fix integration test

patch raw settings before parsing because DingDing's config parser does not know about secrets

.betterer.eslint.config.js

@@ -86,10 +86,6 @@ module.exports = [
               importNames: ['Layout', 'HorizontalGroup', 'VerticalGroup'],
               message: 'Use Stack component instead.',
             },
-            {
-              group: ['@grafana/ui/src/*', '@grafana/runtime/src/*', '@grafana/data/src/*'],
-              message: 'Import from the public export instead.',
-            },
           ],
         },
       ],

.bingo/Variables.mk

@@ -5,10 +5,6 @@ GOPATH ?= $(shell go env GOPATH)
 GOBIN  ?= $(firstword $(subst :, ,${GOPATH}))/bin
 GO     ?= $(shell which go)
 
-# Add this near the top of the file, after the initial variable definitions
-ifndef VARIABLES_MK
-VARIABLES_MK := 1
-
 # Below generated variables ensure that every time a tool under each variable is invoked, the correct version
 # will be used; reinstalling only if needed.
 # For example for bra variable:
@@ -27,12 +23,6 @@ $(BRA): $(BINGO_DIR)/bra.mod
 	@echo "(re)installing $(GOBIN)/bra-v0.0.0-20200517080246-1e3013ecaff8"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=bra.mod -o=$(GOBIN)/bra-v0.0.0-20200517080246-1e3013ecaff8 "github.com/unknwon/bra"
 
-COG := $(GOBIN)/cog-v0.0.15
-$(COG): $(BINGO_DIR)/cog.mod
-	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/cog-v0.0.15"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=cog.mod -o=$(GOBIN)/cog-v0.0.15 "github.com/grafana/cog/cmd/cli"
-
 CUE := $(GOBIN)/cue-v0.5.0
 $(CUE): $(BINGO_DIR)/cue.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
@@ -69,4 +59,3 @@ $(SWAGGER): $(BINGO_DIR)/swagger.mod
 	@echo "(re)installing $(GOBIN)/swagger-v0.30.6-0.20240310114303-db51e79a0e37"
 	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=swagger.mod -o=$(GOBIN)/swagger-v0.30.6-0.20240310114303-db51e79a0e37 "github.com/go-swagger/go-swagger/cmd/swagger"
 
-endif

.bingo/cog.mod

@@ -1,5 +0,0 @@
-module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
-
-go 1.23.4
-
-require github.com/grafana/cog v0.0.15 // cmd/cli

.bingo/variables.env

@@ -10,8 +10,6 @@ fi
 
 BRA="${GOBIN}/bra-v0.0.0-20200517080246-1e3013ecaff8"
 
-COG="${GOBIN}/cog-v0.0.15"
-
 CUE="${GOBIN}/cue-v0.5.0"
 
 DRONE="${GOBIN}/drone-v1.5.0"

.github/CODEOWNERS

@@ -57,6 +57,7 @@
 /go.work @grafana/grafana-app-platform-squad
 /go.work.sum @grafana/grafana-app-platform-squad
 /.bingo/ @grafana/grafana-backend-group
+/.citools @grafana/grafana-developer-enablement-squad
 /pkg/README.md @grafana/grafana-backend-group
 /pkg/ruleguard.rules.go @grafana/grafana-backend-group
 /.bra.toml @grafana/grafana-backend-group
@@ -67,9 +68,12 @@
 /hack/ @grafana/grafana-app-platform-squad
 
 /pkg/apis/provisioning @grafana/grafana-git-ui-sync-team
+/public/app/features/provisioning @grafana/grafana-git-ui-sync-team
 /pkg/registry/apis/provisioning @grafana/grafana-git-ui-sync-team
 
 /apps/alerting/ @grafana/alerting-backend
+/apps/dashboard/ @grafana/grafana-app-platform-squad @grafana/dashboards-squad
+/apps/folder/ @grafana/grafana-app-platform-squad
 /apps/playlist/ @grafana/grafana-app-platform-squad
 /apps/investigations/ @fcjack @matryer @svennergr
 /apps/advisor/ @grafana/plugins-platform-backend
@@ -77,6 +81,7 @@
 /pkg/apis/ @grafana/grafana-app-platform-squad
 /pkg/apis/query @grafana/grafana-datasources-core-services
 /pkg/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
+/pkg/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/bus/ @grafana/grafana-search-and-storage
 /pkg/cmd/ @grafana/grafana-backend-group
 /pkg/cmd/grafana-cli/commands/install_command.go @grafana/plugins-platform-backend
@@ -122,6 +127,7 @@
 /pkg/apimachinery/errutil/ @grafana/grafana-backend-group
 /pkg/promlib @grafana/oss-big-tent
 /pkg/storage/ @grafana/grafana-search-and-storage
+/pkg/storage/secret/ @grafana/grafana-operator-experience-squad
 /pkg/services/annotations/ @grafana/grafana-search-and-storage
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
@@ -132,6 +138,7 @@
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
 /pkg/services/encryption/ @grafana/grafana-operator-experience-squad
 /pkg/services/folder/ @grafana/grafana-search-and-storage
+/pkg/services/frontend/ @grafana/grafana-frontend-platform
 /pkg/services/apiserver @grafana/grafana-app-platform-squad
 /pkg/services/hooks/ @grafana/grafana-backend-group
 /pkg/services/kmsproviders/ @grafana/grafana-operator-experience-squad
@@ -312,6 +319,7 @@
 /Makefile @grafana/grafana-developer-enablement-squad
 /scripts/build/ @grafana/grafana-developer-enablement-squad
 /scripts/list-release-artifacts.sh @grafana/grafana-developer-enablement-squad
+/scripts/releasefinder.sh @baldm0mma
 /.trivyignore @grafana/grafana-backend-services-squad
 
 # OSS Plugin Partnerships backend code
@@ -380,12 +388,9 @@
 
 
 /crowdin.yml @grafana/grafana-frontend-platform
-/public/locales/ @grafana/grafana-frontend-platform
-/public/locales/de-DE @grafanabot
-/public/locales/es-ES @grafanabot
-/public/locales/fr-FR @grafanabot
-/public/locales/pt-BR @grafanabot
-/public/locales/zh-Hans @grafanabot
+/public/locales/ @grafanabot
+/public/locales/i18next-parser.config.cjs @grafana/grafana-frontend-platform
+/public/locales/i18next-parser-enterprise.config.cjs @grafana/grafana-frontend-platform
 /public/app/core/internationalization/ @grafana/grafana-frontend-platform
 /e2e/ @grafana/grafana-frontend-platform
 /e2e/cloud-plugins-suite/ @grafana/partner-datasources
@@ -420,7 +425,7 @@
 /packages/grafana-ui/src/components/PluginSignatureBadge/ @grafana/plugins-platform-frontend
 /packages/grafana-ui/src/components/Sparkline/ @grafana/grafana-frontend-platform @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/Table/ @grafana/dataviz-squad
-/packages/grafana-ui/src/components/Table/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
+/packages/grafana-ui/src/components/Table/Cells/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/uPlot/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/ValuePicker/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/VizLayout/ @grafana/dataviz-squad
@@ -431,6 +436,7 @@
 /packages/grafana-ui/src/graveyard/GraphNG/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
 /packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
+/packages/grafana-alerting/ @grafana/alerting-frontend
 
 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
@@ -458,7 +464,6 @@
 /stylelint.config.js @grafana/frontend-ops
 /tools/ @grafana/frontend-ops
 /lefthook.yml @grafana/frontend-ops
-/lefthook.rc @grafana/frontend-ops
 /.husky/pre-commit @grafana/frontend-ops
 /cypress.config.js @grafana/grafana-frontend-platform
 /.levignore.js @grafana/plugins-platform-frontend
@@ -500,9 +505,8 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
 /public/app/features/explore/ @grafana/observability-traces-and-profiling
-/public/app/features/expressions/ @grafana/observability-metrics
+/public/app/features/expressions/ @grafana/grafana-datasources-core-services
 /public/app/features/folders/ @grafana/grafana-frontend-platform
-/public/app/features/iam/ @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
 /public/app/features/invites/ @grafana/grafana-frontend-platform
 /public/app/features/library-panels/ @grafana/dashboards-squad
@@ -540,7 +544,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
 /public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
-/public/app/plugins/panel/graph/ @grafana/dataviz-squad
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
@@ -553,7 +556,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/status-history/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/cells/SparklineCellOptionsEditor.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
-/public/app/plugins/panel/table-old/ @grafana/dataviz-squad
 /public/app/plugins/panel/timeseries/ @grafana/dataviz-squad
 /public/app/plugins/panel/trend/ @grafana/dataviz-squad
 /public/app/plugins/panel/geomap/ @grafana/dataviz-squad
@@ -565,12 +567,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
-/public/app/plugins/sdk.ts @grafana/plugins-platform-frontend
 /public/app/routes/ @grafana/grafana-frontend-platform
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
 /public/app/types/unified-alerting-dto.ts @grafana/alerting-frontend
+/public/app/types/unified-alerting.ts @grafana/alerting-frontend
 /public/dashboards/ @grafana/dashboards-squad
 /public/gazetteer/ @ryantxu
 /public/img/ @grafana/grafana-frontend-platform
@@ -598,7 +600,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
 /public/openapi3.json @grafana/grafana-backend-group
-/public/app/angular/ @torkelo
 /public/app/app.ts @grafana/frontend-ops
 /public/app/dev.ts @grafana/frontend-ops
 /public/app/core/utils/metrics.ts @grafana/plugins-platform-frontend
@@ -620,7 +621,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/import_many_dashboards.sh @torkelo
 /scripts/mixin-check.sh @bergquist
 /scripts/openapi3/ @grafana/grafana-operator-experience-squad
-/scripts/prepare-packagejson.js @grafana/frontend-ops
+/scripts/prepare-npm-package.js @grafana/frontend-ops
 /scripts/protobuf-check.sh @grafana/plugins-platform-backend
 /scripts/stripnulls.sh @grafana/grafana-as-code
 /scripts/tag_release.sh @grafana/grafana-developer-enablement-squad
@@ -733,6 +734,7 @@ embed.go @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
 /pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
+/pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
 /pkg/registry/apps/advisor @grafana/plugins-platform-backend
 /pkg/codegen/ @grafana/grafana-as-code
@@ -754,13 +756,18 @@ embed.go @grafana/grafana-as-code
 /.github/pr-checks.json @tolzhabayev
 /.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
+/.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
+/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
+/.github/actions/setup-grafana-bench/ @Proximyst
 /.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
 /.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
+/.github/workflows/alerting-update-module.yml @grafana/alerting-backend
 /.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
+/.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
 /.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/close-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
@@ -771,26 +778,25 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/community-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/detect-breaking-changes-* @grafana/plugins-platform-frontend
 /.github/workflows/documentation-ci.yml @grafana/docs-tooling
-/.github/workflows/doc-validator.yml @grafana/docs-tooling
 /.github/workflows/deploy-pr-preview.yml @grafana/docs-tooling
-/.github/workflows/epic-add-to-platform-ux-parent-project.yml @meanmina
+/.github/workflows/feature-toggles-ci.yml @grafana/docs-tooling
 /.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
+/.github/workflows/lint-build-docs.yml @grafana/docs-tooling
 /.github/workflows/metrics-collector.yml @torkelo
-/.github/workflows/milestone.yml @tolzhabayev
 /.github/workflows/pr-checks.yml @tolzhabayev
-/.github/workflows/pr-codeql-analysis-go.yml @DanCech
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
-/.github/workflows/pr-patch-check.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/sync-mirror.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
+/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
+/.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
-/.github/workflows/remove-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/scripts/json-file-to-job-output.js @grafana/plugins-platform-frontend
 /.github/workflows/stale.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/update-changelog.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
 /.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
@@ -798,18 +804,29 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
 /.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
+/.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
+/.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
 /.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
+/.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
+/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
 /.github/workflows/changelog.yml @zserge
-/.github/workflows/actions/changelog @zserge
+/.github/actions/changelog @zserge
+/.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
+/.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
+/.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
+/.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
+/.github/zizmor.yml @grafana/grafana-developer-enablement-squad
 
 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot
@@ -828,3 +845,4 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/dashboards/ @grafana/dashboards-squad
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
+/conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team

.github/actions/setup-enterprise/action.yml

@@ -0,0 +1,48 @@
+name: 'Setup Grafana Enterprise'
+description: 'Clones and sets up Grafana Enterprise repository for testing'
+
+inputs:
+  github-app-name:
+    description: 'Name of the GitHub App in Vault'
+    required: false
+    default: 'grafana-ci-bot'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=${{ inputs.github-app-name }}:app-id
+          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
+          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+        repositories: "grafana-enterprise"
+        owner: "grafana"
+
+    - name: Setup Enterprise
+      shell: bash
+      env:
+        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+      run: |
+        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
+        
+        cd ../grafana-enterprise
+        
+        if git checkout ${GITHUB_HEAD_REF}; then
+          echo "checked out ${GITHUB_HEAD_REF}"
+        elif git checkout ${GITHUB_BASE_REF}; then
+          echo "checked out ${GITHUB_BASE_REF}"
+        else
+          git checkout main
+        fi
+        
+        ./build.sh

.github/actions/setup-grafana-bench/action.yml

@@ -0,0 +1,45 @@
+name: 'Setup Grafana Bench'
+description: 'Sets up and installs Grafana Bench'
+
+inputs:
+  github-app-name:
+    description: 'Name of the GitHub App in Vault'
+    required: false
+    default: 'grafana-ci-bot'
+  branch:
+    description: 'The branch to install from'
+    required: false
+    default: 'main'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=${{ inputs.github-app-name }}:app-id
+          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
+          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+        repositories: "grafana-bench"
+        owner: "grafana"
+
+    - name: Setup Bench
+      shell: bash
+      env:
+        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+        BRANCH: ${{ inputs.branch }}
+      run: |
+        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-bench.git ../grafana-bench
+
+        cd ../grafana-bench
+        git switch "$BRANCH"
+        go install .

