Merge branch 'main' into leeoniya/state-timeline-fix-dual-time-multi-series

Docs: Fix missing link for OTEL in Grafana's about page (#106324 )
Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>
2025-06-11 11:08:14 -05:00 · 2025-06-11 14:54:20 +00:00 · 2025-06-11 10:36:28 -04:00 · 2025-06-11 16:36:14 +02:00 · 2025-06-11 15:28:06 +01:00 · 2025-06-11 16:06:31 +02:00
4632 changed files with 265539 additions and 108420 deletions
@@ -10,6 +10,7 @@ const testingLibraryPlugin = require('eslint-plugin-testing-library');

 const grafanaConfig = require('@grafana/eslint-config/flat');
 const grafanaPlugin = require('@grafana/eslint-plugin');
+const grafanaI18nPlugin = require('@grafana/i18n/eslint-plugin');

 // Include the Grafana config and remove the rules,
 // as we just want to pull in all of the necessary configuration but not run the rules
@@ -65,6 +66,7 @@ module.exports = [
      'no-barrel-files': barrelPlugin,
      '@grafana': grafanaPlugin,
      'testing-library': testingLibraryPlugin,
+      '@grafana/i18n': grafanaI18nPlugin,
    },
    linterOptions: {
      // This reports unused disable directives that we can clean up but
@@ -96,33 +98,57 @@ module.exports = [
    },
  },
  {
-    files: ['**/*.{ts,tsx}'],
-    ignores: ['**/*.{test,spec}.{ts,tsx}', '**/__mocks__/**', '**/public/test/**', '**/mocks.{ts,tsx}'],
+    files: ['**/*.{js,jsx,ts,tsx}'],
+    ignores: [
+      '**/*.{test,spec}.{ts,tsx}',
+      '**/__mocks__/**',
+      '**/public/test/**',
+      '**/mocks.{ts,tsx}',
+      '**/spec/**/*.{ts,tsx}',
+    ],
    rules: {
      '@typescript-eslint/consistent-type-assertions': ['error', { assertionStyle: 'never' }],
    },
  },
+  {
+    files: ['**/*.{js,jsx,ts,tsx}'],
+    ignores: [
+      '**/*.{test,spec}.{ts,tsx}',
+      '**/__mocks__/**',
+      '**/public/test/**',
+      '**/mocks.{ts,tsx}',
+      '**/spec/**/*.{ts,tsx}',
+    ],
+    rules: {
+      'no-restricted-syntax': [
+        'error',
+        {
+          selector: 'Identifier[name=localStorage]',
+          message: 'Direct usage of localStorage is not allowed. import store from @grafana/data instead',
+        },
+        {
+          selector: 'MemberExpression[object.name=localStorage]',
+          message: 'Direct usage of localStorage is not allowed. import store from @grafana/data instead',
+        },
+        {
+          selector:
+            'Program:has(ImportDeclaration[source.value="@grafana/ui"] ImportSpecifier[imported.name="Card"]) JSXOpeningElement[name.name="Card"]:not(:has(JSXAttribute[name.name="noMargin"]))',
+          message:
+            'Add noMargin prop to Card components to remove built-in margins. Use layout components like Stack or Grid with the gap prop instead for consistent spacing.',
+        },
+        {
+          selector:
+            'Program:has(ImportDeclaration[source.value="@grafana/ui"] ImportSpecifier[imported.name="Field"]) JSXOpeningElement[name.name="Field"]:not(:has(JSXAttribute[name.name="noMargin"]))',
+          message:
+            'Add noMargin prop to Field components to remove built-in margins. Use layout components like Stack or Grid with the gap prop instead for consistent spacing.',
+        },
+      ],
+    },
+  },
  {
    files: ['public/app/**/*.{ts,tsx}'],
    rules: {
      'no-barrel-files/no-barrel-files': 'error',
    },
  },
-  {
-    files: ['public/**/*.tsx', 'packages/grafana-ui/**/*.tsx'],
-    ignores: ['public/app/plugins/**', '**/*.story.tsx', '**/*.{test,spec}.{ts,tsx}', '**/__mocks__/', 'public/test'],
-    rules: {
-      '@grafana/no-untranslated-strings': [
-        'error',
-        {
-          forceFix: [
-            // Add paths here that are happy to be auto fixed by this rule,
-            // for example
-            // 'public/app/features/alerting'
-          ],
-        },
-      ],
-      '@grafana/no-translation-top-level': 'error',
-    },
-  },
 ];
@@ -0,0 +1,41 @@
+## API
+
+### Adding and Upgrading Tools
+
+To add a new tool, execute the installation script:
+
+```bash
+install.sh <tool>
+```
+
+#### Example
+
+The following command will add `lefthook` to the tracked tools if it is not already installed, or update its version:
+
+```bash
+install.sh github.com/evilmartians/lefthook@v1.11.10
+```
+
+Behind the scenes, the script performs a few simple steps:
+
+- Creates a Go module under the `.citools/src/<toolname>` directory to track the tool version and its dependencies.
+- Creates a reference to the tool binary in the `.citools/Variables.mk` file.
+
+### Using Tools in the Makefile
+
+Our Makefile imports `.citools/Variables.mk`, so you can call a tool binary using standard Make syntax.
+
+#### Example
+
+```make
+run:
+    $(bra) run
+```
+
+### Using Tracked Tools Without the Makefile
+
+If you want to use a tool outside of the Makefile, you can locate the tool binary by executing the following command:
+
+```bash
+GOWORK=off go tool -n -modfile=<path_to_modfile> <toolname>
+```
@@ -0,0 +1,34 @@
+# Generated tool paths
+tools_dir := $(shell cd $(dir $(lastword $(MAKEFILE_LIST))) && pwd)
+src_dir := $(tools_dir)/src
+
+# Due to a race condition, after initial call to `go tool` golang may report a wrong binary location pointing to the invalid `/tmp/go-buildXXX` directory
+define compile_tool
+$(shell \
+  (cd $(src_dir)/$(1) \
+  && GOWORK=off go tool -n $(2) > /dev/null \
+  && GOWORK=off go tool -n $(2)) | sed 's/^[[:space:]]*//g'; \
+)
+endef
+
+
+# Tool: "bra"
+bra = "$(call compile_tool,bra,github.com/unknwon/bra)"
+
+# Tool: "cog"
+cog = "$(call compile_tool,cog,github.com/grafana/cog/cmd/cli)"
+
+# Tool: "cue"
+cue = "$(call compile_tool,cue,cuelang.org/go/cmd/cue)"
+
+# Tool: "golangci-lint"
+golangci-lint = "$(call compile_tool,golangci-lint,github.com/golangci/golangci-lint/v2/cmd/golangci-lint)"
+
+# Tool: "jb"
+jb = "$(call compile_tool,jb,github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb)"
+
+# Tool: "lefthook"
+lefthook = "$(call compile_tool,lefthook,github.com/evilmartians/lefthook)"
+
+# Tool: "swagger"
+swagger = "$(call compile_tool,swagger,github.com/go-swagger/go-swagger/cmd/swagger)"
@@ -0,0 +1,36 @@
+#!/bin/bash
+set -euo pipefail
+
+TOOLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+TOOLS_SRC_DIR="$TOOLS_DIR/src"
+TOOLS_MK="$TOOLS_DIR/Variables.mk"
+
+echo "# Generated tool paths" > "$TOOLS_MK"
+
+cat <<'EOL' >> "$TOOLS_MK"
+tools_dir := $(shell cd $(dir $(lastword $(MAKEFILE_LIST))) && pwd)
+src_dir := $(tools_dir)/src
+
+# Due to a race condition, after initial call to `go tool` golang may report a wrong binary location pointing to the invalid `/tmp/go-buildXXX` directory
+define compile_tool
+$(shell \
+  (cd $(src_dir)/$(1) \
+  && GOWORK=off go tool -n $(2) > /dev/null \
+  && GOWORK=off go tool -n $(2)) | sed 's/^[[:space:]]*//g'; \
+)
+endef
+
+EOL
+
+for tooldir in "$TOOLS_SRC_DIR"/*; do
+  [ -d "$tooldir" ] || continue
+  tool=$(basename "$tooldir")
+  fqtn=$(awk '/^tool / { print $2 }' "$tooldir/go.mod")
+
+  cat <<EOL >> "$TOOLS_MK"
+
+# Tool: "$tool"
+${tool} = "\$(call compile_tool,${tool},${fqtn})"
+EOL
+done
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euo pipefail
+
+TOOLS_BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+TOOLS_SRC_DIR="$TOOLS_BASE_DIR/src"
+
+IMPORT_PATH_WITH_VERSION="$1"
+
+if [[ "$IMPORT_PATH_WITH_VERSION" != *"@"* ]]; then
+  echo "Error: tool version must be specified (e.g., github.com/foo/bar@v1.2.3)"
+  exit 1
+fi
+
+TOOL_PATH="${IMPORT_PATH_WITH_VERSION%@*}"
+TOOL_NAME="${TOOL_PATH##*/}"
+
+TOOL_DIR="$TOOLS_SRC_DIR/$TOOL_NAME"
+MOD_FILE="$TOOL_DIR/go.mod"
+
+mkdir -p "$TOOL_DIR"
+cd "$TOOL_DIR"
+
+  # Create a new module if go.mod doesn't exist
+if [ ! -f go.mod ]; then
+  go mod init "$TOOL_NAME"
+fi
+
+go get -tool --modfile="$MOD_FILE" "$IMPORT_PATH_WITH_VERSION"
+echo "Installed $TOOL_NAME"
+echo "  Directory: $TOOL_DIR"
+echo "  Modfile: $MOD_FILE"
+
+exec "$TOOLS_BASE_DIR/generate.sh"
@@ -17,7 +17,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d // indirect
-	github.com/grafana/cog v0.0.28 // indirect
+	github.com/grafana/cog v0.0.34 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
@@ -27,8 +27,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d h1:hrXbGJ5jgp6yNITzs5o+zXq0V5yT3siNJ+uM8LGwWKk=
 github.com/grafana/codejen v0.0.4-0.20230321061741-77f656893a3d/go.mod h1:zmwwM/DRyQB7pfuBjTWII3CWtxcXh8LTwAYGfDfpR6s=
-github.com/grafana/cog v0.0.28 h1:0+FNuxyfNWm1OBZPPjgBIno3nzR4gOpSxsVe34hdN7g=
-github.com/grafana/cog v0.0.28/go.mod h1:wZWsTLV7uX0jCbGpqvjawQ7JbaDVT9oW+PQhHwqanHc=
+github.com/grafana/cog v0.0.34 h1:tXtjIB0A0Y6jeZ5iAQBJIAz5vkAJsV0iEFfX94PH/+Q=
+github.com/grafana/cog v0.0.34/go.mod h1:UDstzYqMdgIROmbfkHL8fB9XWQO2lnf5z+4W/eJo4Dc=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -131,7 +131,7 @@ require (
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/quasilyte/go-ruleguard v0.4.4 // indirect
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
 	github.com/quasilyte/gogrep v0.5.0 // indirect
@@ -185,7 +185,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/sync v0.14.0 // indirect
@@ -310,8 +310,8 @@ github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
 github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.16.0 h1:xh6oHhKwnOJKMYiYBDWmkHqQPyiY40sny36Cmx2bbsM=
+github.com/prometheus/procfs v0.16.0/go.mod h1:8veyXUu3nGP7oaCxhX6yeaM5u4stL2FeMXnCqhDthZg=
 github.com/quasilyte/go-ruleguard v0.4.4 h1:53DncefIeLX3qEpjzlS1lyUmQoUEeOWPFWqaTJq9eAQ=
 github.com/quasilyte/go-ruleguard v0.4.4/go.mod h1:Vl05zJ538vcEEwu16V/Hdu7IYZWyKSwIy4c88Ro1kRE=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
@@ -453,8 +453,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac h1:TSSpLIG4v+p0rPv1pNOQtl1I8knsO4S9trOxNMOLVP4=
@@ -42,10 +42,11 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -88,8 +88,8 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
@@ -134,7 +134,7 @@ steps:
  environment:
    HOST: start-storybook
    PORT: "9001"
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-storybook-suite
 trigger:
  event:
@@ -488,24 +488,26 @@ steps:
    token:
      from_secret: drone_token
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --version
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --uninstall 'qemu-*'
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --install all
-  - /src/grafana-build artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
+  - go run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
-    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.4 --yarn-cache=$$YARN_CACHE_FOLDER
