URL="https://storage.googleapis.com/$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip" \
-          MD5_CHECKSUM="$(jq -r '.plugin.md5' ci/packages/info-any.json)" \
-          jq -rn '{
-            "url": env.OUTPUT_URL,
-            "download": {
-              "any": {
-                "url": env.DOWNLOAD_URL,
-                "md5": env.MD5_CHECKSUM
+          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
+            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
+            \"download\": {
+              \"any\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
+                \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
               }
             }
-          }' > body.json
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+          }"`
+          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
             echo "Failed to publish plugin version. Got:"
-            echo "$result"
+            echo $result
             exit 1
           fi

.github/workflows/create-next-release-branch.yml

@@ -10,6 +10,11 @@ on:
         description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
         type: string
         required: true
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
     outputs:
       branch:
         description: The new branch that was created
@@ -22,32 +27,23 @@ on:
         description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
         type: string
         required: true
-
-permissions:
-  contents: read
-  id-token: write
-
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
 jobs:
   main:
     runs-on: ubuntu-latest
     outputs:
       branch: ${{ steps.branch.outputs.branch }}
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: "[\"grafana\", \"grafana-enterprise\"]"
-          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Create release branch
         id: branch
         uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]

.github/workflows/create-security-branch.yml

@@ -1,79 +0,0 @@
-name: Create security branch
-on:
-  workflow_call:
-    inputs:
-      release_branch:
-        type: string
-        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
-        required: true
-      security_branch_number:
-        type: string
-        description: 'The security branch number (e.g., 01)'
-        required: false
-        default: '01'
-      repository:
-        type: string
-        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
-        required: true
-    outputs:
-      branch:
-        description: The new security branch that was created
-        value: ${{ jobs.main.outputs.branch }}
-  workflow_dispatch:
-    inputs:
-      release_branch:
-        type: string
-        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.3+security-01` being created)
-        required: true
-      security_branch_number:
-        type: string
-        description: 'The security branch number (e.g., 01)'
-        required: false
-        default: '01'
-      repository:
-        type: string
-        description: 'The repository to create the security branch in (e.g., grafana/grafana-security-mirror)'
-        required: true
-
-permissions:
-  contents: write
-  id-token: write
-
-jobs:
-  main:
-    runs-on: ubuntu-latest
-    outputs:
-      branch: ${{ steps.branch.outputs.branch }}
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          repository: ${{ inputs.repository }}
-          ref: ${{ inputs.release_branch }}
-
-      - name: Create security branch
-        id: branch
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          INPUT_RELEASE_BRANCH: ${{ inputs.release_branch }}
-          INPUT_SECURITY_BRANCH_NUMBER: ${{ inputs.security_branch_number }}
-          INPUT_REPOSITORY: ${{ inputs.repository }}
-        run: |
-          chmod +x .github/workflows/scripts/create-security-branch/create-security-branch.sh
-          .github/workflows/scripts/create-security-branch/create-security-branch.sh

.github/workflows/create-security-patch-from-security-mirror.yml

@@ -25,5 +25,4 @@ jobs:
       patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
       patch_repo: "grafana/grafana-security-patches"
       patch_prefix: "${{ github.event.pull_request.number }}"
-      sender: "${{ github.event.pull_request.user.login }}"
     secrets: inherit # zizmor: ignore[secrets-inherit]

.github/workflows/dashboards-issue-add-label.yml

@@ -11,7 +11,7 @@ env:
   ORGANIZATION: ${{ github.repository_owner }}
   REPO: ${{ github.event.repository.name }}
   TARGET_PROJECT: 202
-  LABEL_IDS: "LA_kwDOAOaWjc8AAAABT38U-A"
+  LABEL_IDs: "LA_kwDOAOaWjc8AAAABT38U-A"
 
 concurrency:
   group: issue-label-when-in-project-${{ github.event.number }}
@@ -26,26 +26,25 @@ jobs:
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
 
-      - name: Generate token
+      - name: "Generate token"
         id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
       - name: Check if issue is in target project
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
           TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
         run: |
-          # shellcheck disable=SC2016 # we don't want the $s to be expanded
           gh api graphql -f query='
-            query($org: String!, $repo: String!, $issueNumber: Int!) {
+            query($org: String!, $repo: String!) {
               repository(name: $repo, owner: $org) {
-                issue (number: $issueNumber) {
+                issue (number: $ISSUE_NUMBER) {
                   id
                   projectItems(first:20) {
                     nodes {
@@ -56,18 +55,15 @@ jobs:
                   }
                 }
               }
-            }' -f org="$ORGANIZATION" -f repo="$REPO" -F issueNumber="$ISSUE_NUMBER" > projects_data.json
+            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
 
-            {
-              echo "IN_TARGET_PROJ=$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json)"
-              echo "ITEM_ID=$(jq '.data.repository.issue.id' projects_data.json)"
-            } >> "$GITHUB_ENV"
+            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
       - name: Set up label array
         if: env.IN_TARGET_PROJ
         env:
           LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
-          # shellcheck disable=SC2153 # we define the variable on the line above in 'read'
           IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
           for item in "${LABEL_IDs[@]}"; do
             echo "Item: $item"
@@ -78,7 +74,6 @@ jobs:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
           LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
-          # shellcheck disable=SC2016 # we don't want the $s to be expanded
           gh api graphql -f query='
             mutation ($labelableId: ID!, $labelIds: [ID!]!) {
               addLabelsToLabelable(
@@ -86,4 +81,4 @@ jobs:
               ) {
                   clientMutationId
               }
-            }' -f labelableId="$ITEM_ID" -f labelIds="$LABEL_IDS"
+            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS

.github/workflows/deploy-pr-preview.yml

@@ -9,8 +9,6 @@ on:
     paths:
       - "docs/sources/**"
 
-permissions: {}
-
 jobs:
   deploy-pr-preview:
     permissions:

.github/workflows/deploy-storybook-preview.yml

@@ -1,93 +0,0 @@
-name: Deploy Storybook preview
-
-on:
-  pull_request:
-    paths:
-      - 'packages/grafana-ui/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  deploy-storybook-preview:
-    name: Deploy Storybook preview
-    runs-on: ubuntu-latest
-    # Don't run from forks for the moment. If we find this useful we can do the workflow_run dance
-    # to make it work for forks.
-    if: github.event.pull_request.head.repo.fork == false
-    permissions:
-      contents: read
-      id-token: write
-
-    env:
-      BUCKET_NAME: grafana-storybook-previews
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-
-      - name: Cache node_modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            node_modules
-          key: node_modules-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            node_modules-
-
-      - name: Install dependencies
-        env:
-          # If the PR isn't from a fork then don't use the slower yarn checks
-          YARN_ENABLE_HARDENED_MODE: ${{ github.event.pull_request.head.repo.fork == false && '1' || '0' }}
-        run: yarn install --immutable
-
-      - name: Build storybook
-        run: yarn storybook:build
-
-      # Create the GCS folder name for the preview. Creates a consistent name for all deploys for the PR.
-      # Matches format of `pr_<PR_NUMBER>_<SANITIZED_BRANCH>`.
-      # Where `SANITIZED_BRANCH` is the branch name with only alphanumeric and hyphens, limited to 30 characters.
-      - name: Create deploy name
-        id: create-deploy-name
-        env:
-          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          # Convert branch name to only contain alphanumeric and hyphens
-          SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr -cs "[:alnum:]-" "-" | sed "s/^-//;s/-$//")
-
-          # Check if SANITIZED_BRANCH is empty and fail if it is
-          if [ -z "$SANITIZED_BRANCH" ]; then
-            echo "Error: Branch name resulted in empty string after sanitization"
-            exit 1
-          fi
-
-          echo "deploy-name=pr_${PR_NUMBER}_${SANITIZED_BRANCH:0:30}" >> "$GITHUB_OUTPUT"
-
-      - name: Upload Storybook
-        uses: grafana/shared-workflows/actions/push-to-gcs@main
-        with:
-          environment: prod
-          bucket: ${{ env.BUCKET_NAME }}
-          bucket_path: ${{ steps.create-deploy-name.outputs.deploy-name }}
-          path: packages/grafana-ui/dist/storybook
-          service_account: github-gf-storybook-preview@grafanalabs-workload-identity.iam.gserviceaccount.com
-          parent: false
-
-      - name: Write summary
-        env:
-          DEPLOY_NAME: ${{ steps.create-deploy-name.outputs.deploy-name }}
-        run: |
-          echo "## Storybook preview deployed! 🚀" >> $GITHUB_STEP_SUMMARY
-          echo "Check it out at https://storage.googleapis.com/${BUCKET_NAME}/${DEPLOY_NAME}/index.html" >> $GITHUB_STEP_SUMMARY

.github/workflows/detect-breaking-changes-levitate.yml

@@ -12,8 +12,6 @@ on:
   pull_request:
     paths:
       - 'packages/**'
-      - '.nvmrc'
-      - '.github/workflows/detect-breaking-changes-levitate.yml'
     branches:
       - 'main'
 
@@ -33,10 +31,9 @@ jobs:
         with:
           path: './pr'
           persist-credentials: false
-
       - uses: actions/setup-node@v4
         with:
-          node-version-file: './pr/.nvmrc'
+          node-version: 22.11.0
 
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
@@ -84,11 +81,10 @@ jobs:
         with:
           path: './base'
           ref: ${{ github.event.pull_request.base.ref }}
-          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:
-          node-version-file: './base/.nvmrc'
+          node-version: 22.11.0
 
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
@@ -133,12 +129,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
       - uses: actions/setup-node@v4
         with:
-          node-version-file: '.nvmrc'
+          node-version: 22.11.0
 
       - name: Get built packages from pr
         uses: actions/download-artifact@v4
@@ -158,15 +151,13 @@ jobs:
 
       - id: 'auth'
         uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
-        if: github.event.pull_request.head.repo.full_name == github.repository
         with:
-          workload_identity_provider: projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider
-          service_account: github-plugins-data-levitate@grafanalabs-workload-identity.iam.gserviceaccount.com
+          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+          service_account: ${{ secrets.LEVITATE_SA }}
           project_id: 'grafanalabs-global'
 
       - name: 'Set up Cloud SDK'
         uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
-        if: github.event.pull_request.head.repo.full_name == github.repository
         with:
           version: '>= 363.0.0'
           project_id: 'grafanalabs-global'
@@ -177,16 +168,11 @@ jobs:
         run: ./scripts/check-breaking-changes.sh
         env:
           FORCE_COLOR: 3
-          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} # used in check-breaking-changes.sh and levitate-parse-json-report.js
 
       - name: Persisting the check output
         run: |
             mkdir -p ./levitate
-            echo "{ \"exit_code\": ${IS_BREAKING}, \"message\": \"${MESSAGE}\", \"pr_number\": \"${PR_NUMBER}\" }" > ./levitate/result.json
-        env:
-          IS_BREAKING: ${{ steps.breaking-changes.outputs.is_breaking }}
-          MESSAGE: ${{ steps.breaking-changes.outputs.message }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json
 