.github/actions/test-coverage-processor/action.yml

@@ -0,0 +1,50 @@
+name: 'Go Coverage Processor'
+description: 'Process Go test coverage files and generate reports'
+
+inputs:
+  test-type:
+    description: 'Type of test (e.g., be-unit, be-integration)'
+    required: true
+    type: string
+  coverage-file:
+    description: 'Path to the Go coverage file (.cov)'
+    required: true
+    type: string
+  codecov-token:
+    description: 'Token for CodeCov (required for CodeCov reporting)'
+    required: false
+    default: ''
+  codecov-flag:
+    description: 'Flag to categorize the upload to CodeCov'
+    required: false
+    default: ''
+  codecov-name:
+    description: 'Custom name for the upload to CodeCov'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Process Go coverage output
+      shell: bash
+      env:
+        COVERAGE_FILE: ${{ inputs.coverage-file }}
+      run: |
+        # Ensure valid coverage file even if empty
+        if [ ! -s "$COVERAGE_FILE" ]; then
+          echo "Coverage file is empty, creating a minimal valid file"
+          echo "mode: set" > "$COVERAGE_FILE"
+        fi
+
+    - name: Report coverage to CodeCov
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
+      if: inputs.codecov-token != ''
+      with:
+        files: ${{ inputs.coverage-file }}
+        flags: ${{ inputs.codecov-flag || inputs.test-type }}
+        name: ${{ inputs.codecov-name || inputs.test-type }}
+        slug: grafana/grafana
+        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
+        url: https://codecov-webhook.grafana-dev.net
+        token: ${{ inputs.codecov-token }}

.github/dependabot.yml

@@ -8,7 +8,7 @@ updates:
     directories:
       - "/"
       - "/apps/playlist"
-      - "/apps/investigations"
+      - "/apps/investigation"
       - "/pkg/aggregator"
       - "/pkg/apimachinery"
       - "/pkg/apiserver"

.github/pr-commands.json

@@ -14,6 +14,7 @@
       "public/**/*",
       "packages/**/*",
       "e2e/**/*",
+      "plugins-bundled/**/*",
       "scripts/build/release-packages.sh",
       "scripts/circle-release-next-packages.sh",
       "scripts/ci-frontend-metrics.sh",
@@ -247,8 +248,7 @@
       "/pkg/services/sqlstore/migrations/ualert/**/*",
       "/pkg/services/alerting/**/*",
       "/public/app/features/alerting/**/*",
-      "/pkg/tests/api/alerting/**/*",
-      "/pkg/tests/alertmanager/**/*"
+      "/pkg/tests/api/alerting/**/*"
     ],
     "action": "updateLabel",
     "addLabel": "area/alerting"
@@ -437,4 +437,4 @@
     "action": "updateLabel",
     "addLabel": "area/panel/table"
   }
-]
+]

.github/renovate.json5

@@ -13,12 +13,13 @@
     "slate-react", // we don't want to continue using this on the long run, use Monaco editor instead of Slate
     "@types/slate-react", // we don't want to continue using this on the long run, use Monaco editor instead of Slate
     "@types/slate", // we don't want to continue using this on the long run, use Monaco editor instead of Slate
+    "storybook-dark-mode", // 4.0.2 causes storybook 8.4 to break with react hooks errors
     // Temporarily pause updating lerna and nx until we resolve build issues
     "lerna",
     "nx"
   ],
   includePaths: ["package.json", "packages/**", "public/app/plugins/**"],
-  ignorePaths: ["emails/**", "**/mocks/**"],
+  ignorePaths: ["emails/**", "plugins-bundled/**", "**/mocks/**"],
   labels: ["area/frontend", "dependencies", "no-changelog"],
   postUpdateOptions: ["yarnDedupeHighest"],
   packageRules: [

.github/workflows/alerting-swagger-gen.yml

@@ -13,15 +13,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Set go version
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
         with:
           go-version-file: go.mod
       - name: Build swagger
         run: |
           make -C pkg/services/ngalert/api/tooling post.json api.json
       - name: Open Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "chore: update alerting swagger spec"
@@ -34,4 +35,3 @@ jobs:
           labels: 'area/alerting,type/docs,no-changelog'
           team-reviewers: 'grafana/alerting-backend'
           draft: false
-

.github/workflows/alerting-update-module.yml

@@ -0,0 +1,137 @@
+name: Update Alerting Module
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-grafana:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4 # 4.2.2
+        with:
+          persist-credentials: false
+      - name: Check if update branch exists
+        run: |
+          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
+            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
+            echo "Please review and merge/close the existing PR before running this workflow again."
+            exit 1
+          fi
+
+      - name: Setup Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
+        with:
+          "go-version-file": "go.mod"
+
+      - name: Extract current commit hash of alerting module
+        id: current-commit
+        run: |
+          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
+          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Get current branch name
+        id: current-branch-name
+        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+
+      - name: Get latest commit
+        id: latest-commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BRANCH="${{ steps.current-branch-name.outputs.name }}"
+          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
+           if [ -z "$TO_COMMIT" ]; then
+            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
+            exit 1
+          fi
+          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Compare commit hashes
+        run: |
+          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
+          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
+          
+          # Compare just the length of the shorter hash
+          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
+          
+          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
+            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
+            exit 0
+          fi
+          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
+
+      - name: Check for commit history
+        id: check-commits
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # get all commits that contains 'Alerting:' in the message          
+          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
+            --jq '.commits[].commit.message | split("\n")[0]') || true
+          
+          # Use printf instead of echo -e for better multiline handling
+          printf "%s\n" "$ALERTING_COMMITS"
+          
+          # make the list for markdown and replace PR numbers with links
+          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
+          
+          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
+          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Update alerting module
+        env:
+          GOSUMDB: off
+        run: |
+          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
+          make update-workspace
+
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=alerting-team:app-id
+            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
+
+      - name: "Generate token"
+        id: generate_token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
+        id: create-pr
+        with:
+          token: '${{ steps.generate_token.outputs.token }}'
+          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
+          branch: alerting/update-alerting-module
+          delete-branch: true
+          body: |
+            Updates Grafana Alerting module to latest version.
+
+            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
+            <details>
+            <summary>Commits</summary>
+            
+            ${{ steps.check-commits.outputs.alerting_commits }}
+
+            </details>
+
+            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+      - name: Add PR URL to Summary
+        if: steps.create-pr.outputs.pull-request-url != ''
+        run: |
+          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
+          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY

.github/workflows/analytics-events-report.yml

@@ -0,0 +1,25 @@
+name: Analytics Events Report
+
+on:
+  workflow_dispatch:
+
+jobs:
+  generate-report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Generate analytics report
+        run: yarn analytics-report

.github/workflows/auto-milestone.yml

@@ -21,7 +21,7 @@ jobs:
       # Note: Github will not trigger other actions from this because it uses
       # the GITHUB_TOKEN token
       - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main
+        uses: grafana/grafana-github-actions-go/auto-milestone@d4c452f92ed826d515dccf1f62923e537953acd8 # main
         with:
           pr: ${{ github.event.pull_request.number }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/auto-triager/labels.txt

@@ -32,9 +32,7 @@ area/dashboard/tv
 area/dashboard/variable
 area/dashboards/panel
 area/data/export
-area/editor
 area/explore
-area/exploremetrics
 area/expressions
 area/field/overrides
 area/frontend/library-panels
@@ -43,6 +41,7 @@ area/image-rendering
 area/internationalization
 area/legend
 area/library-panel
+area/metricsdrilldown
 area/navigation
 area/panel/annotation-list
 area/panel/barchart

.github/workflows/backend-code-checks.yml

@@ -0,0 +1,73 @@
+name: Backend Code Checks
+
+on:
+  pull_request:
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  validate-configs:
+    name: Validate Backend Configs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
+          # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
+          # This ensures the GHAs environment matches what we use in the Drone pipeline
+          go-version: 1.24.1
+          cache: true
+
+      - name: Verify code generation
+        run: |
+          CODEGEN_VERIFY=1 make gen-cue
+          CODEGEN_VERIFY=1 make gen-jsonnet
+      
+      - name: Validate go.mod
+        run: go run scripts/modowners/modowners.go check go.mod
+
+      # Enterprise setup is needed for complete OpenAPI spec generation
+      # We only do this for internal PRs
+      - name: Setup Grafana Enterprise
+        if: github.event.pull_request.head.repo.fork == false
+        uses: ./.github/actions/setup-enterprise
+        
+      - name: Generate and Validate OpenAPI Specs
+        run: |
+          # For PRs from forks, we'll just run the basic swagger-gen without validation
+          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            echo "PR is from a fork, skipping enterprise-based validation"
+            make swagger-gen
+            exit 0
+          fi
+          
+          # Clean and regenerate OpenAPI specs
+          make swagger-clean && make openapi3-gen
+          
+          # Check if the generated specs differ from what's in the repository
+          for f in public/api-merged.json public/openapi3.json; do git add $f; done
+          if [ -z "$(git diff --name-only --cached)" ]; then
+            echo "OpenAPI specs are up to date!"
+          else
+            echo "OpenAPI specs are OUT OF DATE!"
+            git diff --cached
+            echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
+            exit 1
+          fi

.github/workflows/backend-unit-tests.yml

@@ -0,0 +1,71 @@
+name: Backend Unit Tests
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+  push:
+    branches:
+      - main
+      - release-*.*.*
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+permissions: {}
+
+jobs:
+  grafana:
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
+    # the `pr-backend-unit-tests-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Grafana
+    runs-on: ubuntu-latest-8-cores
+    continue-on-error: true
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: make test-go-unit
+
+  grafana-enterprise:
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Grafana Enterprise
+    runs-on: ubuntu-latest-8-cores
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Setup Enterprise
+        uses: ./.github/actions/setup-enterprise
+        with:
+          github-app-name: 'grafana-ci-bot'
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: make test-go-unit

.github/workflows/backport.yml

@@ -5,23 +5,28 @@ on:
       - closed
       - labeled
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   main:
     if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/checkout@v4 # 4.2.2
         with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - run: git config --global user.email '132647405+grafana-delivery-bot[bot]@users.noreply.github.com'
-      - run: git config --global user.name 'grafana-delivery-bot[bot]'
-      - run: git remote set-url origin "https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/grafana.git"
+          persist-credentials: false
+      - run: git config --local user.name "github-actions[bot]"
+      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
+      - run: git config --local --add --bool push.autoSetupRemote true
+      - name: Set remote URL
+        env:
+          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
       - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@main
+        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
         with:
-          token: ${{ steps.generate_token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/bump-version.yml

@@ -11,33 +11,37 @@ on:
       dry_run:
         default: false
         required: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  main:
+  bump-version:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Grafana
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Update package.json versions
         uses: ./pkg/build/actions/bump-version
         with:
           version: ${{ inputs.version }}
-      - if: ${{ inputs.push }}
-        name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - if: ${{ inputs.push }}
         name: Push & Create PR
+        env:
+          VERSION: ${{ inputs.version }}
+          DRY_RUN: ${{ inputs.dry_run }}
+          REF_NAME: ${{ github.ref_name }}
+          RUN_ID: ${{ github.run_id }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config --local user.name "github-actions[bot]"
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
-          git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}"
+          git checkout -b "bump-version/${RUN_ID}/${VERSION}"
           git add .
-          git commit -m "bump version ${{ inputs.version }}"
+          git commit -m "bump version ${VERSION}"
           git push
-          gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}"
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"

.github/workflows/changelog.yml

@@ -51,15 +51,21 @@ on:
         default: false
         type: boolean
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   main:
+    env:
+      RUN_ID: ${{ github.run_id }}
+      VERSION: ${{ inputs.version }}
+      PREVIOUS_VERISON: ${{ inputs.previous_version }}
+      TARGET: ${{ inputs.target }}
+      DRY_RUN: ${{ inputs.dry_run }}
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       contents: write
+      pull-requests: write
     steps:
       - name: "Generate token"
         id: generate_token
@@ -79,6 +85,7 @@ jobs:
             .prettierrc.js
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -89,10 +96,10 @@ jobs:
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
       - name: "Create branch"
-        run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}"
+        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
       - name: "Generate changelog"
         id: changelog
-        uses: ./.github/workflows/actions/changelog
+        uses: ./.github/actions/changelog
         with:
           previous: ${{ inputs.previous_version }}
           github_token: ${{ steps.generate_token.outputs.token }}
@@ -103,24 +110,24 @@ jobs:
           # Prepare CHANGELOG.md content with version delimiters
           (
             echo
-            echo "# ${{ inputs.version}} ($(date '+%F'))"
+            echo "# ${VERSION} ($(date '+%F'))"
             echo
             cat changelog_items.md
           ) > CHANGELOG.part
 