-    --build-id=$$DRONE_BUILD_NUMBER --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3
-    --tag-format='{{ .version_base }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{
-    .version_base }}-{{ .buildID }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD
-    > packages.txt
+    -a docker:grafana:linux/arm/v7:ubuntu --yarn-cache=$$YARN_CACHE_FOLDER --build-id=$$DRONE_BUILD_NUMBER
+    --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3 --tag-format='{{ .version_base
+    }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{ .version_base }}-{{ .buildID
+    }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD > packages.txt
  - find ./dist -name '*docker*.tar.gz' -type f | xargs -n1 docker load -i
  depends_on:
  - yarn-install
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-package
  pull: always
  volumes:
@@ -559,7 +561,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-dashboards-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/dashboards-suite
@@ -568,7 +570,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/dashboards-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite smoke-tests-suite
@@ -577,7 +579,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-smoke-tests-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/smoke-tests-suite
@@ -586,7 +588,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/smoke-tests-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite panels-suite
@@ -595,7 +597,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-panels-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/panels-suite
@@ -604,7 +606,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/panels-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite various-suite
@@ -613,7 +615,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-various-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/various-suite
@@ -622,7 +624,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/various-suite
 - commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
@@ -640,7 +642,7 @@ steps:
      from_secret: azure_tenant
    CYPRESS_CI: "true"
    HOST: grafana-server
-  image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
+  image: us-docker.pkg.dev/grafanalabs-dev/docker-oss-plugin-partnerships-dev/e2e-14.3.2:1.0.0
  name: end-to-end-tests-cloud-plugins-suite-azure
  volumes:
  - name: github-app
@@ -1656,7 +1658,7 @@ steps:
  environment:
    HOST: start-storybook
    PORT: "9001"
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-storybook-suite
 trigger:
  branch: main
@@ -1772,24 +1774,26 @@ steps:
  image: node:22.11.0-alpine
  name: build-frontend-packages
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --version
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --uninstall 'qemu-*'
  - docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --install all
-  - /src/grafana-build artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
+  - go run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
-    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.4 --yarn-cache=$$YARN_CACHE_FOLDER
-    --build-id=$$DRONE_BUILD_NUMBER --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3
-    --tag-format='{{ .version_base }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{
-    .version_base }}-{{ .buildID }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD
-    > packages.txt
+    -a docker:grafana:linux/arm/v7:ubuntu --yarn-cache=$$YARN_CACHE_FOLDER --build-id=$$DRONE_BUILD_NUMBER
+    --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3 --tag-format='{{ .version_base
+    }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{ .version_base }}-{{ .buildID
+    }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD > packages.txt
  - find ./dist -name '*docker*.tar.gz' -type f | xargs -n1 docker load -i
  depends_on:
  - update-package-json-version
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-package
  pull: always
  volumes:
@@ -1847,7 +1851,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-dashboards-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/dashboards-suite
@@ -1856,7 +1860,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/dashboards-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite smoke-tests-suite
@@ -1865,7 +1869,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-smoke-tests-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/smoke-tests-suite
@@ -1874,7 +1878,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/smoke-tests-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite panels-suite
@@ -1883,7 +1887,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-panels-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/panels-suite
@@ -1892,7 +1896,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/panels-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite various-suite
@@ -1901,7 +1905,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-various-suite
 - commands:
  - ./bin/build e2e-tests --port 3001 --suite old-arch/various-suite
@@ -1910,7 +1914,7 @@ steps:
  - build-test-plugins
  environment:
    HOST: grafana-server
-  image: cypress/included:13.10.0
+  image: cypress/included:14.3.2
  name: end-to-end-tests-old-arch/various-suite
 - commands:
  - GITHUB_TOKEN=$(cat /github-app/token)
@@ -1928,7 +1932,7 @@ steps:
      from_secret: azure_tenant
    CYPRESS_CI: "true"
    HOST: grafana-server
-  image: us-docker.pkg.dev/grafanalabs-dev/cloud-data-sources/e2e-13.10.0:1.0.0
+  image: us-docker.pkg.dev/grafanalabs-dev/docker-oss-plugin-partnerships-dev/e2e-14.3.2:1.0.0
  name: end-to-end-tests-cloud-plugins-suite-azure
  volumes:
  - name: github-app
@@ -3626,9 +3630,12 @@ platform:
 services: []
 steps:
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - cd /src && ./scripts/drone_build_main.sh
+  - ./pkg/build/daggerbuild/scripts/drone_build_main.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
@@ -3647,7 +3654,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -3659,7 +3665,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-build
  pull: always
  volumes:
@@ -3701,9 +3707,12 @@ platform:
 services: []
 steps:
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - cd /src && ./scripts/drone_build_tag_grafana.sh
+  - ./pkg/build/daggerbuild/scripts/drone_build_tag_grafana.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
@@ -3722,7 +3731,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -3734,7 +3742,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-build
  pull: always
  volumes:
@@ -3818,9 +3826,12 @@ platform:
 services: []
 steps:
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - cd /src && ./scripts/drone_build_tag_grafana.sh
+  - ./pkg/build/daggerbuild/scripts/drone_build_tag_grafana.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
@@ -3839,7 +3850,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -3851,7 +3861,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-build
  pull: always
  volumes:
@@ -4055,9 +4065,12 @@ platform:
 services: []
 steps:
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - cd /src && ./scripts/drone_build_nightly_grafana.sh
+  - ./pkg/build/daggerbuild/scripts/drone_build_nightly_grafana.sh
  environment:
    _EXPERIMENTAL_DAGGER_CLOUD_TOKEN:
      from_secret: dagger_token
@@ -4076,7 +4089,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4088,7 +4100,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-build
  pull: always
  volumes:
@@ -4197,9 +4209,12 @@ steps:
  image: google/cloud-sdk:alpine
  name: rgm-copy
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GRAFANA_DIR=$$(pwd)
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - cd /src && ./scripts/drone_publish_nightly_grafana.sh
+  - ./pkg/build/daggerbuild/scripts/drone_publish_nightly_grafana.sh
  depends_on:
  - rgm-copy
  environment:
@@ -4220,7 +4235,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4232,7 +4246,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-publish
  pull: always
  volumes:
@@ -4324,10 +4338,13 @@ steps:
  - name: github-app
    path: /github-app
 - commands:
+  - wget -qO- https://github.com/dagger/dagger/releases/download/v0.18.8/dagger_v0.18.8_linux_amd64.tar.gz
+    | tar zx -C /bin
+  - apk add docker
  - export GITHUB_TOKEN=$(cat /github-app/token)
-  - dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
-    --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION}
-    --go-version=1.24.4
+  - dagger run --silent go run ./pkg/build/cmd artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
+    --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --build-id=$${DRONE_BUILD_NUMBER}
+    --version=$${VERSION}
  depends_on:
  - github-app-generate-token
  environment:
@@ -4348,7 +4365,6 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.4
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4360,7 +4376,7 @@ steps:
    STORYBOOK_DESTINATION:
      from_secret: rgm_storybook_destination
    UBUNTU_BASE: ubuntu:22.04
-  image: grafana/grafana-build:main
+  image: golang:1.24.4-alpine
  name: rgm-build
  pull: always
  volumes:
@@ -4915,7 +4931,7 @@ steps:
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/drone-downstream
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/docker-puppeteer:1.1.0
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM grafana/docs-base:latest
-  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM cypress/included:13.10.0
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM cypress/included:14.3.2
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM jwilder/dockerize:0.6.1
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM koalaman/shellcheck:stable
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM rockylinux:9
@@ -4953,7 +4969,7 @@ steps:
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/drone-downstream
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/docker-puppeteer:1.1.0
  - trivy --exit-code 1 --severity HIGH,CRITICAL grafana/docs-base:latest
-  - trivy --exit-code 1 --severity HIGH,CRITICAL cypress/included:13.10.0
+  - trivy --exit-code 1 --severity HIGH,CRITICAL cypress/included:14.3.2
  - trivy --exit-code 1 --severity HIGH,CRITICAL jwilder/dockerize:0.6.1
  - trivy --exit-code 1 --severity HIGH,CRITICAL koalaman/shellcheck:stable
  - trivy --exit-code 1 --severity HIGH,CRITICAL rockylinux:9
@@ -5190,6 +5206,6 @@ kind: secret
 name: gcr_credentials
 ---
 kind: signature
-hmac: bcd4bde155138cc6ddd9e501f98b6a882cca14aa27a114b19470bc14e7406d59
+hmac: 7f318d682f431d61add0d60afcb9360f390217961709adeb88c34f11feec35b0