       - name: Upload check output as artifact
         uses: actions/upload-artifact@v4
@@ -202,27 +188,16 @@ jobs:
     permissions:
       contents: read
       id-token: write
-    if: github.event.pull_request.head.repo.full_name == github.repository
 
     steps:
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana in vault
-          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
-
-      - name: Generate token
+      - name: "Generate token"
         id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
 
       - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
 
       - name: 'Download artifact'
         uses: actions/download-artifact@v4
@@ -230,7 +205,7 @@ jobs:
           name: levitate
 
       - name: Parsing levitate result
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         id: levitate-run
         with:
           script: |
@@ -241,7 +216,7 @@ jobs:
       # Check if label exists
       - name: Check if "levitate breaking change" label exists
         id: does-label-exist
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
         with:
@@ -320,7 +295,7 @@ jobs:
                   "fields": [
                     {
                       "type": "mrkdwn",
-                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n\nAuthor: ${{ github.event.pull_request.user.login }}"
+                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>"
                     },
                     {
                       "type": "mrkdwn",
@@ -334,7 +309,7 @@ jobs:
       # Add the label
       - name: Add "levitate breaking change" label
         if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         env:
           PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
         with:
@@ -350,7 +325,7 @@ jobs:
       # Remove label (no more breaking changes)
       - name: Remove "levitate breaking change" label
         if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         env:
           PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
         with:
@@ -368,7 +343,7 @@ jobs:
       # Related issue: https://github.com/renovatebot/renovate/issues/1908
       - name: Add "grafana/plugins-platform-frontend" as a reviewer
         if: steps.levitate-run.outputs.exit_code == 1
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         env:
           PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
         with:
@@ -385,7 +360,7 @@ jobs:
       # Remove reviewers (no more breaking changes)
       - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
         if: steps.levitate-run.outputs.exit_code == 0
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
         env:
           PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
         with:
@@ -401,11 +376,9 @@ jobs:
 
       - name: Exit
         run: |
-          if [ "${LV_EXIT_CODE}" -ne 0 ]; then
+          if [ "${{ steps.levitate-run.outputs.exit_code }}" -ne 0 ]; then
             echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
           fi
 
-          exit "${LV_EXIT_CODE}"
+          exit ${{ steps.levitate-run.outputs.exit_code }}
         shell: bash
-        env:
-          LV_EXIT_CODE: ${{ steps.levitate-run.outputs.exit_code }}

.github/workflows/documentation-ci.yml

@@ -4,18 +4,11 @@ on:
     branches: ["main"]
     paths: ["docs/sources/**"]
   workflow_dispatch:
-
-permissions: {}
-
 jobs:
   vale:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      security-events: write
     container:
-      image: grafana/vale:latest # zizmor: ignore[unpinned-images]
+      image: grafana/vale:latest
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/e2e-dashboard-new-layouts.yml

@@ -1,42 +0,0 @@
-name: Run e2e for dashboardNewLayouts
-
-on:
-  pull_request:
-    branches:
-      - '**'
-    paths:
-      - 'e2e/dashboard-new-layouts/**'
-      - 'public/app/features/dashboard-scene/**'
-
-env:
-  ARCH: linux-amd64
-
-jobs:
-  dashboard-new-layouts-e2e:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Pin Go version to mod file
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - run: go version
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-      - name: Install dependencies
-        run: yarn install --immutable
-      - name: Build grafana
-        run: make build
-      - name: Install Cypress dependencies
-        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
-        with:
-          runTests: false
-      - name: Run dashboardNewLayouts e2e
-        run: yarn e2e:dashboard-new-layouts

.github/workflows/ephemeral-instances-pr-comment.yml

@@ -1,48 +1,47 @@
-name: "Ephemeral instances"
-
+name: 'Ephemeral instances'
 on:
   issue_comment:
     types: [created]
   pull_request:
     types: [closed]
-
-permissions: {}
-
 jobs:
-  handle-ephemeral-instances:
-    if: ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') && github.repository_owner == 'grafana' }}
-    runs-on:
-      labels: ubuntu-latest-16-cores
-    continue-on-error: true
-    permissions:
-      # For commenting.
-      pull-requests: write
-      # No contents permission is needed because we will impersonate an app to create the PR instead.
-      id-token: write # required for vault access
-
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
     steps:
-      - name: Get vault secrets
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in ci/repo/grafana/grafana/
-          repo_secrets: |
-            APP_ID=ephemeral-instances-bot:app-id
-            APP_PEM=ephemeral-instances-bot:app-private-key
-            GCOM_HOST=ephemeral-instances-bot:gcom-host
-            GCOM_TOKEN=ephemeral-instances-bot:gcom-token
-            REGISTRY=ephemeral-instances-bot:registry
-            GCP_SA_ACCOUNT_KEY_BASE64=ephemeral-instances-bot:sa-key
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.EI_APP_ID != '' &&
+                        secrets.EI_APP_PRIVATE_KEY != '' &&
+                        secrets.EI_GCOM_HOST != '' &&
+                        secrets.EI_GCOM_TOKEN != '' &&
+                        secrets.EI_EPHEMERAL_INSTANCES_REGISTRY != '' &&
+                        secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 != '' &&
+                        secrets.EI_EPHEMERAL_ORG_ID != ''
+                        ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
 
+  handle-pull-request-event:
+    needs: config
+    if: needs.config.outputs.has-secrets &&
+        ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') }}
+    runs-on:
+      labels: ubuntu-latest-8-cores
+    continue-on-error: true
+    steps:
       - name: Generate a GitHub app installation token
         id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app_id: ${{ env.APP_ID }}
-          private_key: ${{ env.APP_PEM }}
+          app_id: ${{ secrets.EI_APP_ID }}
+          private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}
 
       - name: Checkout ephemeral instances repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
         with:
           repository: grafana/ephemeral-grafana-instances-github-action
           token: ${{ steps.generate_token.outputs.token }}
@@ -53,11 +52,11 @@ jobs:
       - name: build and deploy ephemeral instance
         uses: ./ephemeral
         with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          gcom-host: ${{ env.GCOM_HOST }}
-          gcom-token: ${{ env.GCOM_TOKEN }}
-          registry: "${{ env.REGISTRY }}"
-          gcp-service-account-key: ${{ env.GCP_SA_ACCOUNT_KEY_BASE64 }}
-          ephemeral-org-id: ephemeral
+          github-token:  ${{ steps.generate_token.outputs.token }}
+          gcom-host: ${{ secrets.EI_GCOM_HOST }}
+          gcom-token: ${{ secrets.EI_GCOM_TOKEN }}
+          registry: "${{ secrets.EI_EPHEMERAL_INSTANCES_REGISTRY }}"
+          gcp-service-account-key: "${{ secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 }}"
+          ephemeral-org-id: "${{ secrets.EI_EPHEMERAL_ORG_ID }}"
           oss-or-enterprise: oss
           verbose: true

.github/workflows/feature-toggles-ci.yml

@@ -7,15 +7,9 @@ on:
       - 'pkg/services/featuremgmt/registry.go'
       - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
 
-permissions: {}
-
 jobs:
   test:
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/frontend-lint.yml

@@ -9,34 +9,12 @@ on:
 permissions: {}
 
 jobs:
-  detect-changes:
-    name: Detect whether code changed
+  lint-frontend-verify-i18n:
+    name: Verify i18n
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.frontend }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/frontend-lint.yml
-
-  lint-frontend-prettier:
-    needs: detect-changes
     permissions:
       contents: read
       id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-prettier-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
-    name: Lint
-    runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:
@@ -47,21 +25,46 @@ jobs:
         cache: 'yarn'
         cache-dependency-path: 'yarn.lock'
     - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-prettier-enterprise:
-    needs: detect-changes
+    - run: |
+        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
+        make i18n-extract || (echo "${extract_error_message}" && false)
+    - run: |
+        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
+        file_diff=$(git diff --dirstat public/locales)
+        if [ -n "$file_diff" ]; then
+            echo $file_diff
+            echo "${uncommited_error_message}"
+            exit 1
+        fi
+  lint-frontend-prettier:
     permissions:
       contents: read
       id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-prettier-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
     name: Lint
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
       with:
-        persist-credentials: false
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-prettier-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
     - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
@@ -75,19 +78,16 @@ jobs:
     - run: yarn run prettier:check
     - run: yarn run lint
   lint-frontend-typecheck:
-    needs: detect-changes
     permissions:
       contents: read
       id-token: write
     # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
     # the `lint-frontend-typecheck-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
     name: Typecheck
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
     - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
@@ -96,18 +96,15 @@ jobs:
     - run: yarn install --immutable --check-cache
     - run: yarn run typecheck
   lint-frontend-typecheck-enterprise:
-    needs: detect-changes
     permissions:
       contents: read
       id-token: write
     # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     name: Typecheck
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
     - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
@@ -120,17 +117,13 @@ jobs:
     - run: yarn install --immutable --check-cache
     - run: yarn run typecheck
   lint-frontend-betterer:
-    needs: detect-changes
     permissions:
       contents: read
       id-token: write
-    if: needs.detect-changes.outputs.changed == 'true'
     name: Betterer
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
     - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'

.github/workflows/github-release.yml

@@ -34,7 +34,6 @@ on:
 permissions:
   # contents: write allows the action(s) to create github releases
   contents: write
-  id-token: write
 
 jobs:
   main:
@@ -45,5 +44,6 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}
+          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
           latest: ${{ inputs.latest }}
           dry_run: ${{ inputs.dry_run }}

.github/workflows/go-lint.yml

@@ -22,10 +22,11 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
+      - run: make gen-go
       - name: golangci-lint
         uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
         with:
-          version: v2.5.0
+          version: v2.0.2
           args: |
             --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
           install-mode: binary

.github/workflows/i18n-crowdin-create-tasks.yml

@@ -1,13 +1,27 @@
-name: Crowdin automatic task management
+name: Crowdin Create Tasks
 
 on:
   workflow_dispatch:
-  # once a month on the first day of the month at midnight
-  schedule:
-    - cron: "0 0 1 * *"
+  # schedule:
+  #   - cron: "0 0 * * *"
 
 jobs:
   create-tasks-in-crowdin:
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-create-tasks.yml@main
-    with:
-      crowdin_project_id: 5
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Create tasks
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+        run: node ./.github/workflows/scripts/crowdin/create-tasks.js