           # Check if a version exists in the changelog
-          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
+          if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
             # Replace the content between START and END delimiters
-            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
+            echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
+            sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
+                   -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
           else
             # Prepend changelog part to the main changelog file
-            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
+            echo "Version $VERSION not found in the CHANGELOG.md"
             (
-              echo "<!-- ${{ inputs.version }} START -->"
+              echo "<!-- ${VERSION} START -->"
               cat CHANGELOG.part
-              echo "<!-- ${{ inputs.version }} END -->"
+              echo "<!-- ${VERSION} END -->"
               cat CHANGELOG.md
             ) > CHANGELOG.tmp
             mv CHANGELOG.tmp CHANGELOG.md
@@ -138,11 +145,11 @@ jobs:
       - name: "Create changelog PR"
         run: >
           gh pr create \
-            --dry-run=${{ inputs.dry_run }} \
+            --dry-run=${DRY_RUN} \
             --label "no-backport" \
             --label "no-changelog" \
-            -B "${{ inputs.target }}" \
-            --title "Release: update changelog for ${{ inputs.version }}" \
-            --body "Changelog changes for release ${{ inputs.version }}"
+            -B "${TARGET}" \
+            --title "Release: update changelog for ${VERSION}" \
+            --body "Changelog changes for release ${VERSION}"
         env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/close-milestone.yml

@@ -1,44 +0,0 @@
-name: Close milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: Needs to match, exactly, the name of a milestone
-  workflow_call:
-    inputs:
-      version_call:
-        description: Needs to match, exactly, the name of a milestone
-        required: true
-        type: string
-
-jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Close milestone (manually invoked)
-        if: ${{ github.event.inputs.version != '' }}
-        uses: ./actions/close-milestone
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Close milestone (workflow invoked)
-        if: ${{ inputs.version_call != '' }}
-        uses: ./actions/close-milestone
-        with:
-          version_call: ${{ inputs.version_call }}
-          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/codeowners-validator.yml

@@ -10,8 +10,10 @@ jobs:
     steps:
       # Checks-out your repository, which is validated in the next step
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: GitHub CODEOWNERS Validator
-        uses: mszostok/codeowners-validator@v0.7.4
+        uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
         # input parameters
         with:
           # ==== GitHub Auth ====

.github/workflows/codeql-analysis.yml

@@ -3,18 +3,19 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: "CodeQL checks"
 
 on:
   workflow_dispatch:
   push:
-    branches: [main, v1.8.x, v2.0.x, v2.1.x, v2.6.x, v3.0.x, v3.1.x, v4.0.x, v4.1.x, v4.2.x, v4.3.x, v4.4.x, v4.5.x, v4.6.x, v4.7.x, v5.0.x, v5.1.x, v5.2.x, v5.3.x, v5.4.x, v6.0.x, v6.1.x, v6.2.x, v6.3.x, v6.4.x, v6.5.x, v6.6.x, v6.7.x, v7.0.x, v7.1.x, v7.2.x]
+    branches: ['**'] # run on all branches
     paths-ignore:
       - '**/*.cue'
       - '**/*.json'
       - '**/*.md'
       - '**/*.txt'
       - '**/*.yml'
+      - pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
   schedule:
     - cron: '0 4 * * 6'
 
@@ -25,6 +26,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    continue-on-error: true # doesn't block PRs from being merged if this fails
     if: github.repository == 'grafana/grafana'
 
     strategy:
@@ -43,16 +45,17 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     - if: matrix.language == 'go'
       name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -67,4 +70,4 @@ jobs:
         make build-go
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/commands.yml

@@ -12,9 +12,7 @@ on:
 concurrency:
   group: issue-commands-${{ github.event.issue.number }}
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   config:
@@ -34,10 +32,13 @@ jobs:
     needs: config
     if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: "Get vault secrets"
         id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
@@ -52,11 +53,12 @@ jobs:
           private_key: ${{ env.GH_APP_PEM }}
 
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
 
       - name: Install Actions
         run: npm install --production --prefix ./actions

.github/workflows/community-release.yml

@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main
+        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}

.github/workflows/core-plugins-build-and-release.yml

@@ -33,6 +33,8 @@ permissions:
 
 jobs:
   build-and-publish:
+    env:
+      PLUGIN_ID: ${{ inputs.plugin_id }}
     name: Build and publish ${{ inputs.plugin_id }}
     runs-on: ubuntu-latest
     outputs:
@@ -42,11 +44,13 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Verify inputs
         run: |
-          if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
       - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
           repo_secrets: |
@@ -54,11 +58,11 @@ jobs:
             PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
             PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
       - name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
         with:
           credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
       - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -70,7 +74,7 @@ jobs:
         run: |
           dir=$(dirname \
             $(egrep -lir --include=plugin.json --exclude-dir=dist \
-              '"id": "${{ inputs.plugin_id }}"' \
+              '"id": "${PLUGIN_ID}"' \
               public/app/plugins \
             ) \
           )
@@ -85,19 +89,19 @@ jobs:
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
           [ ! -d ./bin ] && mkdir -pv ./bin || true
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
           chmod 0755 ./bin/grabpl
       - name: Check backend
         id: check_backend
         shell: bash
         run: |
-          if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then
+          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
             echo "has_backend=true" >> $GITHUB_OUTPUT
           else
             echo "has_backend=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup golang environment
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
         if: steps.check_backend.outputs.has_backend == 'true'
         with:
           go-version-file: go.mod
@@ -151,7 +155,7 @@ jobs:
             # Release branch, do not add commit hash to version
             command="plugin:build"
           fi
-          yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}"
+          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
           version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
           echo "version=${version}" >> $GITHUB_OUTPUT
       - name: build:backend
@@ -160,7 +164,7 @@ jobs:
         env:
           VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
-          make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }}
+          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
       - name: package
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
@@ -175,7 +179,7 @@ jobs:
           VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
           api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            '${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \
+            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
             -H 'accept: application/json')
           api_res_code=$(echo $api_res | jq -r .code)
           if [ "$api_res_code" = "NotFound" ]; then
@@ -197,10 +201,10 @@ jobs:
         run: |
           echo "Publish release to Google Cloud Storage:"
           touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows
-          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux 
-          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin
-          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any
+          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
+          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
+          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
+          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
       - name: Publish new plugin version on grafana.com
         if: steps.check_backend.outputs.has_backend == 'true'
         working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -214,27 +218,27 @@ jobs:
             \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
             \"download\": {
               \"linux-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
               },
               \"linux-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
               },
               \"linux-arm\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
               },
               \"windows-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
               },
               \"darwin-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
               },
               \"darwin-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
                 \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
               }
             }
@@ -257,7 +261,7 @@ jobs:
             \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
             \"download\": {
               \"any\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
                 \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
               }
             }

.github/workflows/create-next-release-branch.yml

@@ -11,7 +11,9 @@ on:
         type: string
         required: true
     secrets:
-      token:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
         required: true
     outputs:
       branch:
@@ -26,7 +28,9 @@ on:
         type: string
         required: true
     secrets:
-      token:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
         required: true
 jobs:
   main:
@@ -34,10 +38,16 @@ jobs:
     outputs:
       branch: ${{ steps.branch.outputs.branch }}
     steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Create release branch
         id: branch
-        uses: grafana/grafana-github-actions-go/bump-release@main
+        uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
         with:
           ownerRepo: ${{ inputs.ownerRepo }}
           source: ${{ inputs.source }}
-          token: ${{ secrets.token }}
+          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/create-security-patch-from-security-mirror.yml

@@ -17,7 +17,7 @@ on:
 jobs:
   trigger_downstream_create_security_patch:
     concurrency: create-patch-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
+    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
     if: github.repository == 'grafana/grafana-security-mirror'
     with:
       repo: "${{ github.repository }}"
@@ -25,5 +25,4 @@ jobs:
       patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
       patch_repo: "grafana/grafana-security-patches"
       patch_prefix: "${{ github.event.pull_request.number }}"
-    secrets: inherit
-
+    secrets: inherit # zizmor: ignore[secrets-inherit]

.github/workflows/dashboards-issue-add-label.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       - name: "Get vault secrets"
         id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
@@ -38,11 +38,13 @@ jobs:
       - name: Check if issue is in target project
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
         run: |
           gh api graphql -f query='
             query($org: String!, $repo: String!) {
               repository(name: $repo, owner: $org) {
-                issue (number: ${{ github.event.issue.number }}) {
+                issue (number: $ISSUE_NUMBER) {
                   id
                   projectItems(first:20) {
                     nodes {
@@ -55,12 +57,14 @@ jobs:
               }
             }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
 
-            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.TARGET_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
             echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
       - name: Set up label array
         if: env.IN_TARGET_PROJ
+        env:
+          LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
-          IFS=',' read -ra LABEL_IDs <<< "${{ env.LABEL_IDs }}"
+          IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
           for item in "${LABEL_IDs[@]}"; do
             echo "Item: $item"
           done
@@ -68,6 +72,7 @@ jobs:
         if: env.IN_TARGET_PROJ
         env:
           GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
           gh api graphql -f query='
             mutation ($labelableId: ID!, $labelIds: [ID!]!) {
@@ -76,4 +81,4 @@ jobs:
               ) {
                   clientMutationId
               }
-            }' -f labelableId=$ITEM_ID -f labelIds=${{ env.LABEL_IDs }}
+            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS

.github/workflows/deploy-pr-preview.yml

@@ -11,14 +11,21 @@ on:
 
 jobs:
   deploy-pr-preview:
-    if: ${{ ! github.event.pull_request.head.repo.fork }}
-    uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main
+    if: "!github.event.pull_request.head.repo.fork"
+    uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
     with:
-      sha: ${{ github.event.pull_request.head.sha }}
       branch: ${{ github.head_ref }}
       event_number: ${{ github.event.number }}
-      title: ${{ github.event.pull_request.title }}
       repo: grafana
-      website_directory: content/docs/grafana/latest
-      relative_prefix: /docs/grafana/latest/
-      index_file: true
+      sha: ${{ github.event.pull_request.head.sha }}
+      sources: |
+        [
+          {
+            "index_file": "content/docs/grafana/_index.md",
+            "relative_prefix": "/docs/grafana/latest/",
+            "repo": "grafana",
+            "source_directory": "docs/sources",
+            "website_directory": "content/docs/grafana/latest"
+          }
+        ]
+      title: ${{ github.event.pull_request.title }}

.github/workflows/detect-breaking-changes-levitate.yml

@@ -6,9 +6,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 on:
   pull_request:
@@ -24,11 +22,15 @@ jobs:
     defaults:
       run:
         working-directory: './pr'
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           path: './pr'
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: 22.11.0
@@ -67,6 +69,9 @@ jobs:
   buildBase:
     name: Build Base packages artifacts
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     defaults:
       run:
         working-directory: './base'
@@ -145,14 +150,14 @@ jobs:
         run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
 
       - id: 'auth'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
         with:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.LEVITATE_SA }}
           project_id: 'grafanalabs-global'
 
       - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
         with:
           version: '>= 363.0.0'
           project_id: 'grafanalabs-global'
@@ -180,6 +185,9 @@ jobs:
     name: Report breaking changes in PR comment
     runs-on: ubuntu-latest
     needs: ['Detect']
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: "Generate token"
@@ -238,7 +246,7 @@ jobs:
       # Comment on the PR
       - name: Comment on PR
         if: steps.levitate-run.outputs.exit_code == 1
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
         with:
           header: levitate-breaking-change-comment
           number: ${{ github.event.pull_request.number }}
@@ -255,7 +263,7 @@ jobs:
       # Remove comment from the PR (no more breaking changes)
       - name: Remove comment from PR
         if: steps.levitate-run.outputs.exit_code == 0
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
         with:
           header: levitate-breaking-change-comment
           number: ${{ github.event.pull_request.number }}

.github/workflows/doc-validator.yml

@@ -1,26 +0,0 @@
-name: "doc-validator"
-on:
-  workflow_dispatch:
-    inputs:
-      include:
-        description: |
-          Regular expression that matches paths to include in linting.
-
-          For example: docs/sources/(?:alerting|fundamentals)/.+\.md
-        required: true
-jobs:
-  doc-validator:
-    runs-on: "ubuntu-latest"
-    container:
-      image: "grafana/doc-validator:v5.2.0"
-    steps:
-      - name: "Checkout code"
-        uses: "actions/checkout@v4"
-      - name: "Run doc-validator tool"
-        # Only run doc-validator on specific directories.
-        run: >
-          doc-validator
-          '--include=${{ inputs.include }}'
-          '--skip-checks=^(?:image.+|canonical-does-not-match-pretty-URL)$'
-          ./docs/sources
-          /docs/grafana/latest

.github/workflows/documentation-ci.yml

@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           persist-credentials: false
-      - uses: grafana/writers-toolkit/vale-action@vale-action/v1
+      - uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
         with:
-          filter: '.Name in ["Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
+          filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ephemeral-instances-pr-comment.yml

@@ -47,6 +47,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
           ref: main
           path: ephemeral
+          persist-credentials: false
 