 ...
@@ -49,6 +49,7 @@
 /docs/sources/developers/plugins/                                                 @grafana/plugins-platform-frontend @grafana/plugins-platform-backend

 /docs/sources/panels-visualizations/query-transform-data/transform-data/index.md  @imatwawana @baldm0mma
+/docs/sources/panels-visualizations/query-transform-data/sql-expressions/index.md  @lwandz13 @irenerl24
 # END Technical documentation

 # Backend code
@@ -78,6 +79,7 @@
 /apps/playlist/ @grafana/grafana-app-platform-squad
 /apps/investigations/ @fcjack @matryer @svennergr
 /apps/advisor/ @grafana/plugins-platform-backend
+/apps/iam/ @grafana/access-squad
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
 /pkg/apis/query @grafana/grafana-datasources-core-services
@@ -133,7 +135,7 @@
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
 /pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
-/pkg/services/correlations/ @grafana/dataviz-squad
+/pkg/services/correlations/ @grafana/datapro
 /pkg/services/dashboardimport/ @grafana/grafana-backend-group
 /pkg/services/dashboards/ @grafana/grafana-app-platform-squad
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
@@ -166,7 +168,7 @@
 /pkg/services/tag/ @grafana/grafana-search-and-storage
 /pkg/services/team/ @grafana/access-squad
 /pkg/services/temp_user/ @grafana/grafana-backend-group
-/pkg/services/updatechecker/ @grafana/grafana-backend-group
+/pkg/services/updatemanager/ @grafana/grafana-backend-group
 /pkg/services/user/ @grafana/access-squad
 /pkg/services/validations/ @grafana/grafana-backend-group
 /pkg/setting/ @grafana/grafana-backend-services-squad
@@ -174,7 +176,8 @@
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
 /pkg/tests/apis/query @grafana/grafana-datasources-core-services
 /pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
-/pkg/tests/api/correlations/ @grafana/dataviz-squad
+/pkg/tests/api/correlations/ @grafana/datapro
+/pkg/tests/apis/secret/ @grafana/grafana-operator-experience-squad
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
 /pkg/util/ @grafana/grafana-backend-group
@@ -188,8 +191,8 @@
 /devenv/docker/blocks/auth/ @grafana/identity-access-team

 # Logs code, developers environment
-/devenv/docker/blocks/loki* @grafana/observability-logs
-/devenv/docker/blocks/elastic* @grafana/aws-datasources
+/devenv/docker/blocks/loki* @grafana/oss-big-tent
+/devenv/docker/blocks/elastic* @grafana/partner-datasources
 /devenv/docker/blocks/self-instrumentation* @grafana/oss-big-tent

 /devenv/bulk-dashboards/ @grafana/dashboards-squad
@@ -226,7 +229,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad

-/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/aws-datasources
+/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
@@ -256,7 +259,6 @@
 /devenv/docker/blocks/etcd @grafana/grafana-app-platform-squad
 /devenv/docker/blocks/grafana/ @grafana/grafana-as-code
 /devenv/docker/blocks/graphite/ @grafana/partner-datasources
-/devenv/docker/blocks/graphite09/ @grafana/partner-datasources
 /devenv/docker/blocks/graphite1/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb1/ @grafana/partner-datasources
@@ -330,8 +332,8 @@

 # Observability backend code
 /pkg/tsdb/prometheus/ @grafana/oss-big-tent
-/pkg/tsdb/elasticsearch/ @grafana/aws-datasources
-/pkg/tsdb/loki/ @grafana/observability-logs
+/pkg/tsdb/elasticsearch/ @grafana/partner-datasources
+/pkg/tsdb/loki/ @grafana/oss-big-tent
 /pkg/tsdb/tempo/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/grafana-pyroscope-datasource/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/parca/ @grafana/oss-big-tent
@@ -401,7 +403,7 @@
 # Packages
 /packages/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
 /packages/grafana-data/src/**/*logs* @grafana/observability-logs
-/packages/grafana-data/src/transformations/ @grafana/dataviz-squad
+/packages/grafana-data/src/transformations/ @grafana/datapro
 /packages/grafana-e2e-selectors/ @grafana/grafana-frontend-platform
 /packages/grafana-flamegraph/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/ @grafana/observability-logs
@@ -438,6 +440,8 @@
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
 /packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
 /packages/grafana-alerting/ @grafana/alerting-frontend
+/packages/grafana-i18n/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
+/packages/grafana-test-utils @grafana/grafana-frontend-platform

 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
@@ -465,6 +469,7 @@
 /stylelint.config.js @grafana/frontend-ops
 /tools/ @grafana/frontend-ops
 /lefthook.yml @grafana/frontend-ops
+/lefthook.rc @grafana/frontend-ops
 /.husky/pre-commit @grafana/frontend-ops
 /cypress.config.js @grafana/grafana-frontend-platform
 /.levignore.js @grafana/plugins-platform-frontend
@@ -480,7 +485,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/core/components/TimelineChart/ @grafana/dataviz-squad
 /public/app/core/components/Form/ @grafana/grafana-frontend-platform
 /public/app/core/components/OptionsUI/ @grafana/dashboards-squad @grafana/dataviz-squad
-
+/public/app/dev-utils.ts @grafana/grafana-frontend-platform

 /public/app/core/history/ @grafana/observability-traces-and-profiling
 /public/app/features/admin/ @grafana/identity-access-team
@@ -491,32 +496,31 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/actions/ @grafana/dataviz-squad
 /public/app/features/auth-config/ @grafana/identity-squad
 /public/app/features/annotations/ @grafana/dashboards-squad
-/public/app/features/api-keys/ @grafana/identity-squad
 /public/app/features/canvas/ @grafana/dataviz-squad
 /public/app/features/geo/ @grafana/dataviz-squad
 /public/app/features/visualization/data-hover/ @grafana/dataviz-squad
-/public/app/features/commandPalette/ @grafana/grafana-frontend-platform
+/public/app/features/commandPalette/ @grafana/grafana-search-navigate-organise
 /public/app/features/connections/ @grafana/plugins-platform-frontend
-/public/app/features/correlations/ @grafana/dataviz-squad
+/public/app/features/correlations/ @grafana/datapro
 /public/app/features/dashboard/ @grafana/dashboards-squad
-/public/app/features/dashboard/components/TransformationsEditor/ @grafana/dataviz-squad
+/public/app/features/dashboard/components/TransformationsEditor/ @grafana/datapro
 /public/app/features/dashboard-scene/ @grafana/dashboards-squad
-/public/app/features/scopes/ @grafana/dashboards-squad
+/public/app/features/scopes/ @grafana/grafana-operator-experience-squad
 /public/app/features/datasources/ @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
 /public/app/features/explore/ @grafana/observability-traces-and-profiling
 /public/app/features/expressions/ @grafana/grafana-datasources-core-services
-/public/app/features/folders/ @grafana/grafana-frontend-platform
+/public/app/features/folders/ @grafana/grafana-search-navigate-organise
 /public/app/features/inspector/ @grafana/dashboards-squad
-/public/app/features/invites/ @grafana/grafana-frontend-platform
+/public/app/features/invites/ @grafana/sharing-squad
 /public/app/features/library-panels/ @grafana/dashboards-squad
 /public/app/features/logs/ @grafana/observability-logs
 /public/app/features/live/ @grafana/dashboards-squad
 /public/app/features/apiserver/ @grafana/grafana-app-platform-squad
 /public/app/features/manage-dashboards/ @grafana/dashboards-squad
-/public/app/features/notifications/ @grafana/grafana-frontend-platform
-/public/app/features/org/ @grafana/grafana-frontend-platform
+/public/app/features/notifications/ @grafana/grafana-search-navigate-organise
+/public/app/features/org/ @grafana/grafana-search-navigate-organise
 /public/app/features/panel/ @grafana/dashboards-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
@@ -524,27 +528,27 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/runtime/ @ryantxu
 /public/app/features/query/ @grafana/dashboards-squad
 /public/app/features/sandbox/ @grafana/grafana-frontend-platform
-/public/app/features/browse-dashboards/ @grafana/grafana-frontend-platform
-/public/app/features/search/ @grafana/grafana-frontend-platform
+/public/app/features/browse-dashboards/ @grafana/grafana-search-navigate-organise
+/public/app/features/search/ @grafana/grafana-search-navigate-organise
 /public/app/features/serviceaccounts/ @grafana/identity-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
 /public/app/features/trails/ @grafana/observability-metrics
-/public/app/features/transformers/ @grafana/dataviz-squad
+/public/app/features/transformers/ @grafana/datapro
 /public/app/features/transformers/timeSeriesTable/ @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
 /public/app/features/preferences/ @grafana/grafana-frontend-platform
-/public/app/features/bookmarks/ @grafana/grafana-frontend-platform
+/public/app/features/bookmarks/ @grafana/grafana-search-navigate-organise
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
-/public/app/plugins/panel/annolist/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/annolist/ @grafana/dashboards-squad
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
 /public/app/plugins/panel/bargauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/dashlist/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/dashlist/ @grafana/grafana-search-navigate-organise
 /public/app/plugins/panel/debug/ @ryantxu
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/gettingstarted/ @grafana/grafana-search-navigate-organise
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
@@ -563,12 +567,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/canvas/ @grafana/dataviz-squad
 /public/app/plugins/panel/candlestick/ @grafana/dataviz-squad
 /public/app/plugins/panel/live/ @grafana/dashboards-squad
-/public/app/plugins/panel/news/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/news/ @grafana/dataviz-squad
 /public/app/plugins/panel/stat/ @grafana/dataviz-squad
-/public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
-/public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/text/ @grafana/dataviz-squad
+/public/app/plugins/panel/welcome/ @grafana/grafana-search-navigate-organise
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
-/public/app/routes/ @grafana/grafana-frontend-platform
+/public/app/routes/ @grafana/grafana-search-navigate-organise
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
@@ -596,7 +600,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/explore/NodeGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/FlameGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/TraceView/ @grafana/observability-traces-and-profiling
-/public/app/features/explore/QueryLibrary/ @grafana/grafana-frontend-platform