.github/workflows/i18n-crowdin-download.yml

@@ -7,10 +7,153 @@ on:
 
 jobs:
   download-sources-from-crowdin:
-    if: github.repository == 'grafana/grafana'
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-download.yml@main
-    with:
-      crowdin_project_id: 5
-      pr_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
-      github_board_id: 78 # Frontend Platform project
-      en_paths: public/locales/en-US/grafana.json, public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json, public/app/plugins/datasource/mssql/locales/en-US/mssql.json, packages/grafana-prometheus/src/locales/en-US/grafana-prometheus.json, packages/grafana-sql/src/locales/en-US/grafana-sql.json
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # needed to commit changes into the PR
+      pull-requests: write # needed to update PR description, labels, etc
+      id-token: write # needed to get vault secrets
+
+    steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+
+      - name: Download sources
+        id: crowdin-download
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        with:
+          upload_sources: false
+          upload_translations: false
+          download_sources: false
+          download_translations: true
+          export_only_approved: true
+          localization_branch_name: i18n_crowdin_translations
+          create_pull_request: true
+          pull_request_title: 'I18n: Download translations from Crowdin'
+          pull_request_body:  |
+            :robot: Automatic download of translations from Crowdin.
+
+            This runs once per day and will merge automatically if all the required checks pass.
+
+            If there's a conflict, close the pull request and **delete the branch**.
+            You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
+          pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
+          pull_request_base_branch_name: 'main'
+          base_url: 'https://grafana.api.crowdin.com'
+          config: 'crowdin.yml'
+          source: 'public/locales/en-US/grafana.json'
+          translation: 'public/locales/%locale%/%original_file_name%'
+          # Magic details of the github-actions bot user, to pass CLA checks
+          github_user_name: "github-actions[bot]"
+          github_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+
+      - name: Get pull request ID
+        if: steps.crowdin-download.outputs.pull_request_url
+        shell: bash
+        # Crowdin action returns us the URL of the pull request, but we need an ID for the GraphQL API
+        # that looks like 'PR_kwDOAOaWjc5mP_GU'
+        run: |
+          pr_id=$(gh pr view ${{ steps.crowdin-download.outputs.pull_request_url }} --json id -q .id)
+          echo "PULL_REQUEST_ID=$pr_id" >> "$GITHUB_ENV"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Get project board ID
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        id: get-project-id
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          # Frontend Platform project - https://github.com/orgs/grafana/projects/78
+          org: grafana
+          project_number: 78
+          query: |
+            query getProjectId($org: String!, $project_number: Int!){
+              organization(login: $org) {
+                projectV2(number: $project_number) {
+                  title
+                  id
+                }
+              }
+            }
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Add to project board
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
+          prid: ${{ env.PULL_REQUEST_ID }}
+          query: |
+            mutation addPullRequestToProject($projectid: ID!, $prid: ID!){
+              addProjectV2ItemById(input: {projectId: $projectid, contentId: $prid}) {
+                item {
+                  id
+                }
+              }
+            }
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Run auto-milestone
+        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
+          token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Get vault secrets
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
+          repo_secrets: |
+            GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
+            GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
+
+      - name: Generate approver token
+        if: steps.crowdin-download.outputs.pull_request_url
+        id: generate_approver_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
+          private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
+
+      - name: Approve and automerge PR
+        if: steps.crowdin-download.outputs.pull_request_url
+        shell: bash
+        # Only approve if:
+        # - the PR does not modify files other than json files under the public/locales/ directory
+        # - the PR does not modify the en-US locale
+        run: |
+          filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
+
+          if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
+            echo "Non-i18n changes detected, not approving"
+            exit 1
+          fi
+
+          if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
+            echo "public/locales/en-US changes detected, not approving"
+            exit 1
+          fi
+
+          echo "Approving and enabling automerge"
+          gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
+          gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}

.github/workflows/i18n-crowdin-upload.yml

@@ -5,16 +5,31 @@ on:
   push:
     paths:
       - 'public/locales/en-US/grafana.json'
-      - 'public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json'
-      - 'public/app/plugins/datasource/mssql/locales/en-US/mssql.json'
-      - 'packages/grafana-sql/src/locales/en-US/grafana-sql.json'
-      - 'packages/grafana-prometheus/src/locales/en-US/grafana-prometheus.json'
     branches:
       - main
 
 jobs:
   upload-sources-to-crowdin:
-    if: github.repository == 'grafana/grafana'
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-upload.yml@main
-    with:
-      crowdin_project_id: 5
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Upload sources
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        with:
+          upload_sources: true
+          upload_sources_args: '--dest=public/locales/en-US/grafana.json'
+          upload_translations: false
+          download_translations: false
+          create_pull_request: false
+          base_url: 'https://grafana.api.crowdin.com'
+          config: 'crowdin.yml'
+          source: 'public/locales/en-US/grafana.json'
+          translation: 'public/locales/%locale%/%original_file_name%'
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}

.github/workflows/i18n-verify.yml

@@ -1,15 +0,0 @@
-name: Verify i18n
-
-permissions:
-  contents: read
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-jobs:
-  verify-i18n:
-    uses: grafana/grafana-github-actions/.github/workflows/verify-i18n.yml@main

.github/workflows/issue-opened.yml

@@ -43,19 +43,20 @@ jobs:
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
 
-      - name: Generate token
+      - name: "Generate token"
         id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
 
       - name: Run Commands
         uses: ./actions/commands
         with:
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
           token: ${{ steps.generate_token.outputs.token }}
           configPath: "issue-opened"
 
@@ -76,20 +77,18 @@ jobs:
           repo_secrets: |
             AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
             AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
-            GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
-            GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
 
-      - name: Generate token
+      - name: "Generate token"
         id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
 
       - name: Checkout
         uses: actions/checkout@v4 # v4.2.2
-        with:
-          persist-credentials: false
 
       - name: Send issue to the auto triager action
         id: auto_triage

.github/workflows/lint-build-docs.yml

@@ -16,16 +16,10 @@ on:
       - 'packages/**/*.md'
       - 'latest.json'
 
-permissions: {}
-
 jobs:
   docs:
     name: Build & Verify Docs
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -35,7 +29,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version-file: '.nvmrc'
+          node-version: '22.11.0'
           cache: 'yarn'
 
       - name: Install dependencies
@@ -51,18 +45,18 @@ jobs:
         run: |
           # Create and start a container from the docs-base image in detached mode
           docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
-
+          
           # Create the directory structure inside the container
           docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
-
+          
           # Create the _index.md file
           docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
-
+          
           # Copy the docs sources from the host to the container
           docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
-
+          
           # Run the make prod command inside the container
           docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
-
+          
           # Clean up the container
           docker rm -f docs-builder

.github/workflows/metrics-collector.yml

@@ -0,0 +1,54 @@
+#
+# When triggered by the cron job it will also collect metrics for:
+#  * number of issues without label
+#  * number of issues with "needs more info"
+#  * number of issues with "needs investigation"
+#  * number of issues with label type/bug
+#  * number of open issues in current milestone
+#
+# https://github.com/grafana/grafana-github-actions/blob/main/metrics-collector/index.ts
+#
+name: Github issue metrics collection
+on:
+  schedule:
+    - cron: "*/10 * * * *"
+  issues:
+    types: [opened, closed]
+
+permissions:
+  contents: read
+
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: Run metrics collector
+        uses: ./actions/metrics-collector
+        with:
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          token: ${{secrets.GITHUB_TOKEN}}
+          configPath: "metrics-collector"

.github/workflows/migrate-prs.yml

@@ -15,6 +15,11 @@ on:
         description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
         required: true
         type: string
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
   workflow_dispatch:
     inputs:
       from:
@@ -29,30 +34,24 @@ on:
         description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
         required: true
         type: string
-
-permissions:
-  contents: read
-  id-token: write
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
 
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Migrate PRs
-        uses: grafana/grafana-github-actions-go/migrate-open-prs@main
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ steps.generate_token.outputs.token }}
           ownerRepo: ${{ inputs.ownerRepo }}

.github/workflows/pr-backend-coverage.yml

@@ -0,0 +1,71 @@
+name: Coverage
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  EDITION: 'oss'
+  WIRE_TAGS: 'oss'
+
+jobs:
+  main:
+    name: Backend Unit Tests
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential shared-mime-info
+          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
+      - name: Process and upload coverage
+        uses: ./.github/actions/test-coverage-processor
+        with:
+          test-type: 'be-unit'
+          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
+          coverage-file: 'unit.cov'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          codecov-flag: 'be-unit'
+          codecov-name: 'be-unit'
+
+      - name: Install Grafana Bench
+        # We can't allow forks here, as we need secret access.
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: ./.github/actions/setup-grafana-bench
+
+      - name: Process output for Bench
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          grafana-bench report \
+            --trigger pr-backend-unit-tests-oss \
+            --report-input go \
+            --report-output log \
+            --grafana-version "$(git rev-parse HEAD)" \
+            --suite-name grafana-oss-unit-tests \
+            /tmp/unit.log || true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false

.github/workflows/pr-codeql-analysis-python.yml

@@ -25,24 +25,11 @@ jobs:
         fetch-depth: 2
         persist-credentials: false
 
-    - name: Check for Python files
-      id: check-python
-      run: |
-        if [ -z "$(find . -name '*.py' -type f)" ]; then
-          echo "No Python files found, skipping analysis"
-          echo "skip=true" >> "$GITHUB_OUTPUT"
-        else
-          echo "Python files found, proceeding with analysis"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-        fi
-
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      if: steps.check-python.outputs.skip != 'true'
       uses: github/codeql-action/init@v3
       with:
         languages: "python"
 
     - name: Perform CodeQL Analysis
-      if: steps.check-python.outputs.skip != 'true'
       uses: github/codeql-action/analyze@v3

.github/workflows/pr-commands.yml

@@ -5,14 +5,28 @@ on:
       - labeled
       - opened
       - synchronize
-permissions: {}
 concurrency:
   group: pr-commands-${{ github.event.number }}
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_PR_AUTOMATION_APP_ID != '' &&
+                        secrets.GRAFANA_PR_AUTOMATION_APP_PEM != '' &&
+                        secrets.GRAFANA_MISC_STATS_API_KEY != ''
+                        ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
   main:
-    permissions:
-      contents: read
-      pull-requests: write
+    needs: config
+    if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
@@ -24,8 +38,15 @@ jobs:
           persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
       - name: Run Commands
         uses: ./actions/commands
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          token: ${{ steps.generate_token.outputs.token }}
           configPath: pr-commands

.github/workflows/pr-dependabot-update-go-workspace.yml

@@ -65,5 +65,5 @@ jobs:
         if ! git diff --exit-code --quiet; then
           echo "Committing and pushing workspace changes"
           git commit -a -m "update workspace"
-          git push origin "$BRANCH_NAME"
+          git push origin $BRANCH_NAME
         fi