       - name: build and deploy ephemeral instance
         uses: ./ephemeral

.github/workflows/epic-add-to-platform-ux-parent-project.yml

@@ -1,149 +0,0 @@
-name: When epic issues changed in Platform UX squad projects, check if epic is part of specified child projects and update on Platform UX parent project
-
-on:
-  issues:
-    types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
-    labels:
-      - 'type/epic'
-
-env:
-  GH_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
-  ORGANIZATION: ${{ github.repository_owner }}
-  REPO: ${{ github.event.repository.name }}
-  PARENT_PROJECT: 304
-  CHILD_PROJECT_1: 78
-  CHILD_PROJECT_2: 111
-  CHILD_PROJECT_3: 202
-
-concurrency:
-  group: issue-add-to-parent-project-${{ github.event.number }}
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_PROJECTS_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets && contains(github.event.issue.labels.*.name, 'type/epic')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check if issue is in child or parent projects
-        run: |
-          gh api graphql -f query='
-            query($org: String!, $repo: String!) {
-              repository(name: $repo, owner: $org) {
-                issue (number: ${{ github.event.issue.number }}) {
-                  projectItems(first:20) {
-                    nodes {
-                      id,
-                      project {
-                        number,
-                        title
-                      },
-                      fieldValueByName(name:"Status") {
-                        ... on ProjectV2ItemFieldSingleSelectValue {
-                          optionId
-                          name
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
-
-            echo 'IN_PARENT_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
-            echo 'PARENT_PROJ_STATUS_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | select(.fieldValueByName != null) | .fieldValueByName.optionId' projects_data.json) >> $GITHUB_ENV
-            echo 'ITEM_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .id' projects_data.json) >> $GITHUB_ENV
-            echo 'IN_CHILD_PROJ='$(jq 'first(.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | .project != null)' projects_data.json) >> $GITHUB_ENV
-            echo 'CHILD_PROJ_STATUS='$(jq -r '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | select(.fieldValueByName != null) | .fieldValueByName.name' projects_data.json) >> $GITHUB_ENV
-      - name: Get parent project project data
-        if: env.IN_CHILD_PROJ
-        run: |
-          gh api graphql -f query='
-            query($org: String!, $number: Int!) {
-              organization(login: $org){
-                projectV2(number: $number) {
-                  id
-                  fields(first:20) {
-                    nodes {
-                      ... on ProjectV2Field {
-                        id
-                        name
-                      }
-                      ... on ProjectV2SingleSelectField {
-                        id
-                        name
-                        options {
-                          id
-                          name
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            }' -f org=$ORGANIZATION -F number=$PARENT_PROJECT > project_data.json
-
-          echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
-          echo 'STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' project_data.json) >> $GITHUB_ENV
-          echo 'TODO_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Todo") |.id' project_data.json) >> $GITHUB_ENV
-          echo 'PROGRESS_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="In Progress") |.id' project_data.json) >> $GITHUB_ENV
-          echo 'DONE_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Done") |.id' project_data.json) >> $GITHUB_ENV
-      - name: Add issue to parent project
-        if: env.IN_CHILD_PROJ && !env.IN_PARENT_PROJ
-        run: |
-          item_id="$( gh api graphql -f query='
-            mutation($project:ID!, $issue:ID!) {
-              addProjectV2ItemById(input: {projectId: $project, contentId: $issue}) {
-                item {
-                  id
-                }
-              }
-            }' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
-
-            echo 'ITEM_ID='$item_id >> $GITHUB_ENV
-      - name: Set parent project status Done
-        if: contains(env.CHILD_PROJ_STATUS, 'Done')
-        run: |
-          echo 'OPTION_ID='$DONE_OPTION_ID >> $GITHUB_ENV
-      - name: Set parent project status In Progress
-        if: contains(env.CHILD_PROJ_STATUS, 'In ') || contains(env.CHILD_PROJ_STATUS, 'Blocked')
-        run: |
-          echo 'OPTION_ID='$PROGRESS_OPTION_ID >> $GITHUB_ENV
-      - name: Set parent project status To do
-        if: env.CHILD_PROJ_STATUS && !contains(env.CHILD_PROJ_STATUS, 'In ') && !contains(env.CHILD_PROJ_STATUS, 'Blocked') && ! contains(env.CHILD_PROJ_STATUS, 'Done')
-        run: |
-          echo 'OPTION_ID='$TODO_OPTION_ID >> $GITHUB_ENV
-      - name: Set issue status in parent project
-        if: env.OPTION_ID && (env.OPTION_ID != env.PARENT_PROJ_STATUS_ID)
-        run: |
-          gh api graphql -f query='
-            mutation (
-              $project: ID!
-              $item: ID!
-              $status_field: ID!
-              $status_value: String!
-            ) {
-              set_status: updateProjectV2ItemFieldValue(input: {
-                projectId: $project
-                itemId: $item
-                fieldId: $status_field
-                value: {
-                  singleSelectOptionId: $status_value
-                  }
-              }) {
-                projectV2Item {
-                  id
-                  }
-              }
-            }' -f project=$PROJECT_ID -f item=$ITEM_ID -f status_field=$STATUS_FIELD_ID -f status_value=${{ env.OPTION_ID }} --silent

.github/workflows/feature-toggles-ci.yml

@@ -0,0 +1,25 @@
+name: Feature toggles CI
+
+on:
+  pull_request:
+    paths:
+      - 'pkg/services/featuremgmt/toggles_gen_test.go'
+      - 'pkg/services/featuremgmt/registry.go'
+      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run feature toggle tests
+        run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/

.github/workflows/frontend-lint.yml

@@ -0,0 +1,133 @@
+name: Lint Frontend
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+permissions: {}
+
+jobs:
+  lint-frontend-verify-i18n:
+    name: Verify i18n
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: |
+        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
+        make i18n-extract || (echo "${extract_error_message}" && false)
+    - run: |
+        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
+        file_diff=$(git diff --dirstat public/locales)
+        if [ -n "$file_diff" ]; then
+            echo $file_diff
+            echo "${uncommited_error_message}"
+            exit 1
+        fi
+  lint-frontend-prettier:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-prettier-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-prettier-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-typecheck:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-typecheck-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-typecheck-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-betterer:
+    permissions:
+      contents: read
+      id-token: write
+    name: Betterer
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run betterer:ci

.github/workflows/github-release.yml

@@ -40,7 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Create GitHub release (manually invoked)
-        uses: grafana/grafana-github-actions-go/github-release@main
+        uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}

.github/workflows/go-lint.yml

@@ -17,14 +17,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
       - run: make gen-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
         with:
-          version: v1.62.0
+          version: v2.0.2
           args: |
             --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
           install-mode: binary

.github/workflows/i18n-crowdin-create-tasks.yml

@@ -0,0 +1,27 @@
+name: Crowdin Create Tasks
+
+on:
+  workflow_dispatch:
+  # schedule:
+  #   - cron: "0 0 * * *"
+
+jobs:
+  create-tasks-in-crowdin:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Create tasks
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+        run: node ./.github/workflows/scripts/crowdin/create-tasks.js

.github/workflows/i18n-crowdin-download.yml

@@ -26,10 +26,11 @@ jobs:
         with:
           ref: ${{ github.head_ref }}
           token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
 
       - name: Download sources
         id: crowdin-download
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
         with:
           upload_sources: false
           upload_translations: false
@@ -72,7 +73,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Get project board ID
-        uses: octokit/graphql-action@v2.x
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
         id: get-project-id
         if: steps.crowdin-download.outputs.pull_request_url
         with:
@@ -92,7 +93,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Add to project board
-        uses: octokit/graphql-action@v2.x
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
         if: steps.crowdin-download.outputs.pull_request_url
         with:
           projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@@ -109,7 +110,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main
+        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
         if: steps.crowdin-download.outputs.pull_request_url
         with:
           pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
@@ -117,7 +118,7 @@ jobs:
 
       - name: Get vault secrets
         id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
           repo_secrets: |

.github/workflows/i18n-crowdin-upload.yml

@@ -15,9 +15,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Upload sources
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
         with:
           upload_sources: true
           upload_sources_args: '--dest=public/locales/en-US/grafana.json'

.github/workflows/issue-opened.yml

@@ -10,22 +10,24 @@ on:
 concurrency:
   group: issue-opened-${{ github.event.issue.number }}
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   main:
     runs-on: ubuntu-latest
     if: github.repository == 'grafana/grafana'
+    permissions:
+      contents: read
+      id-token: write
     steps:
 
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
 
       - name: Install Actions
         run: npm install --production --prefix ./actions
@@ -37,7 +39,7 @@ jobs:
 
       - name: "Get vault secrets"
         id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
           repo_secrets: |
@@ -60,13 +62,16 @@ jobs:
 
   auto-triage:
     needs: [main]
+    permissions:
+      contents: read
+      id-token: write
     if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
     runs-on: ubuntu-latest
     steps:
 
       - name: "Get vault secrets"
         id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
           repo_secrets: |
@@ -83,11 +88,11 @@ jobs:
           private_key: ${{ env.GH_APP_PEM }}
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
 
       - name: Send issue to the auto triager action
         id: auto_triage
-        uses: grafana/auto-triager@main
+        uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ steps.generate_token.outputs.token }}
           issue_number: ${{ github.event.issue.number }}
@@ -99,7 +104,7 @@ jobs:
 
       - name: "Send Slack notification"
         if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
-        uses: slackapi/slack-github-action@v1.27.0
+        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
         with:
           payload: >
             {

.github/workflows/lint-build-docs.yml

@@ -0,0 +1,62 @@
+name: Documentation
+
+on:
+  pull_request:
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+
+jobs:
+  docs:
+    name: Build & Verify Docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.11.0'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Lint docs
+        run: yarn run prettier:checkDocs
+        env:
+          # Increase memory for prettier due to large number of files
+          NODE_OPTIONS: --max_old_space_size=8192
+
+      - name: Build docs website
+        run: |
+          # Create and start a container from the docs-base image in detached mode
+          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
+          
+          # Create the directory structure inside the container
+          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
+          
+          # Create the _index.md file
+          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
+          
+          # Copy the docs sources from the host to the container
+          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
+          
+          # Run the make prod command inside the container
+          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
+          
+          # Clean up the container
+          docker rm -f docs-builder

.github/workflows/metrics-collector.yml

@@ -15,6 +15,9 @@ on:
   issues:
     types: [opened, closed]
 
+permissions:
+  contents: read
+
 jobs:
   config:
     runs-on: "ubuntu-latest"
@@ -35,11 +38,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run metrics collector

.github/workflows/migrate-prs.yml

@@ -16,7 +16,9 @@ on:
         required: true
         type: string
     secrets:
-      token:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
         required: true
   workflow_dispatch:
     inputs:
@@ -33,17 +35,25 @@ on:
         required: true
         type: string
     secrets:
-      token:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
         required: true
 
 jobs:
   main:
     runs-on: ubuntu-latest
     steps:
-      - name: Migrate PRs
-        uses: grafana/grafana-github-actions-go/migrate-open-prs@main
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
         with:
-          token: ${{ secrets.token }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Migrate PRs
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
           ownerRepo: ${{ inputs.ownerRepo }}
           from: ${{ inputs.from }}
           to: ${{ inputs.to }}

.github/workflows/milestone.yml

@@ -1,19 +0,0 @@
-name: Close Milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version_input:
-        description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
-        required: true
-jobs:
-  call-remove-milestone:
-    uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
-    with:
-      version_call: ${{ github.event.inputs.version_input }}
-    secrets: inherit
-  call-close-milestone:
-    uses: grafana/grafana/.github/workflows/close-milestone.yml@main
-    with:
-      version_call: ${{ github.event.inputs.version_input }}
-    secrets: inherit
-    needs: call-remove-milestone

.github/workflows/pr-backend-coverage.yml

@@ -0,0 +1,71 @@
+name: Coverage
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  EDITION: 'oss'
+  WIRE_TAGS: 'oss'
+
+jobs:
+  main:
+    name: Backend Unit Tests
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential shared-mime-info
+          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
+      - name: Process and upload coverage
+        uses: ./.github/actions/test-coverage-processor
+        with:
+          test-type: 'be-unit'
+          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
+          coverage-file: 'unit.cov'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          codecov-flag: 'be-unit'
+          codecov-name: 'be-unit'
+
+      - name: Install Grafana Bench
+        # We can't allow forks here, as we need secret access.
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: ./.github/actions/setup-grafana-bench
+
+      - name: Process output for Bench
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          grafana-bench report \
+            --trigger pr-backend-unit-tests-oss \
+            --report-input go \
+            --report-output log \
+            --grafana-version "$(git rev-parse HEAD)" \
+            --suite-name grafana-oss-unit-tests \
+            /tmp/unit.log || true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false

.github/workflows/pr-checks.yml

@@ -31,11 +31,12 @@ jobs:
     if: github.event.pull_request.draft == false
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run PR Checks

.github/workflows/pr-codeql-analysis-go.yml

@@ -1,53 +0,0 @@
-name: "CodeQL for PR / go"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-    paths:
-      - '**/*.go'
-
-permissions:
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-
-    steps:
-    - name: "Generate token"
-      id: generate_token
-      continue-on-error: true
-      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-      with:
-        app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-        private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        token: ${{ steps.generate_token.outputs.token }}
-
-    - name: Set go version
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: "go"
-
-    - name: Build go files
-      run: |
-        go mod verify
-        make build-go
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/pr-codeql-analysis-javascript.yml

@@ -25,12 +25,13 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: "javascript"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-codeql-analysis-python.yml

@@ -23,12 +23,13 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: "python"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-commands.yml

@@ -30,11 +30,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: "Generate token"

.github/workflows/pr-dependabot-update-go-workspace.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
     - name: Retrieve GitHub App secrets
       id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
       with:
         repo_secrets: |
           APP_ID=grafana-go-workspace-bot:app-id
@@ -42,9 +42,10 @@ jobs:
         repository: ${{ github.event.pull_request.head.repo.full_name }}
         ref: ${{ github.event.pull_request.head.ref }}
         token: ${{ steps.generate_token.outputs.token }}
+        persist-credentials: false
 
     - name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
         go-version-file: go.mod
 
@@ -65,4 +66,4 @@ jobs:
           echo "Committing and pushing workspace changes"
           git commit -a -m "update workspace"
           git push origin $BRANCH_NAME
-        fi
+        fi