 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
@@ -605,6 +608,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/dev.ts @grafana/frontend-ops
 /public/app/core/utils/metrics.ts @grafana/plugins-platform-frontend
 /public/app/index.ts @grafana/frontend-ops
+/public/app/initApp.ts @grafana/frontend-ops
 /public/app/AppWrapper.tsx @grafana/frontend-ops
 /public/app/partials/ @grafana/grafana-frontend-platform

@@ -614,7 +618,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/circle-* @grafana/grafana-developer-enablement-squad
 /scripts/publish-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
 /scripts/validate-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
-/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad
+/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad @grafana/datapro
 /scripts/cli/ @grafana/grafana-frontend-platform
 /scripts/clean-git-or-error.sh @grafana/grafana-as-code
 /scripts/grafana-server/ @grafana/grafana-frontend-platform
@@ -637,8 +641,9 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/levitate-parse-json-report.js @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
 /scripts/codemods/explicit-barrel-imports.cjs @grafana/frontend-ops
+/scripts/rtk-client-generator/ @grafana/grafana-search-navigate-organise

-/scripts/**/generate-transformations* @grafana/dataviz-squad
+/scripts/**/generate-transformations* @grafana/datapro
 /scripts/webpack/ @grafana/frontend-ops
 /scripts/generate-a11y-report.sh @grafana/grafana-frontend-platform
 .pa11yci.conf.js @grafana/grafana-frontend-platform
@@ -652,14 +657,14 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Core datasources
 /public/app/plugins/datasource/dashboard/ @grafana/dashboards-squad
 /public/app/plugins/datasource/cloudwatch/ @grafana/aws-datasources
-/public/app/plugins/datasource/elasticsearch/ @grafana/aws-datasources
+/public/app/plugins/datasource/elasticsearch/ @grafana/partner-datasources
 /public/app/plugins/datasource/grafana/ @grafana/grafana-frontend-platform
 /public/app/plugins/datasource/grafana-testdata-datasource/ @grafana/plugins-platform-frontend
 /public/app/plugins/datasource/azuremonitor/ @grafana/partner-datasources
 /public/app/plugins/datasource/graphite/ @grafana/partner-datasources
 /public/app/plugins/datasource/influxdb/ @grafana/partner-datasources
 /public/app/plugins/datasource/jaeger/ @grafana/oss-big-tent
-/public/app/plugins/datasource/loki/ @grafana/observability-logs
+/public/app/plugins/datasource/loki/ @grafana/oss-big-tent
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
@@ -683,6 +688,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/dashboardsnapshots/ @grafana/sharing-squad
 /pkg/services/publicdashboards/ @grafana/sharing-squad
 /pkg/services/rendering/ @grafana/sharing-squad
+/public/app/features/explore/QueryLibrary/ @grafana/sharing-squad

 # SSE - Server Side Expressions
 /pkg/expr/ @grafana/grafana-datasources-core-services
@@ -700,7 +706,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/signingkeys/ @grafana/identity-squad
 /pkg/services/dashboards/accesscontrol.go @grafana/access-squad
 /pkg/services/datasources/guardian/ @grafana/access-squad
-/pkg/services/guardian/ @grafana/access-squad
 /pkg/services/ldap/ @grafana/identity-squad
 /pkg/services/login/ @grafana/identity-squad
 /pkg/services/loginattempt/ @grafana/identity-squad
@@ -733,11 +738,11 @@ embed.go @grafana/grafana-as-code
 /pkg/kinds/ @grafana/grafana-as-code
 /pkg/registry/ @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
-/pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
 /pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
 /pkg/registry/apps/advisor @grafana/plugins-platform-backend
+/pkg/registry/apps/alerting @grafana/alerting-backend
 /pkg/codegen/ @grafana/grafana-as-code
 /pkg/codegen/generators @grafana/grafana-as-code
 /pkg/kinds/*/*_gen.go @grafana/grafana-as-code
@@ -753,13 +758,13 @@ embed.go @grafana/grafana-as-code
 /.github/commands.json @torkelo
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
-/.github/metrics-collector.json @torkelo
 /.github/pr-checks.json @tolzhabayev
 /.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
 /.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
-/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
 /.github/actions/setup-grafana-bench/ @Proximyst
+/.github/workflows/actionlint-format.txt @grafana/grafana-developer-enablement-squad
+/.github/workflows/actionlint.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
 /.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
@@ -767,7 +772,8 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
 /.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
-/.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backport-trigger.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backport-workflow.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
@@ -785,14 +791,15 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
 /.github/workflows/lint-build-docs.yml @grafana/docs-tooling
-/.github/workflows/metrics-collector.yml @torkelo
 /.github/workflows/pr-checks.yml @tolzhabayev
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
+/.github/workflows/pr-external-labelling.yml @Proximyst
 /.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-patch-check.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
-/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
+/.github/workflows/reject-gh-secrets.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
@@ -807,29 +814,31 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
 /.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
+/.github/workflows/e2e-dashboard-new-layouts.yml  @grafana/dashboards-squad
 /.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
-/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
+/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-operator-experience-squad
 /.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
-/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
+/.github/workflows/scripts/crowdin/create-tasks.ts @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
+/.github/workflows/trufflehog.yml @Proximyst
 /.github/workflows/changelog.yml @zserge
 /.github/actions/changelog @zserge
 /.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
 /.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
 /.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
 /.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
 /.github/zizmor.yml @grafana/grafana-developer-enablement-squad
+/.github/license_finder.yaml @bergquist

 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot
@@ -1,6 +1,7 @@
-import { appendFileSync, writeFileSync } from 'fs';
-import { exec as execCallback } from 'node:child_process';
-import { promisify } from 'node:util';
+import {appendFileSync, writeFileSync} from 'fs';
+import {exec as execCallback} from 'node:child_process';
+import {promisify} from 'node:util';
+import {findPreviousVersion, semverParse} from "./semver.js";

 //
 // Github Action core utils: logging (notice + debug log levels), must escape
@@ -9,35 +10,6 @@ import { promisify } from 'node:util';
 const escapeData = (s) => s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
 const LOG = (msg) => console.log(`::notice::${escapeData(msg)}`);

-//
-// Semver utils: parse, compare, sort etc (using official regexp)
-// https://regex101.com/r/Ly7O1x/3/
-//
-const semverRegExp =
-  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
-
-const semverParse = (tag) => {
-  const m = tag.match(semverRegExp);
-  if (!m) {
-    return;
-  }
-  const [_, major, minor, patch, prerelease] = m;
-  return [+major, +minor, +patch, prerelease, tag];
-};
-
-// semverCompare takes two parsed semver tags and comparest them more or less
-// according to the semver specs
-const semverCompare = (a, b) => {
-  for (let i = 0; i < 3; i++) {
-    if (a[i] !== b[i]) {
-      return a[i] < b[i] ? 1 : -1;
-    }
-  }
-  if (a[3] !== b[3]) {
-    return a[3] < b[3] ? 1 : -1;
-  }
-  return 0;
-};

 // Using `git tag -l` output find the tag (version) that goes semantically
 // right before the given version. This might not work correctly with some
@@ -45,29 +17,32 @@ const semverCompare = (a, b) => {
 // into this action explicitly to avoid this step.
 const getPreviousVersion = async (version) => {
  const exec = promisify(execCallback);
-  const { stdout } = await exec('git tag -l');
-  const prev = stdout
+  const {stdout} = await exec('git for-each-ref --sort=-creatordate --format \'%(refname:short)\' refs/tags');
+
+  const parsedTags = stdout
    .split('\n')
    .map(semverParse)
-    .filter((tag) => tag)
-    .sort(semverCompare)
-    .find((tag) => semverCompare(tag, semverParse(version)) > 0);
+    .filter(Boolean);
+
+  const parsedVersion = semverParse(version);
+  const prev = findPreviousVersion(parsedTags, parsedVersion);
  if (!prev) {
    throw `Could not find previous git tag for ${version}`;
  }
-  return prev[4];
+  return prev[5];
 };

+
 // A helper for Github GraphQL API endpoint
 const graphql = async (ghtoken, query, variables) => {
-  const { env } = process;
+  const {env} = process;
  const results = await fetch('https://api.github.com/graphql', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${ghtoken}`,
    },
-    body: JSON.stringify({ query, variables }),
+    body: JSON.stringify({query, variables}),
  });

  const res = await results.json();
@@ -100,7 +75,7 @@ const getCommitishDate = async (name, owner, target) => {
        }
      }
    `,
-    { name, owner, target }
+    {name, owner, target}
  );
  return result.repository.object.committedDate;
 };
@@ -160,7 +135,7 @@ const getHistory = async (name, owner, from, to) => {

  let cursor;
  let nodes = [];
-  for (;;) {
+  for (; ;) {
    const result = await graphql(ghtoken, query, {
      name,
      owner,
@@ -170,7 +145,7 @@ const getHistory = async (name, owner, from, to) => {
    });
    LOG(`GraphQL: ${JSON.stringify(result)}`);
    nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
-    const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
+    const {hasNextPage, endCursor} = result.repository.ref.compare.commits.pageInfo;
    if (!hasNextPage) {
      break;
    }
@@ -186,7 +161,7 @@ const getHistory = async (name, owner, from, to) => {
 // PR grouping relies on Github labels only, not on the PR contents.
 const getChangeLogItems = async (name, owner, from, to) => {
  // check if a node contains a certain label
-  const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
+  const hasLabel = ({labels}, label) => labels.nodes.some(({name}) => name === label);
  // get all the PRs between the two "commitish" items
  const history = await getHistory(name, owner, from, to);