.github/workflows/pr-e2e-tests.yml

@@ -11,47 +11,27 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
 
-permissions: {}
-
 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.e2e }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/pr-e2e-tests.yml
-
   build-grafana:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
     name: Build & Package Grafana
     runs-on: ubuntu-latest-16-cores
-    permissions:
-      contents: read
     outputs:
       artifact: ${{ steps.artifact.outputs.artifact }}
     steps:
       - uses: actions/checkout@v4
         with:
-          path: ./grafana
+          repository: 'grafana/grafana-build'
+          ref: 'main'
           persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          path: ./grafana
+      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
       - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
         with:
-          version: 0.18.8
           verb: run
-          args: go -C grafana run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir="${PWD}/grafana" > out.txt
-      - run: mv "$(cat out.txt)" grafana.tar.gz
+          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
+      - run: mv $(cat out.txt) grafana.tar.gz
       - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
         id: artifact
       - uses: actions/upload-artifact@v4
@@ -60,160 +40,33 @@ jobs:
           retention-days: 1
           name: ${{ steps.artifact.outputs.artifact }}
           path: grafana.tar.gz
-
-  build-e2e-runner:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
-    name: Build E2E test runner
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      artifact: ${{ steps.artifact.outputs.artifact }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: ${{ !github.event.pull_request.head.repo.fork }}
-      - name: Build E2E test runner
-        id: artifact
-        run: |
-          set -euo pipefail
-          # We want a static binary, so we need to set CGO_ENABLED=0
-          CGO_ENABLED=0 go build -o ./e2e-runner ./e2e/
-          echo "artifact=e2e-runner-${{github.run_number}}" >> "$GITHUB_OUTPUT"
-      - uses: actions/upload-artifact@v4
-        id: upload
-        with:
-          retention-days: 1
-          name: ${{ steps.artifact.outputs.artifact }}
-          path: e2e-runner
-
-  run-e2e-tests:
-    needs:
-      - build-grafana
-      - build-e2e-runner
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - suite: various-suite
-            path: e2e/various-suite
-          - suite: dashboards-suite
-            path: e2e/dashboards-suite
-          - suite: smoke-tests-suite
-            path: e2e/smoke-tests-suite
-          - suite: panels-suite
-            path: e2e/panels-suite
-          - suite: various-suite (old arch)
-            path: e2e/old-arch/various-suite
-            flags: --flags="--env dashboardScene=false"
-          - suite: dashboards-suite (old arch)
-            path: e2e/old-arch/dashboards-suite
-            flags: --flags="--env dashboardScene=false"
-          - suite: smoke-tests-suite (old arch)
-            path: e2e/old-arch/smoke-tests-suite
-            flags: --flags="--env dashboardScene=false"
-          - suite: panels-suite (old arch)
-            path: e2e/old-arch/panels-suite
-            flags: --flags="--env dashboardScene=false"
+  e2e-matrix:
     name: ${{ matrix.suite }}
-    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-grafana.outputs.artifact }}
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-e2e-runner.outputs.artifact }}
-      - name: chmod +x
-        run: chmod +x ./e2e-runner
-      - name: Run E2E tests
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/e2e --package=grafana.tar.gz
-            --suite=${{ matrix.path }}
-            ${{ matrix.flags }}
-      - name: Set suite name
-        id: set-suite-name
-        if: success() || failure()
-        env:
-          SUITE: ${{ matrix.path }}
-        run: |
-          set -euo pipefail
-          echo "suite=$(echo "$SUITE" | sed 's/\//-/g')" >> "$GITHUB_OUTPUT"
-      - uses: actions/upload-artifact@v4
-        if: success() || failure()
-        with:
-          name: ${{ steps.set-suite-name.outputs.suite }}-${{ github.run_number }}
-          path: videos
-          retention-days: 1
-
-  run-a11y-test:
+    strategy:
+      matrix:
+        suite:
+          - various-suite
+          - dashboards-suite
+          - smoke-tests-suite
+          - panels-suite
     needs:
       - build-grafana
-    name: A11y test
-    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-grafana.outputs.artifact }}
-      - name: Run PR a11y test
-        if: github.event_name == 'pull_request'
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/a11y --package=grafana.tar.gz
-      - name: Run non-PR a11y test
-        if: github.event_name != 'pull_request'
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/a11y --package=grafana.tar.gz --no-threshold-fail
-
-  # This is the job that is actually required by rulesets.
-  # We want to only require one job instead of all the individual tests.
-  # Future work also allows us to start skipping some tests based on changed files.
-  required-e2e-tests:
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}
+  e2e-matrix-old-arch:
+    name: ${{ matrix.suite }} (old arch)
+    strategy:
+      matrix:
+        suite:
+          - old-arch/various-suite
+          - old-arch/dashboards-suite
+          - old-arch/smoke-tests-suite
+          - old-arch/panels-suite
     needs:
-      - run-e2e-tests
-      # a11y test is not listed on purpose: it is not an important E2E test.
-      # It is also totally fine to fail right now.
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All E2E tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}

.github/workflows/pr-external-labelling.yml

@@ -1,25 +0,0 @@
-name: External PR labelling
-
-on:
-  # We need "write" permissions on the PR to be able to add a label.
-  pull_request_target: # zizmor: ignore[dangerous-triggers] We need this to have labelling permissions. There are no user inputs here, so we should be fine.
-    types:
-      - opened
-
-permissions: {}
-
-jobs:
-  label-if-external:
-    name: Add 'pr/external' label if the PR is external
-    if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER'
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write # to write the label
-
-    steps:
-      - name: Add the 'pr/external' label
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          echo "Adding 'pr/external' label to the PR"
-          gh pr edit "$PR_NUMBER" --add-label pr/external

.github/workflows/pr-frontend-unit-tests.yml

@@ -9,32 +9,13 @@ on:
 permissions: {}
 
 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.frontend }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/pr-frontend-unit-tests.yml
-
   frontend-unit-tests:
     permissions:
       contents: read
       id-token: write
     # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
     # the `frontend-unit-tests-enterprise` workflow will run instead
-    needs: detect-changes
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
     runs-on: ubuntu-latest-8-cores
     name: "Unit tests (${{ matrix.chunk }} / 8)"
     strategy:
@@ -62,8 +43,7 @@ jobs:
       contents: read
       id-token: write
     # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    needs: detect-changes
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
     runs-on: ubuntu-latest-8-cores
     name: "Unit tests (${{ matrix.chunk }} / 8)"
     strategy:
@@ -72,8 +52,6 @@ jobs:
         chunk: [1, 2, 3, 4, 5, 6, 7, 8]
     steps:
     - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
     - uses: actions/setup-node@v4
       with:
         node-version-file: '.nvmrc'
@@ -89,30 +67,3 @@ jobs:
         TEST_MAX_WORKERS: 2
         TEST_SHARD: ${{ matrix.chunk }}
         TEST_SHARD_TOTAL: 8
-
-  # This is the job that is actually required by rulesets.
-  # We need to require EITHER the OSS or the Enterprise job to pass.
-  # However, if one is skipped, GitHub won't flat-map the shards,
-  #   so they won't be accepted by a ruleset.
-  required-frontend-unit-tests:
-    needs:
-      - frontend-unit-tests
-      - frontend-unit-tests-enterprise
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All frontend unit tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"

.github/workflows/pr-patch-check-event.yml

@@ -1,27 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana
 name: Dispatch check for patch conflicts
+run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
       - synchronize
     branches:
       - "main"
+      - "v*.*.*"
       - "release-*"
 
-permissions:
-  id-token: write
-  contents: read
+permissions: {}
 
 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
   dispatch-job:
-    uses: grafana/grafana/.github/workflows/pr-patch-check.yml@main
-    with:
-      head_ref: ${{ github.head_ref }}
-      base_ref: ${{ github.base_ref }}
-      repo: ${{ github.repository }}
-      sender_login: ${{ github.event.sender.login }}
-      sha: ${{ github.sha }}
-      pr_commit_sha: ${{ github.event.pull_request.head.sha }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+      REPO: ${{ github.repository }}
+      SENDER: ${{ github.event.sender.login }}
+      SHA: ${{ github.sha }}
+      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: "Dispatch job"
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'test-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_repo: REPO,
+                  src_ref: HEAD_REF,
+                  src_merge_sha: SHA,
+                  src_pr_commit_sha: PR_COMMIT_SHA,
+                  patch_repo: REPO + '-security-patches',
+                  patch_ref: BASE_REF,
+                  triggering_github_handle: SENDER
+                }
+            })

.github/workflows/pr-patch-check.yml

@@ -1,78 +0,0 @@
-name: Dispatch check for patch conflicts
-on:
-  workflow_call:
-    inputs:
-      head_ref:
-        type: string
-        required: true
-      base_ref:
-        type: string
-        required: true
-      repo:
-        type: string
-        required: true
-      sender_login:
-        type: string
-        required: true
-      sha:
-        type: string
-        required: true
-      pr_commit_sha:
-        type: string
-        required: true
-
-permissions:
-  id-token: write
-  contents: read
-
-# Since this is run on a pull request, we want to apply the patches intended for the
-# target branch onto the source branch, to verify compatibility before merging.
-jobs:
-  dispatch-job:
-    env:
-      HEAD_REF: ${{ inputs.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-      REPO: ${{ inputs.repo }}
-      SENDER: ${{ inputs.sender_login }}
-      SHA: ${{ inputs.sha }}
-      PR_COMMIT_SHA: ${{ inputs.pr_commit_sha }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          permissions: "{\"actions\": \"write\", \"workflows\": \"write\"}"
-          repositories: "[\"security-patch-actions\"]"
-      - name: "Dispatch job"
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'security-patch-actions',
-                workflow_id: 'test-patches-event.yml',
-                ref: 'main',
-                inputs: {
-                  src_repo: REPO,
-                  src_ref: HEAD_REF,
-                  src_merge_sha: SHA,
-                  src_pr_commit_sha: PR_COMMIT_SHA,
-                  patch_repo: REPO + '-security-patches',
-                  patch_ref: BASE_REF,
-                  triggering_github_handle: SENDER
-                }
-            })

.github/workflows/pr-test-integration.yml

@@ -15,8 +15,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
 
-permissions: {}
-
 jobs:
   sqlite:
     strategy:
@@ -29,8 +27,6 @@ jobs:
 
     name: Sqlite (${{ matrix.shard }})
     runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -41,11 +37,12 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
+      - name: Generate Go code
+        run: make gen-go
       - name: Run tests
         env:
           SHARD: ${{ matrix.shard }}
         run: |
-          set -euo pipefail
           readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
           go test -tags=sqlite -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
   mysql:
@@ -59,8 +56,6 @@ jobs:
 
     name: MySQL (${{ matrix.shard }})
     runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
     env:
       GRAFANA_TEST_DB: mysql
       MYSQL_HOST: 127.0.0.1
@@ -78,8 +73,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -87,11 +80,12 @@ jobs:
           cache: true
       - name: Setup MySQL devenv
         run: mysql -h 127.0.0.1 -P 3306 -u root -prootpass < devenv/docker/blocks/mysql_tests/setup.sql
+      - name: Generate Go code
+        run: make gen-go
       - name: Run tests
         env:
           SHARD: ${{ matrix.shard }}
         run: |
-          set -euo pipefail
           readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
           go test -p=1 -tags=mysql -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
   postgres:
@@ -123,8 +117,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-        with:
-          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
@@ -132,37 +124,11 @@ jobs:
           cache: true
       - name: Setup Postgres devenv
         run: psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
+      - name: Generate Go code
+        run: make gen-go
       - name: Run tests
         env:
           SHARD: ${{ matrix.shard }}
         run: |
-          set -euo pipefail
           readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
           go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
-
-  # This is the job that is actually required by rulesets.
-  # We want to only require one job instead of all the individual tests and shards.
-  # Future work also allows us to start skipping some tests based on changed files.
-  required-backend-integration-tests:
-    needs:
-      - mysql
-      - postgres
-      - sqlite
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All backend integration tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"