.github/workflows/pr-e2e-tests.yml

@@ -0,0 +1,72 @@
+name: End-to-end tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  build-grafana:
+    name: Build & Package Grafana
+    runs-on: ubuntu-latest-16-cores
+    outputs:
+      artifact: ${{ steps.artifact.outputs.artifact }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: 'grafana/grafana-build'
+          ref: 'main'
+          persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          path: ./grafana
+      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
+      - run: mv $(cat out.txt) grafana.tar.gz
+      - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
+        id: artifact
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          retention-days: 1
+          name: ${{ steps.artifact.outputs.artifact }}
+          path: grafana.tar.gz
+  e2e-matrix:
+    name: ${{ matrix.suite }}
+    strategy:
+      matrix:
+        suite:
+          - various-suite
+          - dashboards-suite
+          - smoke-tests-suite
+          - panels-suite
+    needs:
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}
+  e2e-matrix-old-arch:
+    name: ${{ matrix.suite }} (old arch)
+    strategy:
+      matrix:
+        suite:
+          - old-arch/various-suite
+          - old-arch/dashboards-suite
+          - old-arch/smoke-tests-suite
+          - old-arch/panels-suite
+    needs:
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}

.github/workflows/pr-frontend-unit-tests.yml

@@ -0,0 +1,69 @@
+name: Frontend tests
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+permissions: {}
+
+jobs:
+  frontend-unit-tests:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `frontend-unit-tests-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    runs-on: ubuntu-latest-8-cores
+    name: "Unit tests (${{ matrix.chunk }} / 8)"
+    strategy:
+      fail-fast: false
+      matrix:
+        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run test:ci
+      env:
+        TEST_MAX_WORKERS: 2
+        TEST_SHARD: ${{ matrix.chunk }}
+        TEST_SHARD_TOTAL: 8
+
+  frontend-unit-tests-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    runs-on: ubuntu-latest-8-cores
+    name: "Unit tests (${{ matrix.chunk }} / 8)"
+    strategy:
+      fail-fast: false
+      matrix:
+        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run test:ci
+      env:
+        TEST_MAX_WORKERS: 2
+        TEST_SHARD: ${{ matrix.chunk }}
+        TEST_SHARD_TOTAL: 8

.github/workflows/pr-go-workspace-check.yml

@@ -22,10 +22,13 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
+        cache: false
         go-version-file: go.mod
 
     - name: Update workspace
@@ -41,4 +44,4 @@ jobs:
           exit 1
         fi
     - name: Ensure Dockerfile contains submodule COPY commands
-      run: ./scripts/go-workspace/validate-dockerfile.sh
+      run: ./scripts/go-workspace/validate-dockerfile.sh

.github/workflows/pr-k8s-codegen-check.yml

@@ -9,6 +9,7 @@ on:
       - "pkg/aggregator/apis/**"
       - "pkg/apimachinery/apis/**"
       - "hack/**"
+      - "apps/**"
       - "*.sum"
 
 jobs:
@@ -19,9 +20,11 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
         go-version-file: go.mod
 
@@ -35,4 +38,4 @@ jobs:
           git diff
           echo "Please run './hack/update-codegen.sh' and commit the changes."
           exit 1
-        fi
+        fi

.github/workflows/pr-patch-check-event.yml

@@ -0,0 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana
+name: Dispatch check for patch conflicts
+run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+permissions: {}
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  dispatch-job:
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+      REPO: ${{ github.repository }}
+      SENDER: ${{ github.event.sender.login }}
+      SHA: ${{ github.sha }}
+      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: "Dispatch job"
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'test-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_repo: REPO,
+                  src_ref: HEAD_REF,
+                  src_merge_sha: SHA,
+                  src_pr_commit_sha: PR_COMMIT_SHA,
+                  patch_repo: REPO + '-security-patches',
+                  patch_ref: BASE_REF,
+                  triggering_github_handle: SENDER
+                }
+            })

.github/workflows/pr-patch-check.yml

@@ -1,27 +0,0 @@
-# Owned by grafana-release-guild
-# Intended to be dropped into the base repo Ex: grafana/grafana
-name: Check for patch conflicts
-run-name: check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
-on:
-  pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-# Since this is run on a pull request, we want to apply the patches intended for the
-# target branch onto the source branch, to verify compatibility before merging.
-jobs:
-  trigger_downstream_patch_check:
-    uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
-    if: github.repository == 'grafana/grafana'
-    with:
-      src_repo: "${{ github.repository }}"
-      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
-      patch_repo: "${{ github.repository }}-security-patches"
-      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
-    secrets: inherit

.github/workflows/pr-test-integration.yml

@@ -0,0 +1,89 @@
+name: Integration Tests
+
+on:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  sqlite:
+    name: Sqlite
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - run: |
+          make gen-go
+          go test -tags=sqlite -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
+  mysql:
+    name: MySQL
+    runs-on: ubuntu-latest-8-cores
+    env:
+      GRAFANA_TEST_DB: mysql
+      MYSQL_HOST: 127.0.0.1
+    services:
+      mysql:
+        image: mysql:8.0.32
+        env:
+          MYSQL_ROOT_PASSWORD: rootpass
+          MYSQL_DATABASE: grafana_tests
+          MYSQL_USER: grafana
+          MYSQL_PASSWORD: password
+        options: --health-cmd="mysqladmin ping --silent" --health-interval=10s --health-timeout=5s --health-retries=3
+        ports:
+          - 3306:3306
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - run: |
+          sudo apt-get update -yq && sudo apt-get install mariadb-client
+          cat devenv/docker/blocks/mysql_tests/setup.sql | mariadb -h 127.0.0.1 -P 3306 -u root -prootpass --disable-ssl-verify-server-cert
+          make gen-go
+          go test -tags=mysql -p=1 -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
+  postgres:
+    name: Postgres
+    runs-on: ubuntu-latest-8-cores
+    services:
+      postgres:
+        image: postgres:12.3-alpine
+        env:
+          POSTGRES_USER: grafanatest
+          POSTGRES_PASSWORD: grafanatest
+          POSTGRES_DB: grafanatest
+        ports:
+          - 5432:5432
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - env:
+          GRAFANA_TEST_DB: postgres
+          PGPASSWORD: grafanatest
+          POSTGRES_HOST: 127.0.0.1
+        run: |
+          sudo apt-get update -yq && sudo apt-get install postgresql-client
+          psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
+          make gen-go
+          go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)

.github/workflows/publish-kinds-next.yml

@@ -32,9 +32,10 @@ jobs:
         uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/workflows/publish-kinds-release.yml

@@ -35,9 +35,10 @@ jobs:
         with:
           # required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/workflows/publish-technical-documentation-next.yml

@@ -16,6 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
+      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
         with:
           website_directory: content/docs/grafana/next

.github/workflows/publish-technical-documentation-release.yml

@@ -20,7 +20,8 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
         with:
           release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
           release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

.github/workflows/release-comms.yml

@@ -19,7 +19,7 @@ on:
     - closed
     branches:
     - 'main'
-    - 'v*.*.*'
+    - 'release-*.*.*'
 
 jobs:
   setup:
@@ -30,25 +30,16 @@ jobs:
       release_branch: ${{ steps.output.outputs.release_branch }}
       dry_run: ${{ steps.output.outputs.dry_run }}
       latest: ${{ steps.output.outputs.latest }}
-      token: ${{ steps.output.outputs.token }}
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      DRY_RUN: ${{ inputs.dry_run }}
+      LATEST: ${{ inputs.latest && '1' || '0' }}
+      VERSION: ${{ inputs.version }}
     runs-on: ubuntu-latest
     steps:
-    - name: "Generate token"
-      id: generate_token
-      uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-      with:
-        app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-        private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      # The github-release action expects a `LATEST` value of a string of either '1' or '0'
-    - if: ${{ github.event_name == 'workflow_dispatch' }}
-      run: |
-        echo setting up GITHUB_ENV for ${{ github.event_name }}
-        echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
-        echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
-        echo "LATEST=${{ inputs.latest && '1' || '0' }}" >> $GITHUB_ENV
     - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
       run: |
-        echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\///g')" >> $GITHUB_ENV
+        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
         echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
         echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
     - id: output
@@ -58,7 +49,6 @@ jobs:
         echo "version: $VERSION"
 
         echo "release_branch=$(echo $VERSION | sed -s 's/^v/release-/g')" >> "$GITHUB_OUTPUT"
-        echo "token=${{ steps.generate_token.outputs.token }}" >> "$GITHUB_OUTPUT"
         echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
         echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
         echo "version=$VERSION" >> "$GITHUB_OUTPUT"
@@ -66,42 +56,46 @@ jobs:
     name: Create next release branch (Grafana)
     needs: setup
     uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana'
       source: ${{ needs.setup.outputs.release_branch }}
-    secrets:
-      token: ${{ needs.setup.outputs.token }}
   create_next_release_branch_enterprise:
     name: Create next release branch (Grafana Enterprise)
     needs: setup
     uses: ./.github/workflows/create-next-release-branch.yml
-    with:
-      ownerRepo: 'grafana/grafana'
-      source: ${{ needs.setup.outputs.release_branch }}
     secrets:
-      token: ${{ needs.setup.outputs.token }}
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    with:
+      ownerRepo: 'grafana/grafana-enterprise'
+      source: ${{ needs.setup.outputs.release_branch }}
   migrate_prs_grafana:
     needs:
       - setup
       - create_next_release_branch_grafana
     uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_grafana.outputs.branch }}
-    secrets:
-      token: ${{ needs.setup.outputs.token }}
   migrate_prs_enterprise:
     needs:
       - setup
       - create_next_release_branch_enterprise
     uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
     with:
       ownerRepo: 'grafana/grafana-enterprise'
       from: ${{ needs.setup.outputs.release_branch }}
       to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
-    secrets:
-      token: ${{ needs.setup.outputs.token }}
   post_changelog_on_forum:
     needs: setup
     uses: ./.github/workflows/community-release.yml
@@ -124,7 +118,10 @@ jobs:
   post_on_slack:
     needs: setup
     runs-on: ubuntu-latest
+    env:
+      DRY_RUN: ${{ needs.setup.outputs.dry_run }}
+      VERSION: ${{ needs.setup.outputs.version }}
     steps:
     - run: |
-        echo announce on slack that ${{ needs.setup.outputs.version }} has been released
-        echo dry run: ${{ needs.setup.outputs.dry_run }}
+        echo announce on slack that $VERSION has been released
+        echo dry run: $DRY_RUN

.github/workflows/release-pr.yml

@@ -33,12 +33,13 @@ on:
         default: false
         type: boolean
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   push-changelog-to-main:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Create PR to main to update the changelog
     uses: ./.github/workflows/changelog.yml
     with:
@@ -50,30 +51,33 @@ jobs:
     secrets:
       GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
       GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
   create-prs:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Create Release PR
     runs-on: ubuntu-latest
     if: github.repository == 'grafana/grafana'
+    env:
+      VERSION: ${{ inputs.version }}
+      LATEST: ${{ inputs.latest }}
+      DRY_RUN: ${{ inputs.dry_run }}
     steps:
-      - name: Generate bot token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Get release branch
         id: branch
-        uses: grafana/grafana-github-actions-go/latest-release-branch@main
+        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
         with:
-          token: ${{ steps.generate_token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           ownerRepo: 'grafana/grafana'
           pattern: ${{ inputs.target }}
       - name: Checkout Grafana
         uses: actions/checkout@v4
         with:
           ref: ${{ steps.branch.outputs.branch }}
-          fetch-depth: 0
           fetch-tags: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Checkout Grafana (main)
         uses: actions/checkout@v4
         with:
@@ -81,6 +85,8 @@ jobs:
           fetch-depth: '0'
           fetch-tags: 'false'
           path: .grafana-main
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -92,37 +98,43 @@ jobs:
           git config --local --add --bool push.autoSetupRemote true
 
       - name: Create branch
-        run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}"
+        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
+      - name: Generate changelog token
+        id: generate_changelog_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Generate changelog
         id: changelog
-        uses: ./.grafana-main/.github/workflows/actions/changelog
+        uses: ./.grafana-main/.github/actions/changelog
         with:
-          github_token: ${{ steps.generate_token.outputs.token }}
-          target: v${{ inputs.version }}
+          github_token: ${{ steps.generate_changelog_token.outputs.token }}
+          target: v${{ env.VERSION }}
           output_file: changelog_items.md
       - name: Patch CHANGELOG.md
         run: |
           # Prepare CHANGELOG.md content with version delimiters
           (
             echo
-            echo "# ${{ inputs.version}} ($(date '+%F'))"
+            echo "# $VERSION ($(date '+%F'))"
             echo
             cat changelog_items.md
           ) > CHANGELOG.part
 
           # Check if a version exists in the changelog
-          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
+          if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
             # Replace the content between START and END delimiters
-            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
+            echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
+            sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
+                   -e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
           else
             # Prepend changelog part to the main changelog file
-            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
+            echo "Version $VERSION not found in the CHANGELOG.md"
             (
-              echo "<!-- ${{ inputs.version }} START -->"
+              echo "<!-- $VERSION START -->"
               cat CHANGELOG.part
-              echo "<!-- ${{ inputs.version }} END -->"
+              echo "<!-- $VERSION END -->"
               cat CHANGELOG.md
             ) > CHANGELOG.tmp
             mv CHANGELOG.tmp CHANGELOG.md
@@ -143,36 +155,47 @@ jobs:
 
       - name: Add package.json changes
         run: |
-          git add package.json lerna.json yarn.lock packages public e2e/test-plugins
-          git commit -m "Update version to ${{ inputs.version }}"
+          git add package.json lerna.json yarn.lock packages public
+          test -e e2e/test-plugins && git add e2e/test-plugins
+          git commit -m "Update version to $VERSION"
 
       - name: Git push
         if: ${{ inputs.dry_run }} != true
-        run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }}
+        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
 
       - name: Create PR without backports
         if: "${{ inputs.backport == '' }}"
-        run: >
-          gh pr create \
-            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-            -l "no-changelog" \
-            --dry-run=${{ inputs.dry_run }} \
-            -B "${{ steps.branch.outputs.branch }}" \
-            --title "Release: ${{ inputs.version }}" \
-            --body "These code changes must be merged after a release is complete"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"
 