@@ -197,17 +172,17 @@ const getChangeLogItems = async (name, owner, from, to) => {
      return [];
    }
    const item = changes[0];
-    const { number, url, labels } = item;
+    const {number, url, labels} = item;
    const title = item.title.replace(/^\[[^\]]+\]:?\s*/, '');
    // for changelog PRs try to find a suitable category.
    // Note that we can not detect "deprecation notices" like that
    // as there is no suitable label yet.
-    const isBug = /fix/i.test(title) || hasLabel({ labels }, 'type/bug');
-    const isBreaking = hasLabel({ labels }, 'breaking change');
+    const isBug = /fix/i.test(title) || hasLabel({labels}, 'type/bug');
+    const isBreaking = hasLabel({labels}, 'breaking change');
    const isPlugin =
-      hasLabel({ labels }, 'area/grafana/ui') ||
-      hasLabel({ labels }, 'area/grafana/toolkit') ||
-      hasLabel({ labels }, 'area/grafana/runtime');
+      hasLabel({labels}, 'area/grafana/ui') ||
+      hasLabel({labels}, 'area/grafana/toolkit') ||
+      hasLabel({labels}, 'area/grafana/runtime');
    const author = item.commits.nodes[0].commit.author.user?.login;
    return {
      repo: name,
@@ -227,7 +202,7 @@ const getChangeLogItems = async (name, owner, from, to) => {
 // ======================================================

 LOG(`Changelog action started`);
-
+console.log(process.argv);
 const ghtoken = process.env.GITHUB_TOKEN || process.env.INPUT_GITHUB_TOKEN;
 if (!ghtoken) {
  throw 'GITHUB_TOKEN is not set and "github_token" input is empty';
@@ -286,15 +261,15 @@ const markdown = (changelog) => {
      : `### ${title}

 ${items
-  .map(
-    (item) =>
-      `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
-        item.repo === 'grafana-enterprise'
-          ? '(Enterprise)'
-          : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
-      }`
-  )
-  .join('\n')}
+        .map(
+          (item) =>
+            `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
+              item.repo === 'grafana-enterprise'
+                ? '(Enterprise)'
+                : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
+            }`
+        )
+        .join('\n')}
  `;

  // Render all present sections for the given changelog
@@ -0,0 +1,92 @@
+//
+// Semver utils: parse, compare, sort etc (using official regexp)
+// https://regex101.com/r/Ly7O1x/3/
+//
+const semverRegExp =
+  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
+
+export function semverParse(tag) {
+  const m = tag.match(semverRegExp);
+  if (!m) {
+    return;
+  }
+  const [_, major, minor, patch, prerelease, build] = m;
+  return [+major, +minor, +patch, prerelease, build, tag];
+};
+
+// semverCompare takes two parsed semver tags and comparest them more or less
+// according to the semver specs
+export function semverCompare(a, b) {
+  for (let i = 0; i < 3; i++) {
+    if (a[i] !== b[i]) {
+      return a[i] < b[i] ? 1 : -1;
+    }
+  }
+  if (a[3] !== b[3]) {
+    return a[3] < b[3] ? 1 : -1;
+  }
+  return 0;
+};
+
+
+// Finds the highest version that is lower than the target version.
+//
+// This function relies on the following invariant: versions are sorted by the release date.
+// It will produce wrong result if invariant doesn't hold.
+export const findPreviousVersion = (versionByDate, target) => {
+  let prev = null;
+
+  for (let i = 0; i < versionByDate.length; i++) {
+    const version = versionByDate[i];
+
+    // version is greater than the target
+    if (semverCompare(target, version) > 0) {
+      continue;
+    }
+
+    // we came across the target version, all versions seen previously have greater release date.
+    if (semverCompare(target, version) === 0 && target[4] === version[4]) {
+      prev = null;
+      continue;
+    }
+
+    if (prev == null) {
+      prev = version;
+      continue;
+    }
+
+    if (semverCompare(prev, version) > 0) {
+      prev = version;
+    }
+  }
+
+  return prev;
+};
+
+
+const versionsByDate = [
+  "v10.4.19", "v12.0.1", "v11.6.2", "v11.5.5", "v11.4.5", "v11.3.7", "v11.2.10", "v12.0.0+security-01", "v11.2.9+security-01", "v11.3.6+security-01",
+  "v11.6.1+security-01", "v11.4.4+security-01", "v11.5.4+security-01", "v10.4.18+security-01", "v12.0.0", "v11.6.1",
+  "v11.5.4", "v11.4.4", "v11.3.6", "v11.2.9", "v10.4.18", "v11.6.0+security-01", "v11.5.3+security-01", "v11.4.3+security-01",
+  "v11.3.5+security-01", "v11.2.8+security-01", "v10.4.17+security-01", "v11.2.8", "v11.6.0", "v11.5.2", "v11.4.2",
+  "v11.3.4", "v11.2.7", "v11.1.12", "v11.0.11", "v10.4.16", "v11.5.1", "v11.5.0", "v11.3.3", "v11.1.11", "v11.2.6",
+  "v11.0.10", "v10.4.15", "v11.4.1", "v11.4.0", "v11.3.2", "v11.2.5", "v11.1.10", "v11.0.9", "v10.4.14", "v11.3.1",
+  "v11.2.4", "v11.1.9", "v11.0.8", "v10.4.13", "v11.0.2", "v10.4.6", "v10.3.8", "v10.2.9", "v11.1.0", "v11.0.1",
+  "v10.4.5", "v10.3.7", "v10.2.8", "v9.5.20", "v10.4.4", "v9.5.19", "v10.1.10", "v10.2.7", "v10.3.6", "v10.4.3",
+  "v11.0.0", "v10.4.2", "v11.0.0-preview", "v10.1.9", "v10.0.13", "v9.2.0", "v9.1.8",
+].map(semverParse);
+
+function test(version, expected) {
+  const v1 = semverParse(version);
+  const prev = findPreviousVersion(versionsByDate, v1);
+
+  const failureMessage = `FAIILED. Expected ${expected}, but was ${prev[5]}`;
+
+  console.log(`Test ${version}, ${prev[5] === expected ? 'PASSED' : failureMessage}`);
+}
+
+test("v11.5.4+security-01", "v11.5.4");
+test("v11.5.4", "v11.5.3+security-01");
+test("v12.0.0", "v11.6.1");
+test("v12.0.0+security-01", "v12.0.0");
+test("v11.0.0", "v11.0.0-preview");
@@ -1,50 +0,0 @@
-name: 'Go Coverage Processor'
-description: 'Process Go test coverage files and generate reports'
-
-inputs:
-  test-type:
-    description: 'Type of test (e.g., be-unit, be-integration)'
-    required: true
-    type: string
-  coverage-file:
-    description: 'Path to the Go coverage file (.cov)'
-    required: true
-    type: string
-  codecov-token:
-    description: 'Token for CodeCov (required for CodeCov reporting)'
-    required: false
-    default: ''
-  codecov-flag:
-    description: 'Flag to categorize the upload to CodeCov'
-    required: false
-    default: ''
-  codecov-name:
-    description: 'Custom name for the upload to CodeCov'
-    required: false
-    default: ''
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Process Go coverage output
-      shell: bash
-      env:
-        COVERAGE_FILE: ${{ inputs.coverage-file }}
-      run: |
-        # Ensure valid coverage file even if empty
-        if [ ! -s "$COVERAGE_FILE" ]; then
-          echo "Coverage file is empty, creating a minimal valid file"
-          echo "mode: set" > "$COVERAGE_FILE"
-        fi
-
-    - name: Report coverage to CodeCov
-      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
-      if: inputs.codecov-token != ''
-      with:
-        files: ${{ inputs.coverage-file }}
-        flags: ${{ inputs.codecov-flag || inputs.test-type }}
-        name: ${{ inputs.codecov-name || inputs.test-type }}
-        slug: grafana/grafana
-        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
-        url: https://codecov-webhook.grafana-dev.net
-        token: ${{ inputs.codecov-token }}
@@ -128,7 +128,7 @@
    "name": "datasource/Loki",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/203"
+      "url": "https://github.com/orgs/grafana/projects/457"
    }
  },
  {
@@ -160,7 +160,7 @@
    "name": "datasource/Elasticsearch",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/97"
+      "url": "https://github.com/orgs/grafana/projects/190"
    }
  },
  {
@@ -488,7 +488,23 @@
    "name": "area/transformations",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/56"
+      "url": "https://github.com/orgs/grafana/projects/908"
+    }
+  },
+  {
+    "type": "label",
+    "name": "area/correlations",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/908"
+    }
+  },
+  {
+    "type": "label",
+    "name": "area/area/expressions/sql",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/908"
    }
  },
  {
@@ -1194,5 +1210,13 @@
    "addToProject": {
      "url": "https://github.com/orgs/grafana/projects/699"
    }
+  },
+  {
+    "type": "label",
+    "name": "type/docs",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/69"
+    }
  }
 ]
@@ -0,0 +1,128 @@
+---
+- - :permit
+  - MIT
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:11:50.696368005 Z
+- - :permit
+  - Apache 2.0
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:12:09.344787957 Z
+- - :permit
+  - New BSD
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:12:09.344787957 Z
+- - :permit
+  - Simplified BSD
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:12:09.344787957 Z
+- - :permit
+  - Mozilla Public License 2.0
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:12:09.344787957 Z
+- - :permit
+  - ISC
+  - :who: Carl Bergquist
+    :why: Compatible license
+    :versions: []
+    :when: 2021-03-25 11:12:09.344787957 
+- - :license
+  - github.com/grafana/alerting
+  - GNU Affero GPL
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/advisor
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/alerting/notifications
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/dashboard
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/folder
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/investigations
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/apps/playlist
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/aggregator
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/apimachinery
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/apis/secret
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/apiserver
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/promlib
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
+- - :license
+  - github.com/grafana/grafana/pkg/semconv
+  - unknown
+  - :who: Carl Bergquist
+    :why: repository is owned by Grafana Labs
+    :versions: []
+    :when: 2025-05-03 13:10:00.000000000 Z
@@ -1,32 +0,0 @@
-{
-  "queries": [
-    {
-      "name": "type_bug",
-      "query": "label:\"type/bug\" is:issue is:open"
-    },
-    {
-      "name": "type_docs",
-      "query": "label:\"type/docs\" is:issue is:open"
-    },
-    {
-      "name": "needs_investigation",
-      "query": "label:\"needs investigation\" is:issue is:open"
-    },
-    {
-      "name": "needs_more_info",
-      "query": "label:\"needs more info\" is:issue is:open"
-    },
-    {
-      "name": "triage_needs_confirmation",
-      "query": "label:\"triage/needs-confirmation\" is:issue is:open"
-    },
-    {
-      "name": "unlabeled",
-      "query": "is:open is:issue no:label"
-    },
-    {
-      "name": "open_prs",
-      "query": "is:open is:pull-request"
-    }
-  ]
-}
@@ -253,38 +253,6 @@
    "action": "updateLabel",
    "addLabel": "area/alerting"
  },
-  {
-    "type": "label",
-    "name": "area/alerting",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/52"
-    }
-  },
-  {
-    "type": "author",
-    "name": "pr/external",
-    "notMemberOf": {
-      "org": "grafana"
-    },
-    "ignoreList": [
-      "renovate[bot]",
-      "dependabot[bot]",
-      "grafana-delivery-bot[bot]",
-      "grafanabot",
-      "alerting-team[bot]"
-    ],
-    "action": "updateLabel",
-    "addLabel": "pr/external"
-  },
-  {
-    "type": "label",
-    "name": "type/docs",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/69"
-    }
-  },
  {
    "type": "changedfiles",
    "matches": [
@@ -445,71 +413,5 @@
    ],
    "action": "updateLabel",
    "addLabel": "area/panel/table"
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/azuremonitor/**/*",
-      "pkg/tsdb/azuremonitor/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/graphite/**/*",
-      "pkg/tsdb/graphite/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/influxdb/**/*",
-      "pkg/tsdb/influx/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/elasticsearch/**/*",
-      "pkg/tsdb/elasticsearch/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/cloud-monitoring/**/*",
-      "pkg/tsdb/cloud-monitoring/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
-  },
-  {
-    "type": "changedfiles",
-    "matches": [
-      "public/app/plugins/datasource/opentsdb/**/*",
-      "pkg/tsdb/opentsdb/**/*"
-    ],
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
-    }
  }
 ]
@@ -2,6 +2,15 @@
  extends: ["config:recommended"],
  enabledManagers: ["npm"],
  ignoreDeps: [
+    // ignoring these until we can upgrade to react 19
+    // see epic here: https://github.com/grafana/grafana/issues/98813
+    '@types/react',
+    '@types/react-dom',
+    'eslint-plugin-react-hooks',
+    'react',
+    'react-dom',
+    'react-refresh',
+
    "@types/history", // this can be removed entirely when we upgrade history since v5 exposes types directly
    "history", // we should bump this together with react-router-dom (see https://github.com/grafana/grafana/issues/76744)
    "react-router", // we should bump this together with history and react-router-dom
@@ -0,0 +1,66 @@
+{
+    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    "version": "2.1.0",
+    "runs": [
+        {
+            "tool": {
+                "driver": {
+                    "name": "GitHub Actions lint",
+                    "version": {{ getVersion | json }},
+                    "informationUri": "https://github.com/rhysd/actionlint",
+                    "rules": [
+                        {{$first := true}}
+                        {{range $ := allKinds }}
+                            {{if $first}}{{$first = false}}{{else}},{{end}}
+                            {
+                                "id": {{json $.Name}},
+                                "name": {{$.Name | toPascalCase | json}},
+                                "defaultConfiguration": {
+                                    "level": "error"
+                                },
+                                "properties": {
+                                    "description": {{json $.Description}},
+                                    "queryURI": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
+                                },
+                                "fullDescription": {
+                                    "text": {{json $.Description}}
+                                },
+                                "helpUri": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
+                            }
+                        {{end}}
+                    ]
+                }
+            },
+            "results": [
+                {{$first := true}}
+                {{range $ := .}}
+                    {{if $first}}{{$first = false}}{{else}},{{end}}
+                    {
+                        "ruleId": {{json $.Kind}},
+                        "message": {
+                            "text": {{json $.Message}}
+                        },
+                        "locations": [
+                            {
+                                "physicalLocation": {
+                                    "artifactLocation": {
+                                        "uri": {{json $.Filepath}},
+                                        "uriBaseId": "%SRCROOT%"
+                                    },
+                                    "region": {
+                                        "startLine": {{$.Line}},
+                                        "startColumn": {{$.Column}},
+                                        "endColumn": {{$.EndColumn}},
+                                        "snippet": {
+                                            "text": {{json $.Snippet}}
+                                        }
+                                    }
+                                }
+                            }
+                        ]
+                    }
+                {{end}}
+            ]
+        }
+    ]
+}
@@ -0,0 +1,60 @@
+# This workflow depends on the ./actionlint-format.txt file. It is MIT licensed (thanks, rhysd!): https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
+name: Actionlint
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  run-actionlint:
+    name: Lint GitHub Actions files
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # to check out the code
+      actions: read # to read the workflow files
+      security-events: write # for uploading the SARIF report
+
+    env:
+      ACTIONLINT_VERSION: 1.7.7
+      # curl -LXGET https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt | grep linux_amd64
+      CHECKSUM: 023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      # GitHub Actions only runs x86_64. This will break if that assumption changes.
+      - name: Download Actionlint
+        run: |
+          set -euo pipefail
+          curl -OLXGET https://github.com/rhysd/actionlint/releases/download/v"${ACTIONLINT_VERSION}"/actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
+          echo "${CHECKSUM}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzf actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
+          test -f actionlint
+          chmod +x actionlint
+
+      - name: Run Actionlint
+        run: ./actionlint -format "$(cat .github/workflows/actionlint-format.txt)" | tee results.sarif
+
+      - name: Upload to GitHub security events
+        if: success() || failure()
+        # If there are security problems, GitHub will automatically comment on the PR for us.
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        with:
+          sarif_file: results.sarif
+          category: actionlint
@@ -37,7 +37,7 @@ jobs:
        id: current-commit
        run: |
          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
-          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
+          echo "from_commit=$FROM_COMMIT" >> "$GITHUB_OUTPUT"