.github/workflows/publish-artifact.yml

@@ -1,72 +0,0 @@
-name: Publish artifacts to bucket
-on:
-  workflow_call:
-    inputs:
-      pattern:
-        description: |
-          (From actinos/download-artifact) Glob pattern of artifacts (instead of `name`)
-          Be careful when using this option; the contents of the root of each artifact are coalesced, so ensure that they do not collide.
-        type: string
-        required: false
-      name:
-        description: (From actinos/download-artifact) Name of the GitHub artifact to upload (Ignored if `pattern` is set)
-        type: string
-        required: false
-      bucket:
-        description: Name of the GCS bucket
-        type: string
-        required: true
-      bucket-path:
-        description: Path in the GCS bucket
-        type: string
-        required: false
-        default: "."
-      environment:
-        description: "'prod' or 'dev'"
-        type: string
-        required: false
-        default: dev
-      run-id:
-        type: string
-        required: true
-      service-account:
-        type: string
-        required: false
-        default: github-prerelease-writer@grafanalabs-workload-identity.iam.gserviceaccount.com
-      runs-on:
-        type: string
-        required: false
-        default: github-hosted-ubuntu-x64-small
-jobs:
-  publish:
-    runs-on: ${{ inputs.runs-on }}
-    name: Publish
-    permissions:
-      id-token: write
-    steps:
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: ${{ inputs.name }}
-          pattern: ${{ inputs.pattern }}
-          run-id: ${{ inputs.run-id }}
-          path: ./artifact
-      - name: Log in to GCS
-        id: login-to-gcs
-        uses: grafana/shared-workflows/actions/login-to-gcs@login-to-gcs/v0.2.1
-        with:
-          environment: ${{ inputs.environment }}
-          service_account: ${{ inputs.service-account }}
-      - name: Coalesce artifacts
-        run: |
-          mkdir out
-          find ./artifact -mindepth 2 -maxdepth 2 -exec cp -r {} out/ \;
-          ls -al out
-      - name: Upload artifacts
-        uses: grafana/shared-workflows/actions/push-to-gcs@push-to-gcs-v0.2.0
-        with:
-          bucket: ${{ inputs.bucket }}
-          environment: ${{ inputs.environment }}
-          parent: false
-          path: out
-          bucket_path: ${{ inputs.bucket-path }}
-          service_account: ${{ inputs.service-account }}

.github/workflows/publish-kinds-next.yml

@@ -8,17 +8,25 @@ on:
       - '**/*.cue'
   workflow_dispatch:
 
-permissions: {}
-
 jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
+  config:
     runs-on: "ubuntu-latest"
-    permissions:
-      contents: read # cloning repo
-      actions: read # reading .github/workflows/ dir
-      id-token: write # reading vault secrets
+    if: github.repository == 'grafana/grafana'
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
 
+  main:
+    needs: config
+    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout Grafana repo"
         uses: "actions/checkout@v4"
@@ -34,20 +42,12 @@ jobs:
       - name: "Verify kinds"
         run: go run .github/workflows/scripts/kinds/verify-kinds.go
 
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
 
       - name: "Clone website-sync Action"
         run: "git clone --single-branch --no-tags --depth 1 -b master https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/website-sync ./.github/actions/website-sync"

.github/workflows/publish-kinds-release.yml

@@ -10,17 +10,25 @@ on:
       - '**/*.cue'
   workflow_dispatch:
 
-permissions: {}
-
 jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
+  config:
     runs-on: "ubuntu-latest"
-    permissions:
-      contents: read # cloning repo
-      actions: read # reading .github/workflows/ dir
-      id-token: write # reading vault secrets
+    if: github.repository == 'grafana/grafana'
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
 
+  main:
+    needs: config
+    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    runs-on: "ubuntu-latest"
     steps:
       - name: "Checkout Grafana repo"
         uses: "actions/checkout@v4"
@@ -42,7 +50,6 @@ jobs:
         with:
           repository: "grafana/grafana-github-actions"
           path: "./actions"
-          persist-credentials: false
 
       - name: "Install Actions from library"
         run: "npm install --production --prefix ./actions"
@@ -55,20 +62,12 @@ jobs:
           release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
           release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"
 
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
       - name: "Generate token"
         id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
 
       - name: "Clone website-sync Action"
         if: "steps.has-matching-release-tag.outputs.bool == 'true'"

.github/workflows/publish-technical-documentation-next.yml

@@ -16,8 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
       - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
         with:
           website_directory: content/docs/grafana/next

.github/workflows/reject-gh-secrets.yml

@@ -1,31 +0,0 @@
-name: Reject GitHub secrets
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches:
-      - main
-      - release-*
-
-permissions: {}
-
-jobs:
-  reject-gh-secrets:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - name: Grep for secrets accesses
-        run: |
-          if grep -E '\$\{\{\s*secrets\s*\.\s*[a-zA-Z0-9_\-]+\s*\}\}' .github/workflows/*.yml | grep -vF 'secrets.GITHUB_TOKEN' | grep -vF '# nolint:reject-gh-secrets'; then
-            echo "Found secrets access in the codebase. Please remove it in favour of Vault secrets."
-            echo "If you are sure this is correct, add '# nolint:reject-gh-secrets' to the end of the line. Be VERY careful with this."
-            exit 1
-          fi