       - name: Create PR with backports
         if: "${{ inputs.backport != '' }}"
-        run: >
-          gh pr create \
-            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-            -l "product-approved" \
-            -l "no-changelog" \
-            --dry-run=${{ inputs.dry_run }} \
-            -B "${{ steps.branch.outputs.branch }}" \
-            --title "Release: ${{ inputs.version }}" \
-            --body "These code changes must be merged after a release is complete"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "product-approved" \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"

.github/workflows/remove-milestone.yml

@@ -1,60 +0,0 @@
-name: Remove milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: Needs to match, exactly, the name of a milestone
-  workflow_call:
-    inputs:
-      version_call:
-        description: Needs to match, exactly, the name of a milestone
-        required: true
-        type: string
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    permissions:
-      issues: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Remove milestone from open issues (manually invoked)
-        if: ${{ github.event.inputs.version != '' }}
-        uses: ./actions/remove-milestone
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Remove milestone from open issues (workflow invoked)
-        if: ${{ inputs.version_call != '' }}
-        uses: ./actions/remove-milestone
-        with:
-          version_call: ${{ inputs.version_call }}
-          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/run-dashboard-search-e2e.yml

@@ -0,0 +1,130 @@
+name: run-dashboard-search-e2e
+
+on:
+  workflow_run:
+    workflows: 
+      - trigger-dashboard-search-e2e
+    types:
+      - completed
+  workflow_dispatch:
+
+env:
+  ARCH: linux-amd64
+
+permissions: {}
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    outputs:
+      ini_files: ${{ steps.get_files.outputs.ini_files }}
+
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Pin Go version to mod file
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - run: go version
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'yarn'
+      - name: Cache Node Modules
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            node_modules
+            /home/runner/.cache/Cypress
+          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: yarn install --immutable
+      - name: Install Cypress dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          runTests: false
+      - name: Cache Grafana Build and Dependencies
+        id: cache-grafana
+        uses: actions/cache@v3
+        with:
+          path: |
+            bin/
+            scripts/grafana-server/
+            tools/
+            public/
+            conf/
+            e2e/test-plugins/
+            devenv/
+          key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
+      # only rebuild grafana if search files have changed ( or dependencies )
+      - name: Build Grafana (Runs Only If Not Cached)
+        if: steps.cache-grafana.outputs.cache-hit != 'true'
+        run: make build
+
+      - name: Get list of .ini files
+        id: get_files
+        run: |
+          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
+          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
+        shell: bash
+
+  run_tests:
+      needs: setup
+      runs-on: ubuntu-latest
+      continue-on-error: true
+      if: github.event.pull_request.draft == false
+      strategy:
+        matrix:
+          ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
+
+      permissions:
+        contents: read
+        id-token: write
+
+      steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+        - name: Restore Cached Node Modules
+          uses: actions/cache@v3
+          with:
+            path: |
+              node_modules
+              /home/runner/.cache/Cypress
+            key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+
+        - name: Restore Cached Grafana Build and Dependencies
+          uses: actions/cache@v3
+          with:
+            path: |
+              bin/
+              scripts/grafana-server/
+              tools/
+              public/
+              conf/
+              e2e/test-plugins/
+              devenv/
+            key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
+        - name: Set the step name
+          id: set_file_name
+          env:
+            INI_NAME: ${{ matrix.ini_file }}
+          run: |
+            FILE_NAME=$(basename "$env.INI_NAME" .ini)
+            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
+        - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
+          env:
+            INI_NAME: ${{ matrix.ini_file }}
+          run: |
+            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
+            yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"

.github/workflows/run-e2e-suite.yml

@@ -0,0 +1,39 @@
+name: e2e suite
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        type: string
+        required: true
+      suite:
+        type: string
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.package }}
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
+      - name: Set suite name
+        id: set-suite-name
+        if: always()
+        env:
+          SUITE: ${{ inputs.suite }}
+        run: |
+          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
+          path: videos
+          retention-days: 1

.github/workflows/run-schema-v2-e2e.yml

@@ -19,6 +19,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Pin Go version to mod file
         uses: actions/setup-go@v5
         with:
@@ -33,7 +35,7 @@ jobs:
       - name: Build grafana
         run: make build
       - name: Install Cypress dependencies
-        uses: cypress-io/github-action@v6
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
         with:
           runTests: false
       - name: Run dashboard scenes e2e
@@ -41,4 +43,4 @@ jobs:
       
       - name: Always succeed # This is a workaround to make the job pass even if the previous step fails
         if: failure()
-        run: exit 0
+        run: exit 0

.github/workflows/scripts/crowdin/create-tasks.js

@@ -0,0 +1,84 @@
+const crowdin = require('@crowdin/crowdin-api-client');
+const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
+
+const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
+if (!API_TOKEN) {
+  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
+  process.exit(1);
+}
+
+const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
+if (!PROJECT_ID) {
+  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
+  process.exit(1);
+}
+
+const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
+  token: API_TOKEN,
+  organization: 'grafana'
+});
+
+const languages = await getLanguages();
+const fileIds = await getFileIds();
+console.log('Languages: ', languages);
+console.log('File IDs: ', fileIds);
+
+// for (const language of languages) {
+//   const { name, id } = language;
+//   await createTask(`Translate to ${name}`, id, fileIds);
+// }
+
+async function getLanguages() {
+  try {
+    const project = await projectsGroupsApi.getProject(PROJECT_ID);
+    const languages = project.data.targetLanguages;
+    return languages;
+  } catch (error) {
+    console.error('Failed to fetch languages: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getFileIds() {
+  try {
+    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
+    const files = response.data;
+    const fileIds = files.map(file => file.data.id);
+    return fileIds;
+  } catch (error) {
+    console.error('Failed to fetch file IDs: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function createTask(title, languageId, fileIds) {
+  try {
+    const taskParams = {
+      title,
+      description: TRANSLATED_CONNECTOR_DESCRIPTION,
+      languageId,
+      type: 2, // Translation by vendor
+      workflowStepId: 78, // Translation step ID
+      skipAssignedStrings: true,
+      fileIds,
+    };
+
+    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
+
+    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
+    console.log(`Task created successfully! Task ID: ${response.data.id}`);
+    return response.data;
+  } catch (error) {
+    console.error('Failed to create Crowdin task: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}

.github/workflows/skye-add-to-project.yml

@@ -0,0 +1,106 @@
+name: Add issues and PRs to Skye project board
+on:
+  workflow_dispatch:
+    inputs:
+      manual_issue_number:
+        description: 'Issue/PR number to add to project'
+        required: false
+        type: number
+  issues:
+    types: [opened]
+  pull_request:
+    types: [opened]
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  ORGANIZATION: grafana
+  REPO: grafana
+  PROJECT_ID: "PVT_kwDOAG3Mbc4AxfcI" # Retrieved manually from GitHub GraphQL Explorer
+
+concurrency:
+  group: skye-add-to-project-${{ github.event.number }}
+
+jobs:
+  main:
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Vault secret paths:
+          # - ci/repo/grafana/grafana/grafana_pr_automation_app
+          # - ci/repo/grafana/grafana/frontend_platform_skye_usernames (comma separated list of usernames)
+          repo_secrets: |
+            GH_APP_ID=grafana_pr_automation_app:app_id
+            GH_APP_PEM=grafana_pr_automation_app:app_pem
+            ALLOWED_USERS=frontend_platform_skye_usernames:allowed_users
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
+      # Check if the user is in the list from the secret
+      - name: Check if user is allowed
+        id: check_user
+        env:
+          ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
+          USERNAME: ${{ github.event.sender.login }}
+        run: |
+          # Convert the comma-separated list to an array
+          IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"
+
+          # Check if user is in the allowed list
+          for allowed_user in "${ALLOWED_USERS[@]}"; do
+            if [ "$allowed_user" = "$USERNAME" ]; then
+              echo "user_allowed=true" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+          done
+          echo "user_allowed=false" >> $GITHUB_OUTPUT
+
+      # Convert the issue/PR number to a node ID for the GraphQL API
+      - name: Get node ID for item
+        if: steps.check_user.outputs.user_allowed == 'true'
+        id: get_node_id
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        with:
+          query: |
+            query getNodeId($owner: String!, $repo: String!, $number: Int!) {
+              repository(owner: $owner, name: $repo) {
+                issueOrPullRequest(number: $number) {
+                  ... on Issue { id }
+                  ... on PullRequest { id }
+                }
+              }
+            }
+          variables: |
+            owner: ${{ env.ORGANIZATION }}
+            repo: ${{ env.REPO }}
+            number: ${{ github.event.number || github.event.inputs.manual_issue_number }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      # Finally, add the issue/PR to the project board
+      - name: Add to project board
+        if: steps.check_user.outputs.user_allowed == 'true'
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        with:
+          query: |
+            mutation addItem($projectid: ID!, $itemid: ID!) {
+              addProjectV2ItemById(input: {projectId: $projectid, contentId: $itemid}) {
+                item { id }
+              }
+            }
+          variables: |
+            projectid: ${{ env.PROJECT_ID }}
+            itemid: ${{ fromJSON(steps.get_node_id.outputs.data).repository.issueOrPullRequest.id }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/storybook-verification.yml

@@ -0,0 +1,48 @@
+name: Verify Storybook
+
+on:
+  pull_request:
+    paths:
+      - 'packages/grafana-ui/**'
+      - '!docs/**'
+      - '!*.md'
+  push:
+    branches:
+      - main
+    paths:
+      - 'packages/grafana-ui/**'
+      - '!docs/**'
+      - '!*.md'
+
+jobs:
+  verify-storybook:
+    name: Verify Storybook
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: 'package.json'
+          cache: 'yarn'
+      
+      - name: Install dependencies
+        run: yarn install --immutable
+      
+      - name: Run Storybook and E2E tests
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          browser: chrome
+          start: yarn storybook --quiet
+          wait-on: 'http://localhost:9001'
+          wait-on-timeout: 60
+          command: yarn e2e:storybook
+          install: false
+        env:
+          HOST: localhost
+          PORT: 9001

.github/workflows/sync-mirror-event.yml

@@ -0,0 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Dispatch sync to mirror
+run-name: dispatch-sync-to-mirror-${{ github.ref_name }}
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+permissions: {}
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  dispatch-job:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      REF_NAME: ${{ github.ref_name }}
+      REPO: ${{ github.repository }}
+      SHA: ${{ github.sha }}
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - uses: actions/github-script@v7
+        if: github.repository == 'grafana/grafana'
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {REF_NAME, REPO, SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'mirror-branch-and-apply-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_ref: REF_NAME,
+                  src_repo: REPO,
+                  src_sha: SHA,
+                  dest_repo: REPO + "-security-mirror",
+                  patch_repo: REPO + "-security-patches"
+                }
+            })

.github/workflows/sync-mirror.yml

@@ -1,25 +0,0 @@
-# Owned by grafana-release-guild
-# Intended to be dropped into the base repo, Ex: grafana/grafana
-name: Sync to mirror
-run-name: sync-to-mirror-${{ github.ref_name }}
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-# This is run after the pull request has been merged, so we'll run against the target branch
-jobs:
-  trigger_downstream_patch_mirror:
-    concurrency: patch-mirror-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
-    if: github.repository == 'grafana/grafana'
-    with:
-      ref: "${{ github.ref_name }}" # this is the target branch name, Ex: "main"
-      src_repo: "${{ github.repository }}"
-      dest_repo: "${{ github.repository }}-security-mirror"
-      patch_repo: "${{ github.repository }}-security-patches"
-    secrets: inherit
-

.github/workflows/trigger-dashboard-search-e2e.yml

@@ -0,0 +1,28 @@
+name: trigger-dashboard-search-e2e
+# triggers the dashboard search e2e tests which runs async 
+# doesn't block prs, allows setting up notifications from grafana
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - public/app/features/search/**/*.ts
+      - public/app/features/search/**/*.tsx
+      - pkg/storage/**/*.go
+  pull_request:
+    branches:
+      - main
+    paths:
+      - public/app/features/search/**/*.ts
+      - public/app/features/search/**/*.tsx
+      - pkg/storage/**/*.go
+env:
+  ARCH: linux-amd64
+
+jobs:
+  trigger-search-e2e:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Trigger Dashboard Search E2E
+        run: echo "Triggered Dashboard Search e2e..."