      - name: Get current branch name
        id: current-branch-name
@@ -47,14 +47,14 @@ jobs:
        id: latest-commit
        env:
          GH_TOKEN: ${{ github.token }}
+          BRANCH: ${{ steps.current-branch-name.outputs.name }}
        run: |
-          BRANCH="${{ steps.current-branch-name.outputs.name }}"
-          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
+          TO_COMMIT="$(gh api repos/grafana/alerting/commits/"$BRANCH" --jq '.sha')"
           if [ -z "$TO_COMMIT" ]; then
            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
            exit 1
          fi
-          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
+          echo "to_commit=$TO_COMMIT" >> "$GITHUB_OUTPUT"

      - name: Compare commit hashes
        run: |
@@ -74,26 +74,31 @@ jobs:
        id: check-commits
        env:
          GH_TOKEN: ${{ github.token }}
+          FROM_COMMIT: ${{ steps.current-commit.outputs.from_commit }}
+          TO_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
        run: |
-          # get all commits that contains 'Alerting:' in the message          
-          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
-            --jq '.commits[].commit.message | split("\n")[0]') || true
-          
+          # get all commits that contains 'Alerting:' in the message
+          ALERTING_COMMITS="$(gh api repos/grafana/alerting/compare/"$FROM_COMMIT"..."$TO_COMMIT" \
+            --jq '.commits[].commit.message | split("\n")[0]')" || true
+
          # Use printf instead of echo -e for better multiline handling
          printf "%s\n" "$ALERTING_COMMITS"
-          
+
          # make the list for markdown and replace PR numbers with links
-          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
-          
-          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
-          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          ALERTING_COMMITS_FORMATTED="$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)"
+
+          {
+            echo "alerting_commits<<EOF"
+            echo "$ALERTING_COMMITS_FORMATTED"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"

      - name: Update alerting module
        env:
          GOSUMDB: off
+          PINNED_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
        run: |
-          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
+          go get github.com/grafana/alerting@"$PINNED_COMMIT"
          make update-workspace

      - id: get-secrets
@@ -124,7 +129,7 @@ jobs:
            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
            <details>
            <summary>Commits</summary>
-            
+
            ${{ steps.check-commits.outputs.alerting_commits }}

            </details>
@@ -132,6 +137,10 @@ jobs:
            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
      - name: Add PR URL to Summary
        if: steps.create-pr.outputs.pull-request-url != ''
+        env:
+          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
        run: |
-          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
-          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## Pull Request Created"
+            echo "🔗 [View Pull Request]($PR_URL)"
+          } >> "$GITHUB_STEP_SUMMARY"
@@ -3,9 +3,13 @@ name: Analytics Events Report
 on:
  workflow_dispatch:

+permissions: {}
+
 jobs:
  generate-report:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
@@ -21,7 +21,7 @@ permissions: {}

 jobs:
  grafana:
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
+    # Run this workflow only for PRs from forks
    # the `pr-backend-unit-tests-enterprise` workflow will run instead
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    strategy:
@@ -58,6 +58,7 @@ jobs:

  grafana-enterprise:
    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    # If it gets merged into `main` or `release-*`, then a junit test result is uploaded to GCS.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    strategy:
      matrix:
@@ -73,6 +74,7 @@ jobs:
      contents: read
      id-token: write
    steps:
+      # Set up repository clone
      - name: Checkout code
        uses: actions/checkout@v4
        with:
@@ -85,11 +87,44 @@ jobs:
        uses: ./.github/actions/setup-enterprise
        with:
          github-app-name: 'grafana-ci-bot'
+
+      # Prepare what we need to upload test results
+      - run: echo "RESULTS_FILE=$(date --rfc-3339=seconds --utc | sed -s 's/ /-/g')_${SHARD/\//_}.xml" >> "$GITHUB_ENV"
+        env:
+          SHARD: ${{ matrix.shard }}
+      - run: go install github.com/jstemmer/go-junit-report/v2@85bf4716ac1f025f2925510a9f5e9f5bb347c009
+
+      # Run code
      - name: Generate Go code
        run: make gen-go
      - name: Run unit tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
+          set -euo pipefail
+
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
-          go test -short -timeout=30m "${PACKAGES[@]}"
+          # This tee requires pipefail to be set, otherwise `go test`'s exit code is thrown away.
+          # That means having no `-o pipefail` => failing tests => exit code 0, which is wrong.
+          go test -short -v -timeout=30m "${PACKAGES[@]}" | tee >(go-junit-report -set-exit-code > "$RESULTS_FILE")
+
+      # Upload results to GCS
+      - name: Log in to GCS
+        if: github.repository == 'grafana/grafana' && (success() || failure())
+        uses: grafana/shared-workflows/actions/login-to-gcs@login-to-gcs-v0.2.0
+        with:
+          service_account: github-junit-uploader@grafanalabs-workload-identity.iam.gserviceaccount.com
+          bucket: grafana-test-results
+      - if: github.repository == 'grafana/grafana' && (success() || failure())
+        run: echo "BUCKET_PATH=go-unit-tests/$(echo ${REF_NAME} | sed 's/\//-/g')" >> "$GITHUB_ENV"
+        env:
+          REF_NAME: ${{ github.ref_name }}
+      - name: Upload test results
+        if: github.repository == 'grafana/grafana' && (success() || failure())
+        uses: grafana/shared-workflows/actions/push-to-gcs@push-to-gcs-v0.2.0
+        with:
+          bucket: grafana-test-results
+          service_account: github-junit-uploader@grafanalabs-workload-identity.iam.gserviceaccount.com
+          environment: "dev" # Can be dev/prod (defaults to dev)
+          path: ${{ env.RESULTS_FILE }}
+          bucket_path: ${{ env.BUCKET_PATH }}
@@ -0,0 +1,47 @@
+# We need secrets to backport, but they're not available for actions ran by forks.
+# So this workflow is used as a 'trigger', which the backport-workflow.yml will with
+# via workflow_run
+
+name: Backport (trigger)
+on:
+  pull_request:
+    types:
+      - closed
+      - labeled
+
+permissions: {}
+
+jobs:
+  trigger:
+    # Only run this job if the PR has been merged and has a label containing "backport v"
+    if: |
+      github.repository == 'grafana/grafana' &&
+      github.event.pull_request.merged == true &&
+      contains(join(github.event.pull_request.labels.*.name, ','), 'backport v')
+    runs-on: ubuntu-latest
+    steps:
+      # TODO: save this as job summary instead?
+      - name: Trigger
+        run: |
+          echo "Triggering workflow"
+          echo "See https://github.com/${{ github.repository }}/actions/workflows/workflow_run.yml for progress"
+
+      # Create a JSON artifact with details of this PR to pass to the backport workflow.
+      # The { action: 'labelled', label: 'backport-1.23.x' } can only be determined from this event payload,
+      # and is needed to do a backport after a PR has been merged
+      #
+      # Important that we don't run *anything* from the PR which could modify the backport_data.json file
+      - name: Create action data
+        run: |
+          jq '{
+            action: .action,
+            label: .label.name,
+            pr_number: .number,
+          }' "$GITHUB_EVENT_PATH" > /tmp/pr_info.json
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pr_info
+          path: /tmp/pr_info.json
+          retention-days: 1
@@ -0,0 +1,88 @@
+# Runs the actual backport, after being triggered by the backport-trigger.yml workflow.
+
+name: Backport (workflow)
+run-name: "Backport for ${{ github.event.workflow_run.head_branch }} #${{ github.event.workflow_run.run_number }}"
+on:
+  workflow_run: # zizmor: ignore[dangerous-triggers] backport-trigger.yml does not run any user code
+    workflows: ["Backport (trigger)"]
+    types:
+      - completed
+
+permissions: {}
+
+jobs:
+  backport:
+    # Only run this job if the triggering workflow was not skipped (and on grafana repo)
+    if: github.repository == 'grafana/grafana' && github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      actions: read
+    steps:
+      - name: Get vault secrets
+        id: secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          export_env: false
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ fromJSON(steps.secrets.outputs.secrets).APP_PEM }}
+
+      - name: Download PR info artifact
+        uses: actions/download-artifact@v4
+        id: download-pr-info
+        with:
+          github-token: ${{ github.token }}
+          run-id: ${{ github.event.workflow_run.id }}
+          name: pr_info
+
+      - name: Get PR info
+        id: pr-info
+        env:
+          PR_INFO_FILE: ${{ steps.download-pr-info.outputs.download-path }}/pr_info.json
+        # jq-magic to convert the JSON object into a list of key=value pairs for $GITHUB_OUTPUT
+        run:
+          jq -r 'to_entries[] | select(.value | type != "object") | "\(.key)=\(.value)"' "$PR_INFO_FILE" >> "$GITHUB_OUTPUT"
+
+      - name: Print PR info
+        env:
+          PR_ACTION: ${{ steps.pr-info.outputs.action }}
+          PR_LABEL: ${{ steps.pr-info.outputs.label }}
+          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
+        run: |
+          echo "PR action: $PR_ACTION"
+          echo "PR label: $PR_LABEL"
+          echo "PR number: $PR_NUMBER"
+
+      - name: Checkout Grafana
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 2
+          fetch-tags: false
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: true
+
+      - name: Configure git user
+        run: |
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local --add --bool push.autoSetupRemote true
+
+      - name: Run backport
+        uses: grafana/grafana-github-actions-go/backport@dev
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          # If triggered by being labelled, only backport that label.
+          # Otherwise, the action will backport all labels.
+          pr_label: ${{ steps.pr-info.outputs.action == 'labeled' && steps.pr-info.outputs.label || '' }}
+          pr_number: ${{ steps.pr-info.outputs.pr_number }}
+          repo_owner: ${{ github.repository_owner }}
+          repo_name: ${{ github.event.repository.name }}
@@ -1,32 +0,0 @@
-name: Backport PR Creator
-on:
-  pull_request_target:
-    types:
-      - closed
-      - labeled
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4 # 4.2.2
-        with:
-          persist-credentials: false
-      - run: git config --local user.name "github-actions[bot]"
-      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
-      - run: git config --local --add --bool push.autoSetupRemote true
-      - name: Set remote URL
-        env:
-          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
-      - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
@@ -44,4 +44,4 @@ jobs:
          git add .
          git commit -m "bump version ${VERSION}"
          git push
-          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
+          gh pr create --dry-run="$DRY_RUN" -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
@@ -22,11 +22,10 @@ on:
        required: false
        default: false
        type: boolean
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
+      work_branch:
+        required: false
+        type: string
+        description: "Use specific branch for changelog"

  workflow_dispatch:
    inputs:
@@ -50,6 +49,10 @@ on:
        required: false
        default: false
        type: boolean
+      work_branch:
+        required: false
+        type: string
+        description: "Use specific branch for changelog"

 permissions: {}

@@ -67,25 +70,32 @@ jobs:
      contents: write
      pull-requests: write
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
        with:
          ref: main
          sparse-checkout: |
            .github/workflows
+            .github/actions
            CHANGELOG.md
            .nvmrc
            .prettierignore
            .prettierrc.js
          fetch-depth: 0
          fetch-tags: true
-          persist-credentials: false
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
@@ -96,7 +106,20 @@ jobs:
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true
      - name: "Create branch"
-        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
+        run: |
+          if [[ "$WORK_BRANCH" == '' ]]; then
+            git switch -c "changelog/${RUN_ID}/${VERSION}"
+            exit 0
+          fi
+
+          # Checkout the changelog branch if exists, otherwise create a new one
+          if git show-ref --verify --quiet "refs/remotes/origin/$WORK_BRANCH"; then
+            git switch --track "origin/$WORK_BRANCH"
+          else
+            git switch -c "$WORK_BRANCH"
+          fi
+        env:
+          WORK_BRANCH: ${{ inputs.work_branch }}
      - name: "Generate changelog"
        id: changelog
        uses: ./.github/actions/changelog
@@ -140,16 +163,29 @@ jobs:
      - name: "Commit changelog changes"
        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
      - name: "git push"
-        if: ${{ inputs.dry_run }} != true
+        if: inputs.dry_run != true
        run: git push
      - name: "Create changelog PR"
-        run: >
-          gh pr create \
-            --dry-run=${DRY_RUN} \
-            --label "no-backport" \
-            --label "no-changelog" \
-            -B "${TARGET}" \
-            --title "Release: update changelog for ${VERSION}" \
-            --body "Changelog changes for release ${VERSION}"
+        run: |
+          if gh pr view &>/dev/null; then
+            echo "Changelog pr has already been created"
+          else
+
+            gh pr create \
+              --dry-run="${DRY_RUN}" \
+              --label "no-backport" \
+              --label "no-changelog" \
+              -B "${TARGET}" \
+              --title "Release: update changelog for ${TARGET}" \
+              --body "Changelog changes for release versions:"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: "Add release version to PR description"
+        if: inputs.dry_run != true
+        run: |
+          gh pr view --json body --jq .body > pr_body.md
+          echo " -  ${VERSION}" >> pr_body.md
+          gh pr edit --body-file pr_body.md
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -4,9 +4,13 @@ on:
  pull_request:
    branches: [ main ]

+permissions: {}
+
 jobs:
  codeowners-validator:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      # Checks-out your repository, which is validated in the next step
      - uses: actions/checkout@v4
@@ -23,7 +27,7 @@ jobs:

          # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
          experimental_checks: "notowned,avoid-shadowing"
-          
+
          # The repository path in which CODEOWNERS file should be validated."
          repository_path: "."

@@ -37,4 +41,4 @@ jobs:
          owner_checker_allow_unowned_patterns: "false"

          # Specifies whether only teams are allowed as owners of files.
-          owner_checker_owners_must_be_teams: "false"          
+          owner_checker_owners_must_be_teams: "false"
@@ -33,8 +33,9 @@ jobs:
      fail-fast: false
      matrix:
        # Override automatic language detection by changing the below list
-        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
-        language: ['javascript', 'go', 'python']
+        # Supported options are listed here
+        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
+        language: ['actions', 'javascript', 'go']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

@@ -24,7 +24,7 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then
+          if [ "${{ github.repository }}" == "grafana/grafana" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

@@ -42,15 +42,15 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
-            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem

-      - name: "Generate token"
+      - name: Generate token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}