.github/workflows/release-build.yml

@@ -1,337 +0,0 @@
-name: Build Release Packages
-on:
-  workflow_dispatch:
-    inputs:
-      source-event:
-        description: If this workflow was triggered by another workflow, this value should be set to the GITHUB_EVENT_NAME of that source workflow.
-        type: string
-        required: false
-        default: workflow_dispatch
-  schedule:
-    # Every weeknight at midnight
-    # "Scheduled workflows will only run on the default branch." (docs.github.com)
-    - cron: '0 0 * * 1-5'
-  push:
-    branches:
-      - release-*.*.*
-      - main
-
-permissions:
-  contents: read
-
-# Builds the following artifacts:
-#
-# npm:grafana
-# storybook
-# targz:grafana:linux/amd64
-# targz:grafana:linux/arm64
-# targz:grafana:linux/arm/v6
-# targz:grafana:linux/arm/v7
-# deb:grafana:linux/amd64
-# deb:grafana:linux/arm64
-# deb:grafana:linux/arm/v6
-# deb:grafana:linux/arm/v7
-# rpm:grafana:linux/amd64:sign
-# rpm:grafana:linux/arm64:sign
-# docker:grafana:linux/amd64
-# docker:grafana:linux/arm64
-# docker:grafana:linux/arm/v7
-# docker:grafana:linux/amd64:ubuntu
-# docker:grafana:linux/arm64:ubuntu
-# docker:grafana:linux/arm/v7:ubuntu
-# targz:grafana:windows/amd64
-# targz:grafana:windows/arm64
-# targz:grafana:darwin/amd64
-# targz:grafana:darwin/arm64
-# zip:grafana:windows/amd64
-# msi:grafana:windows/amd64
-jobs:
-  setup:
-    name: setup
-    runs-on: github-hosted-ubuntu-x64-small
-    if: (github.repository == 'grafana/grafana') || (github.repository == 'grafana/grafana-security-mirror' && contains(github.ref_name, '+security'))
-    outputs:
-      version: ${{ steps.output.outputs.version }}
-      grafana-commit: ${{ steps.output.outputs.grafana_commit }}
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Set up version (Release Branches)
-        if: startsWith(github.ref_name, 'release-')
-        run: echo "${REF_NAME#release-}" > VERSION
-        env:
-          REF_NAME: ${{ github.ref_name }}
-      - name: Set up version (Non-release branches)
-        if: ${{ !startsWith(github.ref_name, 'release-') }}
-        run: jq -r .version package.json | sed -s "s/pre/${BUILD_ID}/g" > VERSION
-        env:
-          REF_NAME: ${{ github.ref_name }}
-          BUILD_ID: ${{ github.run_id }}
-      - id: output
-        run: |
-          echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
-          echo "grafana_commit=$(git rev-parse HEAD)" | tee -a "$GITHUB_OUTPUT"
-  # Triggers the same workflow in `grafana-enterprise` on the same ref
-  downstream:
-    runs-on: github-hosted-ubuntu-x64-small
-    needs: [setup]
-    permissions:
-      contents: read
-      id-token: write
-    name: Dispatch grafana-enterprise build
-    steps:
-      - id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana-enterprise"]'
-          permissions: '{"actions": "write"}'
-      - uses: actions/github-script@v7
-        env:
-          REF: ${{ github.ref_name }}
-          VERSION: ${{ needs.setup.outputs.version }}
-          BUILD_ID: ${{ github.run_id }}
-          BUCKET: grafana-prerelease
-          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
-          SOURCE_EVENT: ${{ inputs.source-event || github.event_name }}
-          REPO: ${{ github.repository }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, SOURCE_EVENT, REPO} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'grafana-enterprise',
-                workflow_id: 'release-build.yml',
-                ref:  REF,
-                inputs: {
-                  "version": VERSION,
-                  "build-id": String(BUILD_ID),
-                  "bucket": BUCKET,
-                  "grafana-commit": GRAFANA_COMMIT,
-                  "source-event": SOURCE_EVENT,
-                  "upstream": REPO,
-                }
-            })
-
-  build:
-    runs-on: github-hosted-ubuntu-x64-large
-    needs: [setup]
-    permissions:
-      contents: read
-      id-token: write
-    name: ${{ needs.setup.outputs.version }} / ${{ matrix.name }}
-    strategy:
-      fail-fast: false
-      matrix:
-        # The artifacts in these lists are grouped by their os+arch because the
-        # build process can reuse the binaries for each artifact.
-        # The downside to this is that the frontend will be built for each one when it could be reused for all of them.
-        # This could be a future improvement.
-        include:
-          - name: linux-amd64 # publish-npm relies on this step building npm packages
-            artifacts: targz:grafana:linux/amd64,deb:grafana:linux/amd64,rpm:grafana:linux/amd64,docker:grafana:linux/amd64,docker:grafana:linux/amd64:ubuntu,npm:grafana,storybook
-            verify: true
-          - name: linux-arm64
-            artifacts: targz:grafana:linux/arm64,deb:grafana:linux/arm64,rpm:grafana:linux/arm64,docker:grafana:linux/arm64,docker:grafana:linux/arm64:ubuntu
-            verify: false
-          - name: linux-s390x
-            artifacts: targz:grafana:linux/s390x,deb:grafana:linux/s390x,rpm:grafana:linux/s390x,docker:grafana:linux/s390x,docker:grafana:linux/s390x:ubuntu
-            verify: true
-          - name: linux-armv7
-            artifacts: targz:grafana:linux/arm/v7,deb:grafana:linux/arm/v7,docker:grafana:linux/arm/v7,docker:grafana:linux/arm/v7:ubuntu
-            verify: true
-          - name: linux-armv6
-            artifacts: targz:grafana:linux/arm/v6,deb:grafana:linux/arm/v6
-            verify: true
-          - name: windows-amd64
-            artifacts: targz:grafana:windows/amd64:nocgo,zip:grafana:windows/amd64:nocgo,msi:grafana:windows/amd64:nocgo
-            verify: true
-          - name: windows-arm64
-            artifacts: targz:grafana:windows/arm64:nocgo,zip:grafana:windows/arm64:nocgo
-            verify: true
-          - name: darwin-amd64
-            artifacts: targz:grafana:darwin/amd64:nocgo
-            verify: true
-          - name: darwin-arm64
-            artifacts: targz:grafana:darwin/arm64:nocgo
-            verify: true
-    steps:
-      - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
-        with:
-          image: docker.io/tonistiigi/binfmt:qemu-v7.0.0-28
-      - uses: ./.github/actions/build-package
-        id: build
-        with:
-          artifacts: ${{ matrix.artifacts }}
-          checksum: true
-          grafana-path: .
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          version: ${{ needs.setup.outputs.version }}
-          output: artifacts-${{ matrix.name }}.txt
-          verify: ${{ matrix.verify }}
-          build-id: ${{ github.run_id }}
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: artifacts-list-${{ matrix.name }}
-          path: ${{ steps.build.outputs.file }}
-          retention-days: 1
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: artifacts-${{ matrix.name }}
-          path: ${{ steps.build.outputs.dist-dir }}
-          retention-days: 1
-
-  publish-artifacts:
-    name: Upload artifacts
-    uses: grafana/grafana/.github/workflows/publish-artifact.yml@main
-    permissions:
-      id-token: write
-    needs:
-      - setup
-      - build
-    with:
-      bucket: grafana-prerelease
-      pattern: artifacts-*
-      run-id: ${{ github.run_id }}
-      bucket-path: ${{ needs.setup.outputs.version }}_${{ github.run_id }}
-      environment: prod
-
-  publish-dockerhub:
-    if: github.ref_name == 'main'
-    permissions:
-      contents: read
-      id-token: write
-    runs-on: ubuntu-x64-small
-    needs:
-      - setup
-      - build
-    steps:
-      - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-amd64
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-arm64
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-armv7
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-amd64
-          path: dist
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-arm64
-          path: dist
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-armv7
-          path: dist
-      - name: Push to Docker Hub
-        env:
-          VERSION: ${{ needs.setup.outputs.version }}
-        run: |
-          # grep can use a wildcard but then it includes the filename as part of the result and that gets complicated.
-          # It's easier to use cat to combine the artifact lists
-          cat artifacts-*.txt > artifacts.txt
-          grep 'grafana_.*docker.tar.gz$' artifacts.txt | xargs -I % docker load -i % | sed 's/Loaded image: //g' | tee docker_images
-          while read -r line; do
-            # This tag will be `grafana/grafana-image-tags:...`
-            docker push "$line"
-          done < docker_images
-
-          docker manifest create grafana/grafana:main "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64"  "grafana/grafana-image-tags:${VERSION}-armv7"
-          docker manifest create grafana/grafana:main-ubuntu "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64"  "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7"
-          docker manifest create "grafana/grafana-dev:${VERSION}" "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64"  "grafana/grafana-image-tags:${VERSION}-armv7"
-          docker manifest create "grafana/grafana-dev:${VERSION}-ubuntu" "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64"  "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7"
-
-          docker manifest push grafana/grafana:main
-          docker manifest push grafana/grafana:main-ubuntu
-          docker manifest push "grafana/grafana-dev:${VERSION}"
-          docker manifest push "grafana/grafana-dev:${VERSION}-ubuntu"
-
-  publish-npm-canaries:
-    if: github.ref_name == 'main'
-    name: Publish NPM canaries
-    uses: ./.github/workflows/release-npm.yml
-    permissions:
-      contents: read
-      id-token: write
-    needs:
-      - setup
-      - build
-    with:
-      grafana_commit: ${{ needs.setup.outputs.grafana-commit }}
-      version: ${{ needs.setup.outputs.version }}
-      build_id: ${{ github.run_id }}
-      version_type: "canary"
-
-  # notify-pr creates (or updates) a comment in a pull request to link to this workflow where the release artifacts are
-  # being built.
-  notify-pr:
-    runs-on: ubuntu-x64-small
-    permissions:
-      contents: read
-      id-token: write
-    needs:
-      - setup
-    steps:
-      - id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana"]'
-          permissions: '{"issues": "write", "pull_requests": "write", "contents": "read"}'
-      - name: Find PR
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
-        run: echo "ISSUE_NUMBER=$(gh api "/repos/grafana/grafana/commits/${GRAFANA_COMMIT}/pulls" | jq -r '.[0].number')" >> "$GITHUB_ENV"
-      - name: Find Comment
-        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
-        id: fc
-        with:
-          issue-number: ${{ env.ISSUE_NUMBER }}
-          comment-author: 'grafana-delivery-bot[bot]'
-          body-includes: GitHub Actions Build
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ env.ISSUE_NUMBER }}
-          body: |
-            :rocket: Your submission is now being built and packaged.
-
-            - [GitHub Actions Build](https://github.com/grafana/grafana/actions/runs/${{ github.run_id }})
-            - Version: ${{ needs.setup.outputs.version }}
-          edit-mode: replace

.github/workflows/release-comms.yml

@@ -21,11 +21,6 @@ on:
     - 'main'
     - 'release-*.*.*'
 
-permissions:
-  contents: write
-  pull-requests: write
-  id-token: write
-
 jobs:
   setup:
     if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) }}
@@ -35,8 +30,6 @@ jobs:
       release_branch: ${{ steps.output.outputs.release_branch }}
       dry_run: ${{ steps.output.outputs.dry_run }}
       latest: ${{ steps.output.outputs.latest }}
-      private_key: ${{ steps.output.outputs.delivery_bot_pem }}
-      app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
     env:
       HEAD_REF: ${{ github.head_ref }}
       DRY_RUN: ${{ inputs.dry_run }}
@@ -46,58 +39,47 @@ jobs:
     steps:
     - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
       run: |
-        {
-        echo "VERSION=$(echo "${HEAD_REF}" | sed -e 's/release\/.*\//v/g')"
-        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}"
-        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}"
-        } >> "$GITHUB_ENV"
+        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
+        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
+        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
     - id: output
       run: |
         echo "dry_run: $DRY_RUN"
         echo "latest: $LATEST"
         echo "version: $VERSION"
 
-        {
-          echo "release_branch=$(echo "$VERSION" | sed -s 's/^v/release-/g')"
-          echo "dry_run=$DRY_RUN"
-          echo "latest=$LATEST"
-          echo "version=$VERSION"
-        } >> "$GITHUB_OUTPUT"
+        echo "release_branch=$(echo $VERSION | sed -s 's/^v/release-/g')" >> "$GITHUB_OUTPUT"
+        echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
+        echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
+        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
   create_next_release_branch_grafana:
     name: Create next release branch (Grafana)
     needs: setup
-    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana'
       source: ${{ needs.setup.outputs.release_branch }}
   create_next_release_branch_enterprise:
     name: Create next release branch (Grafana Enterprise)
     needs: setup
-    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana-enterprise'
       source: ${{ needs.setup.outputs.release_branch }}
-  create_security_branch_grafana:
-    name: Create security branch (Grafana Security Mirror)
-    needs: setup
-    uses: ./.github/workflows/create-security-branch.yml
-    with:
-      release_branch: ${{ needs.setup.outputs.release_branch }}
-      security_branch_number: "01"
-      repository: grafana/grafana-security-mirror
-  create_security_branch_enterprise:
-    name: Create security branch (Enterprise)
-    needs: setup
-    uses: ./.github/workflows/create-security-branch.yml
-    with:
-      release_branch: ${{ needs.setup.outputs.release_branch }}
-      security_branch_number: "01"
-      repository: grafana/grafana-enterprise
   migrate_prs_grafana:
     needs:
       - setup
       - create_next_release_branch_grafana
-    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana'
       from: ${{ needs.setup.outputs.release_branch }}
@@ -106,14 +88,20 @@ jobs:
     needs:
       - setup
       - create_next_release_branch_enterprise
-    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana-enterprise'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
   post_changelog_on_forum:
     needs: setup
-    uses: grafana/grafana/.github/workflows/community-release.yml@main
+    uses: ./.github/workflows/community-release.yml
+    secrets:
+      GRAFANA_MISC_STATS_API_KEY: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+      GRAFANABOT_FORUM_KEY: ${{ secrets.GRAFANABOT_FORUM_KEY }}
     with:
       version: ${{ needs.setup.outputs.version }}
       dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -122,7 +110,7 @@ jobs:
     # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API
     # endpoint.
     needs: setup
-    uses: grafana/grafana/.github/workflows/github-release.yml@main
+    uses: ./.github/workflows/github-release.yml
     with:
       version: ${{ needs.setup.outputs.version }}
       dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -135,5 +123,5 @@ jobs:
       VERSION: ${{ needs.setup.outputs.version }}
     steps:
     - run: |
-        echo announce on slack that "$VERSION" has been released
-        echo dry run: "$DRY_RUN"
+        echo announce on slack that $VERSION has been released
+        echo dry run: $DRY_RUN