.github/workflows/trivy-scan.yml

@@ -17,8 +17,10 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Install Trivy
-      uses: aquasecurity/setup-trivy@v0.2.2
+      uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
       with:
         version: v0.56.2
         cache: true

.github/workflows/update-changelog.yml

@@ -1,52 +0,0 @@
-name: Update changelog
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
-      skip_pr:
-        required: false
-        default: "0"
-      skip_community_post:
-        required: false
-        default: "0"
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
-                        secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
-                        secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
-                        secrets.GRAFANABOT_FORUM_KEY != ''
-                        ) || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Run update changelog (manually invoked)
-        uses: grafana/grafana-github-actions-go/update-changelog@main
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          version: ${{ inputs.version }}
-          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
-          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
-          community_api_username: grafanabot
-          skip_pr: ${{ inputs.skip_pr }}
-          skip_community_post: ${{ inputs.skip_community_post }}

.github/workflows/update-make-docs.yml

@@ -9,7 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
+        with:
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
         with:
           pr_options: >
             --label 'backport v10.1.x'

.github/workflows/verify-kinds.yml

@@ -14,9 +14,10 @@ jobs:
         uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/zizmor.yml

@@ -0,0 +1,31 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": hash-pin
+        actions/*: any
+        github/*: any
+        grafana/*: any
+  forbidden-uses:
+    config:
+      deny:
+        # Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
+        # https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30066
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30154
+        - reviewdog/*
+  cache-poisoning:
+    ignore:
+      - backend-unit-tests.yml
+      - frontend-lint.yml
+      - pr-frontend-unit-tests.yml
+      - pr-test-integration.yml
+      - publish-kinds-release.yml
+  dangerous-triggers:
+    ignore:
+      - auto-milestone.yml
+      - backport.yml
+      - pr-checks.yml
+      - pr-commands.yml
+      - pr-patch-check-event.yml
+      - run-dashboard-search-e2e.yml

.gitignore

@@ -40,7 +40,6 @@ __debug_bin*
 # This is the new place of the block, but I leave the previous here for a while
 /devenv/docker/blocks/auth/saml-enterprise
 /devenv/docker/blocks/auth/signer
-/devenv/docker/blocks/spanner_tests
 
 /tmp
 tools/phantomjs/phantomjs
@@ -104,18 +103,14 @@ profile.cov
 /pkg/cmd/grafana-cli/grafana-cli
 /pkg/cmd/grafana-server/grafana-server
 /pkg/cmd/grafana-server/debug
-
-# Extensions
-/pkg/cmd/grafana-cli/runner/wireexts_enterprise.go
-/pkg/server/wireexts_enterprise.go
-/pkg/build/cmd/enterprise.go
 /pkg/extensions/*
-!/pkg/extensions/.keep
+/pkg/build/cmd/artifactspage.go
+/pkg/build/cmd/artifactspage.tmpl.html
+/pkg/build/cmd/exportversion.go
+/pkg/server/wireexts_enterprise.go
+/pkg/cmd/grafana-cli/runner/wireexts_enterprise.go
 !/pkg/extensions/main.go
 /public/app/extensions
-!/public/app/extensions/.keep
-
-
 debug.test
 /examples/*/dist
 /packaging/**/*.rpm
@@ -175,13 +170,13 @@ compilation-stats.json
 /e2e/benchmarks/**/results
 /e2e/build_results.zip
 /e2e/extensions
-!/e2e/extensions/.keep
 /e2e/extensions-suite
 /test-results/
 /playwright-report/
 /blob-report/
 /playwright/.cache/
 /playwright/.auth/
+
 # grafana server
 /scripts/grafana-server/server.log
 

.golangci.yml

@@ -191,10 +191,10 @@ linters-settings:
         allow: []
         deny:
           - pkg: github.com/grafana/grafana/pkg
-            desc: apps/investigations is not allowed to import grafana core
+            desc: apps/investigation is not allowed to import grafana core
         files:
-          - ./apps/investigations/*
-          - ./apps/investigations/**/*
+          - ./apps/investigation/*
+          - ./apps/investigation/**/*
   gocritic:
     enabled-checks:
       - ruleguard

.ignore

@@ -1,22 +0,0 @@
-# This is a trick to ignore files only by git but not by other tools
-!/public/app/extensions
-!/pkg/extensions/*
-!/pkg/cmd/grafana-cli/runner/wireexts_enterprise.go
-!/pkg/server/wireexts_enterprise.go
-!/pkg/build/cmd/enterprise.go
-!/pkg/extensions/*
-
-# Enterprise emails
-!/emails/templates/enterprise_*
-!/public/emails/enterprise_*
-
-# Enterprise reporting fonts
-!/public/fonts/dejavu
-
-# Enterprise devenv
-!/devenv/docker/blocks/grafana-enterprise
-!/devenv/docker/blocks/saml-enterprise
-# This is the new place of the block, but I leave the previous here for a while
-!/devenv/docker/blocks/auth/saml-enterprise
-!/devenv/docker/blocks/auth/signer
-!/devenv/docker/blocks/spanner_tests

.vale.ini

@@ -1,5 +0,0 @@
-MinAlertLevel = warning
-
-[*]
-BasedOnStyles = Grafana
-TokenIgnores = (<http[^\n]+>+?), \*\*[^\n]+\*\*

.vscode/launch.json

@@ -9,7 +9,12 @@
       "program": "${workspaceFolder}/pkg/cmd/grafana/",
       "env": {},
       "cwd": "${workspaceFolder}",
-      "args": ["server", "--homepath", "${workspaceFolder}", "--packaging", "dev", "cfg:app_mode=development"]
+      "args": [
+        "server", 
+        "--homepath", "${workspaceFolder}", 
+        "--packaging", "dev", 
+        "cfg:app_mode=development",
+      ]
     },
     {
       "name": "Attach to Test Process",
@@ -18,7 +23,7 @@
       "mode": "remote",
       "host": "127.0.0.1",
       "port": 50480,
-      "apiVersion": 2
+      "apiVersion": 2,
     },
     {
       "name": "Run API Server (testdata)",
@@ -67,16 +72,6 @@
       "cwd": "${workspaceFolder}",
       "args": ["server", "target", "--homepath", "${workspaceFolder}", "--packaging", "dev"]
     },
-    {
-      "name": "Run Authz server",
-      "type": "go",
-      "request": "launch",
-      "mode": "auto",
-      "program": "${workspaceFolder}/pkg/cmd/grafana/",
-      "env": { "GF_DEFAULT_TARGET": "zanzana-server", "GF_SERVER_HTTP_PORT": "3001" },
-      "cwd": "${workspaceFolder}",
-      "args": ["server", "target", "--homepath", "${workspaceFolder}", "--packaging", "dev"]
-    },
     {
       "name": "Attach to Chrome",
       "port": 9222,
@@ -96,15 +91,6 @@
         "NODE_ENV": "test"
       }
     },
-    {
-      "name": "Debug ESLint",
-      "type": "node",
-      "request": "launch",
-      "runtimeExecutable": "yarn",
-      "runtimeArgs": ["run", "eslint", "${file}"],
-      "console": "integratedTerminal",
-      "internalConsoleOptions": "neverOpen"
-    },
     {
       "name": "Debug Go test",
       "type": "go",

.yarnrc.yml

@@ -13,6 +13,10 @@ packageExtensions:
   doctrine@3.0.0:
     dependencies:
       assert: 2.0.0
+  rc-time-picker@3.7.3:
+    peerDependencies:
+      react: 17.0.1
+      react-dom: 17.0.1
   rc-trigger@2.6.5:
     peerDependencies:
       react: 17.0.1

CHANGELOG.md

@@ -1,3 +1,73 @@
+<!-- 11.5.4 START -->
+
+# 11.5.4 (2025-04-23)
+
+### Features and enhancements
+
+- **Azure Monitor:** Filter namespaces by resource group [#103654](https://github.com/grafana/grafana/pull/103654), [@alyssabull](https://github.com/alyssabull)
+- **Azure:** Add support for custom namespace and custom metrics variable queries [#103650](https://github.com/grafana/grafana/pull/103650), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Resource picker improvements [#103638](https://github.com/grafana/grafana/pull/103638), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Support more complex variable interpolation [#103651](https://github.com/grafana/grafana/pull/103651), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Variable editor and resource picker improvements [#103657](https://github.com/grafana/grafana/pull/103657), [@aangelisc](https://github.com/aangelisc)
+- **Chore:** Update CVE-affected dependencies [#102709](https://github.com/grafana/grafana/pull/102709), [@grambbledook](https://github.com/grambbledook)
+- **DashboardScenePage:** Correct slug in self referencing data links [#103853](https://github.com/grafana/grafana/pull/103853), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
+- **Dependencies:** Bump github.com/redis/go-redis/v9 to 9.6.3 to address CVE-2025-29923 [#102865](https://github.com/grafana/grafana/pull/102865), [@macabu](https://github.com/macabu)
+- **Go:** Bump to 1.24.2 [#103525](https://github.com/grafana/grafana/pull/103525), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+- **Prometheus:** Add support for cloud partners Prometheus data sources [#103942](https://github.com/grafana/grafana/pull/103942), [@kevinwcyu](https://github.com/kevinwcyu)
+
+### Bug fixes
+
+- **InfluxDB:** Fix nested variable interpolation [#104095](https://github.com/grafana/grafana/pull/104095), [@aangelisc](https://github.com/aangelisc)
+- **LDAP test:** Fix page crash [#102683](https://github.com/grafana/grafana/pull/102683), [@ashharrison90](https://github.com/ashharrison90)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.5.4 END -->
+<!-- 11.5.3 START -->
+
+# 11.5.3 (2025-03-25)
+
+### Features and enhancements
+
+- **Chore:** Bump Go to 1.23.7 [#101581](https://github.com/grafana/grafana/pull/101581), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go to 1.23.7 (Enterprise)
+
+### Bug fixes
+
+- **Alerting:** Fix token-based Slack image upload to work with channel names [#101078](https://github.com/grafana/grafana/pull/101078), [@JacobsonMT](https://github.com/JacobsonMT)
+- **Auth:** Fix AzureAD config UI's ClientAuthentication dropdown [#100869](https://github.com/grafana/grafana/pull/100869), [@mgyongyosi](https://github.com/mgyongyosi)
+- **Dashboard:** Fix the unintentional time range and variables updates on saving [#101671](https://github.com/grafana/grafana/pull/101671), [@harisrozajac](https://github.com/harisrozajac)
+- **Dashboards:** Fix missing `v/e/i` keybindings to return back to dashboard [#102365](https://github.com/grafana/grafana/pull/102365), [@mdvictor](https://github.com/mdvictor)
+- **InfluxDB:** Improve handling of template variables contained in regular expressions (InfluxQL) [#100977](https://github.com/grafana/grafana/pull/100977), [@aangelisc](https://github.com/aangelisc)
+- **Org redirection:** Fix linking between orgs [#102089](https://github.com/grafana/grafana/pull/102089), [@ashharrison90](https://github.com/ashharrison90)
+
+<!-- 11.5.3 END -->
+<!-- 11.5.2 START -->
+
+# 11.5.2 (2025-02-18)
+
+### Features and enhancements
+
+- **Docker:** Use our own glibc 2.40 binaries [#99918](https://github.com/grafana/grafana/pull/99918), [@DanCech](https://github.com/DanCech)
+- **TransformationFilter:** Include transformation outputs in transformation filtering options [#99878](https://github.com/grafana/grafana/pull/99878), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
+- **grafana-ui:** Update InlineField error prop type to React.ReactNode [#100373](https://github.com/grafana/grafana/pull/100373), [@Clarity-89](https://github.com/Clarity-89)
+
+### Bug fixes
+
+- **Alerting:** Allow specifying uid for new rules added to groups [#100450](https://github.com/grafana/grafana/pull/100450), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Allow specifying uid for new rules added to groups [#100450](https://github.com/grafana/grafana/pull/100450), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Call RLock() before reading sendAlertsTo map [#99880](https://github.com/grafana/grafana/pull/99880), [@santihernandezc](https://github.com/santihernandezc)
+- **Auth:** Fix redirect with JWT auth URL login [#100355](https://github.com/grafana/grafana/pull/100355), [@mgyongyosi](https://github.com/mgyongyosi)
+- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#100582](https://github.com/grafana/grafana/pull/100582), [@kalleep](https://github.com/kalleep)
+- **Azure:** Correctly set application insights resource values [#99599](https://github.com/grafana/grafana/pull/99599), [@aangelisc](https://github.com/aangelisc)
+- **CodeEditor:** Fix cursor alignment [#99863](https://github.com/grafana/grafana/pull/99863), [@ashharrison90](https://github.com/ashharrison90)
+- **DashboardList:** Throttle the re-renders [#100046](https://github.com/grafana/grafana/pull/100046), [@bfmatei](https://github.com/bfmatei)
+- **Dashboards:** Bring back scripted dashboards [#100633](https://github.com/grafana/grafana/pull/100633), [@dprokop](https://github.com/dprokop)
+- **Plugin Metrics:** Eliminate data race in plugin metrics middleware [#100078](https://github.com/grafana/grafana/pull/100078), [@clord](https://github.com/clord)
+- **RBAC:** Don't check folder access if `annotationPermissionUpdate` FT is enabled [#100117](https://github.com/grafana/grafana/pull/100117), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+
+<!-- 11.5.2 END -->
 <!-- 11.5.1 START -->
 
 # 11.5.1 (2025-02-03)
@@ -176,121 +246,6 @@
 - **Grafana UI:** Re-add react-router-dom as a dependency [#97540](https://github.com/grafana/grafana/pull/97540), [@leventebalogh](https://github.com/leventebalogh)
 