.github/workflows/release-npm.yml

@@ -1,129 +0,0 @@
-name: Release NPM packages
-run-name: Publish NPM ${{ inputs.version_type }} ${{ inputs.version }}
-on:
-  workflow_call:
-    inputs:
-      grafana_commit:
-        description: 'Grafana commit SHA to build against'
-        required: true
-        type: string
-      version:
-        description: 'Version to publish as'
-        required: true
-        type: string
-      build_id:
-        description: 'Run ID from the original release-build workflow'
-        required: true
-        type: string
-      version_type:
-        description: 'Version type (canary, nightly, stable)'
-        required: true
-        type: string
-
-  workflow_dispatch:
-    inputs:
-      grafana_commit:
-        description: 'Grafana commit SHA to build against'
-        required: true
-      version:
-        description: 'Version to publish as'
-        required: true
-      build_id:
-        description: 'Run ID from the original release-build workflow'
-        required: true
-      version_type:
-        description: 'Version type (canary, nightly, stable)'
-        required: true
-
-permissions: {}
-
-jobs:
-  # If called with version_type 'canary' or 'stable', build + publish to NPM
-  # If called with version_type 'nightly', do nothing (we're not yet tagging them with the nightly tag)
-
-  publish:
-    name: Publish NPM packages
-    runs-on: github-hosted-ubuntu-x64-small
-    if: inputs.version_type == 'canary' || inputs.version_type == 'stable'
-    # Required for this workflow to have permission to publish NPM packages
-    environment: npm-publish
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Info
-        env:
-          GITHUB_REF: ${{ github.ref }}
-          GRAFANA_COMMIT: ${{ inputs.grafana_commit }}
-        run: |
-          echo "GRAFANA_COMMIT: $GRAFANA_COMMIT"
-          echo "github.ref: $GITHUB_REF"
-
-      - name: Checkout workflow ref
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          fetch-depth: 100
-          fetch-tags: false
-
-      # this will fail with "{commit} is not a valid commit" if the commit is valid but
-      # not in the last 100 commits.
-      - name: Verify commit is in workflow HEAD
-        env:
-          GIT_COMMIT: ${{ inputs.grafana_commit }}
-        run: ./.github/workflows/scripts/validate-commit-in-head.sh
-        shell: bash
-
-      - name: Map version type to NPM tag
-        id: npm-tag
-        env:
-          VERSION: ${{ inputs.version }}
-          VERSION_TYPE: ${{ inputs.version_type }}
-          REFERENCE_PKG: "@grafana/runtime"
-        run: |
-          TAG=$(./.github/workflows/scripts/determine-npm-tag.sh)
-          echo "NPM_TAG=$TAG" >> "$GITHUB_OUTPUT"
-        shell: bash
-
-      - name: Checkout build commit
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          ref: ${{ inputs.grafana_commit }}
-
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
-      # Trusted Publishing is only available in npm v11.5.1 and later
-      - name: Update npm
-        run: npm install -g npm@^11.5.1
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Typecheck packages
-        run: yarn run packages:typecheck
-
-      - name: Version, build, and pack packages
-        env:
-          VERSION: ${{ inputs.version }}
-        run: |
-          yarn run packages:build
-          yarn lerna version "$VERSION" \
-            --exact \
-            --no-git-tag-version \
-            --no-push \
-            --force-publish \
-            --yes
-          yarn run packages:pack
-
-      - name: Debug packed files
-        run: tree -a ./npm-artifacts
-
-      - name: Validate packages
-        run: ./scripts/validate-npm-packages.sh
-
-      - name: Publish packages
-        env:
-          NPM_TAG: ${{ steps.npm-tag.outputs.NPM_TAG }}
-        run: ./scripts/publish-npm-packages.sh --dist-tag "$NPM_TAG" --registry 'https://registry.npmjs.org/'

.github/workflows/release-pr.yml

@@ -15,19 +15,15 @@ on:
       version:
         required: true
         type: string
-        description: The version of Grafana that is being released (without the `v` prefix)`
+        description: The version of Grafana that is being released
       target:
+        required: true
+        type: string
+        description: The release branch pattern (eg v9.5.x) that these changes are being merged into
+      backport:
         required: false
         type: string
-        description: 'Unused: left here for backwards compatibility'
-      changelog:
-        required: false
-        type: boolean
-        default: true
-      bump:
-        required: false
-        type: boolean
-        default: true
+        description: Branch to backport these changes to
       dry_run:
         required: false
         default: false
@@ -36,63 +32,29 @@ on:
         required: false
         default: false
         type: boolean
-      release_date:
-        required: false
-        type: string
-        description: "Release date in format YYYY-MM-DD"
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  capture-date:
-    runs-on: ubuntu-latest
-    outputs:
-      release_date: ${{ steps.set_release_date.outputs.release_date }}
-    steps:
-      - name: compute_release_date
-        run: |
-          if [ -n "$DATE" ]; then
-            echo "release_date=$DATE" >> "$GITHUB_ENV"
-            exit 0
-          fi
-
-          echo "Fetching workflow run creation date..."
-          created_at=$(gh run view "$GITHUB_RUN_ID" --repo "$GH_REPO" --json createdAt -q .createdAt)
-          formatted_date=$(date -d "$created_at" +%Y-%m-%d)
-          echo "release_date=$formatted_date" >> "$GITHUB_ENV"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-          DATE: ${{ inputs.release_date }}
-
-      - id: set_release_date
-        run: echo "release_date=$release_date" >> "$GITHUB_OUTPUT"
-
   push-changelog-to-main:
-    needs: capture-date
     permissions:
       contents: write
-      id-token: write
       pull-requests: write
-
     name: Create PR to main to update the changelog
     uses: ./.github/workflows/changelog.yml
-    concurrency:
-      group: grafana-release-pr-update-changelog-main
-      cancel-in-progress: false
     with:
       previous_version: ${{inputs.previous_version}}
       version: ${{ inputs.version }}
       latest: ${{ inputs.latest }}
       dry_run: ${{ inputs.dry_run }}
       target: main
-      work_branch: changelog/update-changelog-${{ needs.capture-date.outputs.release_date }}
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
 
   create-prs:
     permissions:
       contents: write
-      id-token: write
       pull-requests: write
     name: Create Release PR
     runs-on: ubuntu-latest
@@ -102,62 +64,55 @@ jobs:
       LATEST: ${{ inputs.latest }}
       DRY_RUN: ${{ inputs.dry_run }}
     steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      - name: Get release branch
+        id: branch
+        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
         with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_changelog_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: "[\"grafana\", \"grafana-enterprise\"]"
-          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
-      - run: echo "RELEASE_BRANCH=release-${VERSION}" >> "$GITHUB_ENV"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ownerRepo: 'grafana/grafana'
+          pattern: ${{ inputs.target }}
       - name: Checkout Grafana
         uses: actions/checkout@v4
         with:
-          token: ${{ steps.generate_changelog_token.outputs.token }}
-          ref: ${{ env.RELEASE_BRANCH }}
+          ref: ${{ steps.branch.outputs.branch }}
           fetch-tags: true
-          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Checkout Grafana (main)
         uses: actions/checkout@v4
         with:
-          token: ${{ steps.generate_changelog_token.outputs.token }}
           ref: main
           fetch-depth: '0'
+          fetch-tags: 'false'
           path: .grafana-main
-
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
           node-version-file: .nvmrc
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
       - name: Configure git user
         run: |
-          git config --local user.name "grafana-delivery-bot[bot]"
-          git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
 
       - name: Create branch
-        run: git checkout -b "release/${{ github.run_number }}/$VERSION"
+        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
+      - name: Generate changelog token
+        id: generate_changelog_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Generate changelog
         id: changelog
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         uses: ./.grafana-main/.github/actions/changelog
         with:
-          previous: ${{inputs.previous_version}}
           github_token: ${{ steps.generate_changelog_token.outputs.token }}
           target: v${{ env.VERSION }}
           output_file: changelog_items.md
       - name: Patch CHANGELOG.md
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: |
           # Prepare CHANGELOG.md content with version delimiters
           (
@@ -189,44 +144,58 @@ jobs:
 
           git diff CHANGELOG.md
       - name: "Prettify CHANGELOG.md"
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: npx prettier --write CHANGELOG.md
       - name: Commit CHANGELOG.md changes
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
         run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
-      - name: Bump versions
-        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run -C .grafana-main ./pkg/build/actions/bump-version -version="patch"
 
-      - name: make gen-cue
-        shell: bash
-        run: make gen-cue
+      - name: Update package.json versions
+        uses: ./.grafana-main/pkg/build/actions/bump-version
+        with:
+          version: 'patch'
+
       - name: Add package.json changes
-        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
         run: |
           git add package.json lerna.json yarn.lock packages public
           test -e e2e/test-plugins && git add e2e/test-plugins
           git commit -m "Update version to $VERSION"
 
       - name: Git push
-        run: git push
-      - name: Create PR
+        if: ${{ inputs.dry_run }} != true
+        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
+
+      - name: Create PR without backports
+        if: "${{ inputs.backport == '' }}"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DRY_RUN: ${{ inputs.dry_run }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
         run: |
-          LATEST_FLAG=()
+          LATEST_FLAG=""
           if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG=(-l "release/latest")
+            LATEST_FLAG='-l "release/latest"'
           fi
           gh pr create \
-            "${LATEST_FLAG[@]}" \
+            $LATEST_FLAG \
             -l "no-changelog" \
             --dry-run="$DRY_RUN" \
-            -B "${RELEASE_BRANCH}" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"
+
+      - name: Create PR with backports
+        if: "${{ inputs.backport != '' }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "product-approved" \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
             --title "Release: $VERSION" \
             --body "These code changes must be merged after a release is complete"

.github/workflows/run-dashboard-search-e2e.yml

@@ -2,7 +2,7 @@ name: run-dashboard-search-e2e
 
 on:
   workflow_run:
-    workflows:
+    workflows: 
       - trigger-dashboard-search-e2e
     types:
       - completed
@@ -36,11 +36,11 @@ jobs:
       - run: go version
       - uses: actions/setup-node@v4
         with:
-          node-version-file: '.nvmrc'
+          node-version: 20
           cache: 'yarn'
       - name: Cache Node Modules
         id: cache-node-modules
-        uses: actions/cache@v4
+        uses: actions/cache@v3
         with:
           path: |
             node_modules
@@ -56,7 +56,7 @@ jobs:
           runTests: false
       - name: Cache Grafana Build and Dependencies
         id: cache-grafana
-        uses: actions/cache@v4
+        uses: actions/cache@v3
         with:
           path: |
             bin/
@@ -74,11 +74,9 @@ jobs:
 
       - name: Get list of .ini files
         id: get_files
-        env:
-          WORKSPACE: ${{ github.workspace }}
         run: |
-          INI_FILES="$(find "$WORKSPACE"/e2e/dashboards-search-suite/ -type f -name '*.ini' | jq -R -s -c 'split("\n")[:-1]')"
-          echo "ini_files=$INI_FILES" >> "$GITHUB_OUTPUT"
+          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
+          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
         shell: bash
 
   run_tests:
@@ -97,10 +95,8 @@ jobs:
       steps:
         - name: Checkout repository
           uses: actions/checkout@v4
-          with:
-            persist-credentials: false
         - name: Restore Cached Node Modules
-          uses: actions/cache@v4
+          uses: actions/cache@v3
           with:
             path: |
               node_modules
@@ -108,7 +104,7 @@ jobs:
             key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
 