 <!-- 11.5.0 END -->
-<!-- 11.4.1 START -->
-
-# 11.4.1 (2025-01-28)
-
-### Features and enhancements
-
-- **Security:** Update to Go 1.23.5 - Backport to v11.4.x [#99123](https://github.com/grafana/grafana/pull/99123), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.23.5 - Backport to v11.4.x (Enterprise)
-
-### Bug fixes
-
-- **Alerting:** AlertingQueryRunner should skip descendant nodes of invalid queries [#97830](https://github.com/grafana/grafana/pull/97830), [@gillesdemey](https://github.com/gillesdemey)
-- **Alerting:** Fix alert rules unpausing after moving rule to different folder [#97583](https://github.com/grafana/grafana/pull/97583), [@santihernandezc](https://github.com/santihernandezc)
-- **Alerting:** Fix label escaping in rule export [#98649](https://github.com/grafana/grafana/pull/98649), [@moustafab](https://github.com/moustafab)
-- **Alerting:** Fix slack image uploading to use new api [#98066](https://github.com/grafana/grafana/pull/98066), [@moustafab](https://github.com/moustafab)
-- **Azure/GCM:** Improve error display [#97594](https://github.com/grafana/grafana/pull/97594), [@aangelisc](https://github.com/aangelisc)
-- **Dashboards:** Fix issue where filtered panels would not react to variable changes [#98734](https://github.com/grafana/grafana/pull/98734), [@oscarkilhed](https://github.com/oscarkilhed)
-- **Dashboards:** Fixes issue with panel header showing even when hide time override was enabled [#98747](https://github.com/grafana/grafana/pull/98747), [@torkelo](https://github.com/torkelo)
-- **Dashboards:** Fixes week relative time ranges when weekStart was changed [#98269](https://github.com/grafana/grafana/pull/98269), [@torkelo](https://github.com/torkelo)
-- **Dashboards:** Panel react for `timeFrom` and `timeShift` changes using variables [#98659](https://github.com/grafana/grafana/pull/98659), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
-- **DateTimePicker:** Fixes issue with date picker showing invalid date [#97971](https://github.com/grafana/grafana/pull/97971), [@torkelo](https://github.com/torkelo)
-- **Fix:** Add support for datasource variable queries [#98119](https://github.com/grafana/grafana/pull/98119), [@sunker](https://github.com/sunker)
-- **InfluxDB:** Adhoc filters can use template vars as values [#98786](https://github.com/grafana/grafana/pull/98786), [@bossinc](https://github.com/bossinc)
-- **LibraryPanel:** Fallback to panel title if library panel title is not set [#99410](https://github.com/grafana/grafana/pull/99410), [@ivanortegaalba](https://github.com/ivanortegaalba)
-
-### Plugin development fixes & changes
-
-- **Grafana UI:** Re-add react-router-dom as a dependency [#98422](https://github.com/grafana/grafana/pull/98422), [@leventebalogh](https://github.com/leventebalogh)
-
-<!-- 11.4.1 END -->
-<!-- 11.3.3 START -->
-
-# 11.3.3 (2025-01-28)
-
-### Features and enhancements
-
-- **Azure Monitor:** Add a feature flag to toggle user auth for Azure Monitor only [#97576](https://github.com/grafana/grafana/pull/97576), [@adamyeats](https://github.com/adamyeats)
-- **Security:** Update to Go 1.23.5 - Backport to v11.3.x [#99124](https://github.com/grafana/grafana/pull/99124), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.23.5 - Backport to v11.3.x (Enterprise)
-
-### Bug fixes
-
-- **Alerting:** AlertingQueryRunner should skip descendant nodes of invalid queries [#97829](https://github.com/grafana/grafana/pull/97829), [@gillesdemey](https://github.com/gillesdemey)
-- **Azure/GCM:** Improve error display [#97593](https://github.com/grafana/grafana/pull/97593), [@aangelisc](https://github.com/aangelisc)
-- **Dashboard:** Fixes issue with compatability of old DashboardModel.annotations [#97467](https://github.com/grafana/grafana/pull/97467), [@torkelo](https://github.com/torkelo)
-- **Dashboards:** Fix issue where filtered panels would not react to variable changes [#98733](https://github.com/grafana/grafana/pull/98733), [@oscarkilhed](https://github.com/oscarkilhed)
-- **Dashboards:** Fixes issue with panel header showing even when hide time override was enabled [#97389](https://github.com/grafana/grafana/pull/97389), [@torkelo](https://github.com/torkelo)
-- **Dashboards:** Fixes week relative time ranges when weekStart was changed [#98268](https://github.com/grafana/grafana/pull/98268), [@torkelo](https://github.com/torkelo)
-- **DateTimePicker:** Fixes issue with date picker showing invalid date [#97970](https://github.com/grafana/grafana/pull/97970), [@torkelo](https://github.com/torkelo)
-- **Fix:** Add support for datasource variable queries [#98118](https://github.com/grafana/grafana/pull/98118), [@sunker](https://github.com/sunker)
-- **InfluxDB:** Adhoc filters can use template vars as values [#98785](https://github.com/grafana/grafana/pull/98785), [@bossinc](https://github.com/bossinc)
-- **Unified Storage:** Use tls preferred when grafana db using ssl [#97379](https://github.com/grafana/grafana/pull/97379), [@owensmallwood](https://github.com/owensmallwood)
-
-### Plugin development fixes & changes
-
-- **Grafana UI:** Re-add react-router-dom as a dependency [#98421](https://github.com/grafana/grafana/pull/98421), [@leventebalogh](https://github.com/leventebalogh)
-
-<!-- 11.3.3 END -->
-<!-- 11.2.6 START -->
-
-# 11.2.6 (2025-01-28)
-
-### Features and enhancements
-
-- **Azure Monitor:** Add a feature flag to toggle user auth for Azure Monitor only [#97565](https://github.com/grafana/grafana/pull/97565), [@adamyeats](https://github.com/adamyeats)
-- **Security:** Update to Go 1.22.11 - Backport to v11.2.x [#99125](https://github.com/grafana/grafana/pull/99125), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.22.11 - Backport to v11.2.x (Enterprise)
-
-### Bug fixes
-
-- **Azure/GCM:** Improve error display [#97591](https://github.com/grafana/grafana/pull/97591), [@aangelisc](https://github.com/aangelisc)
-
-<!-- 11.2.6 END -->
-<!-- 11.1.11 START -->
-
-# 11.1.11 (2025-01-28)
-
-### Features and enhancements
-
-- **Security:** Update to Go 1.22.11 - Backport to v11.1.x [#99126](https://github.com/grafana/grafana/pull/99126), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.22.11 - Backport to v11.1.x (Enterprise)
-
-### Bug fixes
-
-- **Azure/GCM:** Improve error display [#97595](https://github.com/grafana/grafana/pull/97595), [@aangelisc](https://github.com/aangelisc)
-
-<!-- 11.1.11 END -->
-<!-- 11.0.10 START -->
-
-# 11.0.10 (2025-01-28)
-
-### Features and enhancements
-
-- **Security:** Update to Go 1.22.11 - Backport to v11.0.x [#99127](https://github.com/grafana/grafana/pull/99127), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.22.11 - Backport to v11.0.x (Enterprise)
-
-### Bug fixes
-
-- **Azure/GCM:** Improve error display [#97592](https://github.com/grafana/grafana/pull/97592), [@aangelisc](https://github.com/aangelisc)
-
-<!-- 11.0.10 END -->
-<!-- 10.4.15 START -->
-
-# 10.4.15 (2025-01-28)
-
-### Features and enhancements
-
-- **Security:** Update to Go 1.22.11 - Backport to v10.4.x [#99128](https://github.com/grafana/grafana/pull/99128), [@Proximyst](https://github.com/Proximyst)
-- **Security:** Update to Go 1.22.11 - Backport to v10.4.x (Enterprise)
-
-### Bug fixes
-
-- **Azure/GCM:** Improve error display [#97590](https://github.com/grafana/grafana/pull/97590), [@aangelisc](https://github.com/aangelisc)
-
-<!-- 10.4.15 END -->
 <!-- 11.4.0 START -->
 
 # 11.4.0 (2024-12-05)

Dockerfile

@@ -3,10 +3,10 @@
 # to maintain formatting of multiline commands in vscode, add the following to settings.json:
 # "docker.languageserver.formatter.ignoreMultilineInstructions": true
 
-ARG BASE_IMAGE=alpine:3.20
+ARG BASE_IMAGE=alpine:3.21
 ARG JS_IMAGE=node:22-alpine
 ARG JS_PLATFORM=linux/amd64
-ARG GO_IMAGE=golang:1.23.5-alpine
+ARG GO_IMAGE=golang:1.24.3-alpine
 
 # Default to building locally
 ARG GO_SRC=go-builder
@@ -22,6 +22,7 @@ WORKDIR /tmp/grafana
 COPY package.json project.json nx.json yarn.lock .yarnrc.yml ./
 COPY .yarn .yarn
 COPY packages packages
+COPY plugins-bundled plugins-bundled
 COPY public public
 COPY LICENSE ./
 COPY conf/defaults.ini ./conf/defaults.ini
@@ -62,24 +63,23 @@ COPY go.* ./
 COPY .bingo .bingo
 
 # Include vendored dependencies
-COPY pkg/util/xorm pkg/util/xorm
-COPY pkg/apiserver pkg/apiserver
-COPY pkg/apimachinery pkg/apimachinery
-COPY pkg/build pkg/build
-COPY pkg/build/wire pkg/build/wire
-COPY pkg/promlib pkg/promlib
-COPY pkg/storage/unified/resource pkg/storage/unified/resource
-COPY pkg/storage/unified/apistore pkg/storage/unified/apistore
-COPY pkg/semconv pkg/semconv
-COPY pkg/aggregator pkg/aggregator
-COPY apps/playlist apps/playlist
-COPY apps/investigations apps/investigations
-COPY apps/advisor apps/advisor
+COPY pkg/util/xorm/go.* pkg/util/xorm/
+COPY pkg/apiserver/go.* pkg/apiserver/
+COPY pkg/apimachinery/go.* pkg/apimachinery/
+COPY pkg/build/go.* pkg/build/
+COPY pkg/build/wire/go.* pkg/build/wire/
+COPY pkg/promlib/go.* pkg/promlib/
+COPY pkg/storage/unified/resource/go.* pkg/storage/unified/resource/
+COPY pkg/storage/unified/apistore/go.* pkg/storage/unified/apistore/
+COPY pkg/semconv/go.* pkg/semconv/
+COPY pkg/aggregator/go.* pkg/aggregator/
+COPY apps/playlist/go.* apps/playlist/
+COPY apps/investigation/go.* apps/investigation/
 COPY apps apps
 COPY kindsv2 kindsv2
-COPY apps/alerting/notifications apps/alerting/notifications
-COPY pkg/codegen pkg/codegen
-COPY pkg/plugins/codegen pkg/plugins/codegen
+COPY apps/alerting/notifications/go.* apps/alerting/notifications/
+COPY pkg/codegen/go.* pkg/codegen/
+COPY pkg/plugins/codegen/go.* pkg/plugins/codegen/
 
 RUN go mod download
 RUN if [[ "$BINGO" = "true" ]]; then \

MAINTAINERS.md

@@ -8,4 +8,4 @@
   - @davkal
 - Docs:
   - @chri2547
-  - @JohnnyK-Grafana
+  - @brendamuir

Makefile

@@ -8,7 +8,7 @@ WIRE_TAGS = "oss"
 include .bingo/Variables.mk
 
 GO = go
-GO_VERSION = 1.23.5
+GO_VERSION = 1.24.3
 GO_LINT_FILES ?= $(shell ./scripts/go-workspace/golangci-lint-includes.sh)
 GO_TEST_FILES ?= $(shell ./scripts/go-workspace/test-includes.sh)
 SH_FILES ?= $(shell find ./scripts -name *.sh)
@@ -149,7 +149,7 @@ gen-cue: ## Do all CUE/Thema code generation
 .PHONY: gen-cuev2
 gen-cuev2: ## Do all CUE code generation
 	@echo "generate code from .cue files (v2)"
-	@$(MAKE) -C ./kindsv2 all
+	go generate ./kindsv2/gen.go
 
 .PHONY: gen-feature-toggles
 gen-feature-toggles:
@@ -211,6 +211,7 @@ build-cli: ## Build Grafana CLI application.
 build-js: ## Build frontend assets.
 	@echo "build frontend"
 	yarn run build
+	yarn run plugins:build-bundled
 
 PLUGIN_ID ?=
 
@@ -271,14 +272,6 @@ test-go-integration-alertmanager: ## Run integration tests for the remote alertm
 	AM_URL=http://localhost:8080 AM_TENANT_ID=test \
 	$(GO) test $(GO_RACE_FLAG) -count=1 -run "^TestIntegrationRemoteAlertmanager" -covermode=atomic -timeout=5m ./pkg/services/ngalert/...
 
-.PHONY: test-go-integration-grafana-alertmanager
-test-go-integration-grafana-alertmanager: ## Run integration tests for the grafana alertmanager
-	@echo "test grafana alertmanager integration tests"
-	@export GRAFANA_VERSION=11.5.0-81938; \
-	$(GO) run tools/setup_grafana_alertmanager_integration_test_images.go; \
-	$(GO) clean -testcache; \
-	$(GO) test $(GO_RACE_FLAG) -count=1 -run "^TestAlertmanagerIntegration" -covermode=atomic -timeout=10m ./pkg/tests/alertmanager/...
-
 .PHONY: test-go-integration-postgres
 test-go-integration-postgres: devenv-postgres ## Run integration tests for postgres backend with flags.
 	@echo "test backend integration postgres tests"
@@ -429,7 +422,6 @@ protobuf: ## Compile protobuf definitions
 	buf generate pkg/plugins/backendplugin/secretsmanagerplugin --template pkg/plugins/backendplugin/secretsmanagerplugin/buf.gen.yaml
 	buf generate pkg/storage/unified/resource --template pkg/storage/unified/resource/buf.gen.yaml
 	buf generate pkg/services/authz/proto/v1 --template pkg/services/authz/proto/v1/buf.gen.yaml
-	buf generate pkg/services/ngalert/store/proto/v1 --template pkg/services/ngalert/store/proto/v1/buf.gen.yaml
 
 .PHONY: clean
 clean: ## Clean up intermediate build artifacts.

README.md

@@ -43,7 +43,7 @@ If you're interested in contributing to the Grafana project:
 - If you have a specific question, check out our [discussion forums](https://community.grafana.com/).
 - For general discussions, join us on the [official Slack](https://slack.grafana.com) team.
 
-This project is tested with [BrowserStack](https://www.browserstack.com/).
+This project is tested with [BrowserStack](https://www.browserstack.com/)
 
 ## License
 

apps/advisor/.gitignore

@@ -1 +0,0 @@
-plugin/src