         - name: Restore Cached Grafana Build and Dependencies
-          uses: actions/cache@v4
+          uses: actions/cache@v3
           with:
             path: |
               bin/
@@ -124,12 +120,11 @@ jobs:
           env:
             INI_NAME: ${{ matrix.ini_file }}
           run: |
-            FILE_NAME="$(basename "$INI_NAME" .ini)"
-            echo "FILE_NAME=$FILE_NAME" >> "$GITHUB_OUTPUT"
+            FILE_NAME=$(basename "$env.INI_NAME" .ini)
+            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
         - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
           env:
             INI_NAME: ${{ matrix.ini_file }}
-            WORKSPACE: ${{ github.workspace }}
           run: |
-            cp -rf "$INI_NAME" "$WORKSPACE"/scripts/grafana-server/custom.ini
+            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
             yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"

.github/workflows/run-e2e-suite.yml

@@ -0,0 +1,39 @@
+name: e2e suite
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        type: string
+        required: true
+      suite:
+        type: string
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.package }}
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
+      - name: Set suite name
+        id: set-suite-name
+        if: always()
+        env:
+          SUITE: ${{ inputs.suite }}
+        run: |
+          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
+          path: videos
+          retention-days: 1

.github/workflows/run-schema-v2-e2e.yml

@@ -6,7 +6,7 @@ on:
       - main
   pull_request:
     branches:
-      - '**'
+      - '**' 
 
 env:
   ARCH: linux-amd64
@@ -28,7 +28,7 @@ jobs:
       - run: go version
       - uses: actions/setup-node@v4
         with:
-          node-version-file: '.nvmrc'
+          node-version: 20
           cache: 'yarn'
       - name: Install dependencies
         run: yarn install --immutable
@@ -40,7 +40,7 @@ jobs:
           runTests: false
       - name: Run dashboard scenes e2e
         run: yarn e2e:schema-v2 || echo "Test failed but marking as success since schema V2 is behind a feature flag and should not block PRs"
-
+      
       - name: Always succeed # This is a workaround to make the job pass even if the previous step fails
         if: failure()
         run: exit 0

.github/workflows/scripts/create-security-branch/create-security-branch.sh

@@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# Construct the security branch name
-SECURITY_BRANCH="${INPUT_RELEASE_BRANCH}+security-${INPUT_SECURITY_BRANCH_NUMBER}"
-
-# Check if branch already exists
-if git show-ref --verify --quiet "refs/heads/${SECURITY_BRANCH}"; then
-    echo "::error::Security branch ${SECURITY_BRANCH} already exists"
-    exit 1
-fi
-
-# Create and push the new branch from the release branch
-git checkout "${INPUT_RELEASE_BRANCH}"
-git checkout -b "${SECURITY_BRANCH}"
-git push origin "${SECURITY_BRANCH}"
-
-# Output the branch name for the workflow
-echo "branch=${SECURITY_BRANCH}" >> "${GITHUB_OUTPUT}" 

.github/workflows/scripts/crowdin/create-tasks.js

@@ -0,0 +1,84 @@
+const crowdin = require('@crowdin/crowdin-api-client');
+const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
+
+const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
+if (!API_TOKEN) {
+  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
+  process.exit(1);
+}
+
+const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
+if (!PROJECT_ID) {
+  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
+  process.exit(1);
+}
+
+const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
+  token: API_TOKEN,
+  organization: 'grafana'
+});
+
+const languages = await getLanguages();
+const fileIds = await getFileIds();
+console.log('Languages: ', languages);
+console.log('File IDs: ', fileIds);
+
+// for (const language of languages) {
+//   const { name, id } = language;
+//   await createTask(`Translate to ${name}`, id, fileIds);
+// }
+
+async function getLanguages() {
+  try {
+    const project = await projectsGroupsApi.getProject(PROJECT_ID);
+    const languages = project.data.targetLanguages;
+    return languages;
+  } catch (error) {
+    console.error('Failed to fetch languages: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getFileIds() {
+  try {
+    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
+    const files = response.data;
+    const fileIds = files.map(file => file.data.id);
+    return fileIds;
+  } catch (error) {
+    console.error('Failed to fetch file IDs: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function createTask(title, languageId, fileIds) {
+  try {
+    const taskParams = {
+      title,
+      description: TRANSLATED_CONNECTOR_DESCRIPTION,
+      languageId,
+      type: 2, // Translation by vendor
+      workflowStepId: 78, // Translation step ID
+      skipAssignedStrings: true,
+      fileIds,
+    };
+
+    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
+
+    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
+    console.log(`Task created successfully! Task ID: ${response.data.id}`);
+    return response.data;
+  } catch (error) {
+    console.error('Failed to create Crowdin task: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}

.github/workflows/scripts/crowdin/create-tasks.ts

@@ -1,110 +0,0 @@
-import crowdinImport from '@crowdin/crowdin-api-client';
-const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
-const TRANSLATE_BY_VENDOR_WORKFLOW_TYPE = 'TranslateByVendor'
-
-// TODO Remove this type assertion when https://github.com/crowdin/crowdin-api-client-js/issues/508 is fixed
-// @ts-expect-error
-const crowdin = crowdinImport.default as typeof crowdinImport;
-
-const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
-if (!API_TOKEN) {
-  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
-  process.exit(1);
-}
-
-const PROJECT_ID = process.env.CROWDIN_PROJECT_ID ? parseInt(process.env.CROWDIN_PROJECT_ID, 10) : undefined;
-if (!PROJECT_ID) {
-  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
-  process.exit(1);
-}
-
-const credentials = {
-  token: API_TOKEN,
-  organization: 'grafana'
-};
-
-const { tasksApi, projectsGroupsApi, sourceFilesApi, workflowsApi } = new crowdin(credentials);
-
-const languages = await getLanguages(PROJECT_ID);
-const fileIds = await getFileIds(PROJECT_ID);
-const workflowStepId = await getWorkflowStepId(PROJECT_ID);
-
-for (const language of languages) {
-  const { name, id } = language;
-  await createTask(PROJECT_ID, `Translate to ${name}`, id, fileIds, workflowStepId);
-}
-
-async function getLanguages(projectId: number) {
-  try {
-    const project = await projectsGroupsApi.getProject(projectId);
-    const languages = project.data.targetLanguages;
-    console.log('Fetched languages successfully!');
-    return languages;
-  } catch (error) {
-    console.error('Failed to fetch languages: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getFileIds(projectId: number) {
-  try {
-    const response = await sourceFilesApi.listProjectFiles(projectId);
-    const files = response.data;
-    const fileIds = files.map(file => file.data.id);
-    console.log('Fetched file ids successfully!');
-    return fileIds;
-  } catch (error) {
-    console.error('Failed to fetch file IDs: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getWorkflowStepId(projectId: number) {
-  try {
-    const response = await workflowsApi.listWorkflowSteps(projectId);
-    const workflowSteps = response.data;
-    const workflowStepId = workflowSteps.find(step => step.data.type === TRANSLATE_BY_VENDOR_WORKFLOW_TYPE)?.data.id;
-    if (!workflowStepId) {
-      throw new Error(`Workflow step with type "${TRANSLATE_BY_VENDOR_WORKFLOW_TYPE}" not found`);
-    }
-    console.log('Fetched workflow step ID successfully!');
-    return workflowStepId;
-  } catch (error) {
-    console.error('Failed to fetch workflow step ID: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function createTask(projectId: number, title: string, languageId: string, fileIds: number[], workflowStepId: number) {
-  try {
-    const taskParams = {
-      title,
-      description: TRANSLATED_CONNECTOR_DESCRIPTION,
-      languageId,
-      workflowStepId,
-      skipAssignedStrings: true,
-      fileIds,
-    };
-
-    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
-
-    const response = await tasksApi.addTask(projectId, taskParams);
-    console.log(`Task created successfully! Task ID: ${response.data.id}`);
-    return response.data;
-  } catch (error) {
-    console.error('Failed to create Crowdin task: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}

.github/workflows/scripts/determine-npm-tag.sh

@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-fail() { echo "Error: $*" >&2; exit 1; }
-
-# Ensure required variables are set
-if [[ -z "${REFERENCE_PKG}" || -z "${VERSION_TYPE}" || -z "${VERSION}" ]]; then
-  fail "Missing required environment variables: REFERENCE_PKG, VERSION_TYPE, VERSION"
-fi
-
-semver_cmp () {
-  IFS='.' read -r -a arr_a <<< "$1"
-  IFS='.' read -r -a arr_b <<< "$2"
-
-  for i in 0 1 2; do
-    local aa=${arr_a[i]:-0}
-    local bb=${arr_b[i]:-0}
-    # shellcheck disable=SC2004
-    if (( 10#$aa > 10#$bb )); then echo gt; return 0; fi
-    if (( 10#$aa < 10#$bb )); then echo lt; return 0; fi
-  done
-
-  echo "eq"
-}
-
-
-STABLE_REGEX='^([0-9]+)\.([0-9]+)\.([0-9]+)$'       # x.y.z
-PRE_REGEX='^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+)$' # x.y.z-123456
-
-# Validate that the VERSION matches VERSION_TYPE
-# - stable must be x.y.z
-# - nightly/canary must be x.y.z-123456
-case "$VERSION_TYPE" in
-  stable)
-    [[ $VERSION =~ $STABLE_REGEX ]] || fail "For 'stable', version must match x.y.z" ;;
-  nightly|canary)
-    [[ $VERSION =~ $PRE_REGEX   ]] || fail "For '$VERSION_TYPE', version must match x.y.z-123456" ;;
-  *)
-    fail "Unknown version_type '$VERSION_TYPE'" ;;
-esac
-
-# Extract major, minor from VERSION
-IFS=.- read -r major minor patch _ <<< "$VERSION"
-
-# Determine NPM tag
-case "$VERSION_TYPE" in
-  canary)  TAG="canary" ;;
-  nightly) TAG="nightly" ;;
-  stable)
-    # Use npm dist-tag "latest" as the reference
-    LATEST="$(npm view --silent "$REFERENCE_PKG" dist-tags.latest 2>/dev/null || true)"
-    echo "Latest for $REFERENCE_PKG is ${LATEST:-<none>}" >&2
-
-    if [[ -z ${LATEST:-} ]]; then
-      TAG="latest"  # first ever publish
-    else
-      case "$(semver_cmp "$VERSION" "$LATEST")" in
-        gt)    TAG="latest" ;;                      # newer than reference -> latest
-        lt|eq) TAG="v${major}.${minor}-latest" ;;   # older or equal -> vX.Y-latest
-      esac
-    fi
-    ;;
-esac
-
-echo "Resolved NPM_TAG=$TAG (VERSION=$VERSION, current latest=${LATEST:-none})"  1>&2 # stderr
-printf '%s' "$TAG"