      - name: Checkout Actions
        uses: actions/checkout@v4 # v4.2.2
@@ -65,6 +65,6 @@ jobs:
      - name: Run Commands
        uses: ./actions/commands
        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          metricsWriteAPIKey: ""
          token: ${{ steps.generate_token.outputs.token }}
          configPath: commands
@@ -11,11 +11,6 @@ on:
        required: false
        default: false
        description: When enabled, this workflow will print a preview instead of creating an actual post.
-    secrets:
-      GRAFANA_MISC_STATS_API_KEY:
-        required: true
-      GRAFANABOT_FORUM_KEY:
-        required: true
  workflow_dispatch:
    inputs:
      version:
@@ -30,17 +25,25 @@ on:

 permissions:
  contents: read
+  id-token: write

 jobs:
  main:
    runs-on: ubuntu-latest
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/community_release path in Vault
+          repo_secrets: |
+            GRAFANABOT_FORUM_KEY=community_release:GRAFANABOT_FORUM_KEY
+
      - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/community-release@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
-          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
-          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
+          community_api_key: ${{ env.GRAFANABOT_FORUM_KEY }}
          community_api_username: grafanabot
          dry_run: ${{ inputs.dry_run }}
@@ -48,7 +48,7 @@ jobs:
          persist-credentials: false
      - name: Verify inputs
        run: |
-          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z "$PLUGIN_ID" ]; then echo "Missing plugin ID"; exit 1; fi
      - id: get-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
        with:
@@ -72,13 +72,13 @@ jobs:
        shell: bash
        id: get_dir
        run: |
-          dir=$(dirname \
-            $(egrep -lir --include=plugin.json --exclude-dir=dist \
-              '"id": "${PLUGIN_ID}"' \
+          dir="$(dirname \
+            "$(grep -Elir --include=plugin.json --exclude-dir=dist \
+              '"id": "'"${PLUGIN_ID}"'"' \
              public/app/plugins \
-            ) \
-          )
-          echo "dir=${dir}" >> $GITHUB_OUTPUT
+            )" \
+          )"
+          echo "dir=${dir}" >> "$GITHUB_OUTPUT"
      - name: Install frontend dependencies
        shell: bash
        working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -88,17 +88,17 @@ jobs:
        shell: sh
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
-          [ ! -d ./bin ] && mkdir -pv ./bin || true
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
+          mkdir -pv ./bin
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v"$GRABPL_VERSION"/grabpl
          chmod 0755 ./bin/grabpl
      - name: Check backend
        id: check_backend
        shell: bash
        run: |
-          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
-            echo "has_backend=true" >> $GITHUB_OUTPUT
+          if grep -Eqr --include=main.go 'datasource.Manage\('"$PLUGIN_ID" pkg/tsdb; then
+            echo "has_backend=true" >> "$GITHUB_OUTPUT"
          else
-            echo "has_backend=false" >> $GITHUB_OUTPUT
+            echo "has_backend=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Setup golang environment
        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
@@ -149,6 +149,8 @@ jobs:
      - name: build:frontend
        shell: bash
        id: build_frontend
+        env:
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
        run: |
          command="plugin:build:commit"
          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
@@ -156,15 +158,15 @@ jobs:
            command="plugin:build"
          fi
          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
-          version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
-          echo "version=${version}" >> $GITHUB_OUTPUT
+          version="$(jq -r .info.version "$OUTPUT_DIR"/dist/plugin.json)"
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
      - name: build:backend
        if: steps.check_backend.outputs.has_backend == 'true'
        shell: bash
        env:
          VERSION: ${{ steps.build_frontend.outputs.version }}  
        run: |
-          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
+          make build-plugin-go PLUGIN_ID="$PLUGIN_ID"
      - name: package
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
@@ -177,16 +179,17 @@ jobs:
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}  
+          GCOM_API: ${{ env.GCOM_API }}
        run: |
-          api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
-            -H 'accept: application/json')
-          api_res_code=$(echo $api_res | jq -r .code)
+          api_res="$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
+            "$GCOM_API/api/plugins/$PLUGIN_ID?version=$VERSION" \
+            -H 'accept: application/json')"
+          api_res_code="$(echo "$api_res" | jq -r .code)"
          if [ "$api_res_code" = "NotFound" ]; then
            echo "No existing release found"
          else
            echo "Expecting a missing release, got:"
-            echo $api_res
+            echo "$api_res"
            exit 1
          fi
      - name: store build artifacts
@@ -197,55 +200,46 @@ jobs:
      - name: Publish release to Google Cloud Storage
        working-directory: ${{ steps.get_dir.outputs.dir }}
        env:
-          VERSION: ${{ steps.build_frontend.outputs.version }}  
+          VERSION: ${{ steps.build_frontend.outputs.version }}
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
        run: |
          echo "Publish release to Google Cloud Storage:"
+          set -x
          touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
-          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
-          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
-          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
+          gsutil -m cp -r ci/packages/*windows* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/windows"
+          gsutil -m cp -r ci/packages/*linux* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/linux"
+          gsutil -m cp -r ci/packages/*darwin* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/darwin"
+          gsutil -m cp -r ci/packages/*any* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any"
      - name: Publish new plugin version on grafana.com
        if: steps.check_backend.outputs.has_backend == 'true'
        working-directory: ${{ steps.get_dir.outputs.dir }}
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}  
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
+          GCOM_API: ${{ env.GCOM_API }}
        run: |
          echo "Publish new plugin version on grafana.com:"
          echo "Plugin version: ${VERSION}"
-          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
-            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
-            \"download\": {
-              \"linux-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
-                \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
-              },
-              \"linux-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
-                \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
-              },
-              \"linux-arm\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
-                \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
-              },
-              \"windows-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
-                \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
-              },
-              \"darwin-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
-                \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
-              },
-              \"darwin-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
-                \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
-              }
-            }
-          }"`
-          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
+
+          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
+          jq -n '{"url": env.OUTPUT_URL}' > body.json
+          osarchs=(linux_amd64 linux_arm64 linux_arm windows_amd64 darwin_amd64 darwin_arm64)
+          for osarch in "${osarchs[@]}"; do
+            echo "Processing $osarch"
+            KEY="${osarch//_/-}" \
+            OSARCH="$osarch" \
+            jq -s '. as $i | .[0] | .download[env.KEY] = {
+              "url": "https://storage.googleapis.com/\(env.GCP_BUCKET)/\(env.PLUGIN_ID)/release/\(env.VERSION)/linux/\(env.PLUGIN_ID)-\(env.VERSION).\(env.OSARCH).zip",
+              "md5": $i[1].plugin.md5
+            }' body.json ci/packages/info-"$osarch".json > tmp.json && mv tmp.json body.json
+          done
+
+          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
+          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
            echo "Failed to publish plugin version. Got:"
-            echo $result
+            echo "$result"
            exit 1
          fi
      - name: Publish new plugin version on grafana.com (frontend only)
@@ -254,20 +248,29 @@ jobs:
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}
+          GCOM_API: ${{ env.GCOM_API }}
+          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
+          GCP_BUCKET: ${{ env.GCP_BUCKET }}
        run: |
          echo "Publish new plugin version on grafana.com:"
          echo "Plugin version: ${VERSION}"
-          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
-            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
-            \"download\": {
-              \"any\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
-                \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
+
+          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
+          DOWNLOAD_URL="https://storage.googleapis.com/$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip" \
+          MD5_CHECKSUM="$(jq -r '.plugin.md5' ci/packages/info-any.json)" \
+          jq -rn '{
+            "url": env.OUTPUT_URL,
+            "download": {
+              "any": {
+                "url": env.DOWNLOAD_URL,
+                "md5": env.MD5_CHECKSUM
              }
            }
-          }"`
-          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
+          }' > body.json
+
+          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
+          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
            echo "Failed to publish plugin version. Got:"
-            echo $result
+            echo "$result"
            exit 1
          fi
@@ -10,11 +10,6 @@ on:
        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
        type: string
        required: true
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
    outputs:
      branch:
        description: The new branch that was created
@@ -27,23 +22,32 @@ on:
        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
        type: string
        required: true
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
  main:
    runs-on: ubuntu-latest
    outputs:
      branch: ${{ steps.branch.outputs.branch }}
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          repositories: "[\"grafana\", \"grafana-enterprise\"]"
+          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
      - name: Create release branch
        id: branch
        uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
@@ -11,7 +11,7 @@ env:
  ORGANIZATION: ${{ github.repository_owner }}
  REPO: ${{ github.event.repository.name }}
  TARGET_PROJECT: 202
-  LABEL_IDs: "LA_kwDOAOaWjc8AAAABT38U-A"
+  LABEL_IDS: "LA_kwDOAOaWjc8AAAABT38U-A"

 concurrency:
  group: issue-label-when-in-project-${{ github.event.number }}
@@ -26,25 +26,26 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
-            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem

-      - name: "Generate token"
+      - name: Generate token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
      - name: Check if issue is in target project
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
        run: |
+          # shellcheck disable=SC2016 # we don't want the $s to be expanded
          gh api graphql -f query='
-            query($org: String!, $repo: String!) {
+            query($org: String!, $repo: String!, $issueNumber: Int!) {
              repository(name: $repo, owner: $org) {
-                issue (number: $ISSUE_NUMBER) {
+                issue (number: $issueNumber) {
                  id
                  projectItems(first:20) {
                    nodes {
@@ -55,15 +56,18 @@ jobs:
                  }
                }
              }
-            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
+            }' -f org="$ORGANIZATION" -f repo="$REPO" -F issueNumber="$ISSUE_NUMBER" > projects_data.json

-            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
-            echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
+            {
+              echo "IN_TARGET_PROJ=$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json)"
+              echo "ITEM_ID=$(jq '.data.repository.issue.id' projects_data.json)"
+            } >> "$GITHUB_ENV"
      - name: Set up label array
        if: env.IN_TARGET_PROJ
        env:
          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
+          # shellcheck disable=SC2153 # we define the variable on the line above in 'read'
          IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
          for item in "${LABEL_IDs[@]}"; do
            echo "Item: $item"
@@ -74,6 +78,7 @@ jobs:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
+          # shellcheck disable=SC2016 # we don't want the $s to be expanded
          gh api graphql -f query='
            mutation ($labelableId: ID!, $labelIds: [ID!]!) {
              addLabelsToLabelable(
@@ -81,4 +86,4 @@ jobs:
              ) {
                  clientMutationId
              }
-            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS
+            }' -f labelableId="$ITEM_ID" -f labelIds="$LABEL_IDS"
@@ -9,6 +9,8 @@ on:
    paths:
      - "docs/sources/**"

+permissions: {}
+
 jobs:
  deploy-pr-preview:
    permissions:
@@ -31,6 +31,7 @@ jobs:
        with:
          path: './pr'
          persist-credentials: false
+
      - uses: actions/setup-node@v4
        with:
          node-version: 22.11.0
@@ -81,6 +82,7 @@ jobs:
        with:
          path: './base'
          ref: ${{ github.event.pull_request.base.ref }}
+          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
@@ -129,6 +131,9 @@ jobs:

    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
      - uses: actions/setup-node@v4
        with:
          node-version: 22.11.0
@@ -152,8 +157,8 @@ jobs:
      - id: 'auth'
        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
        with:
-          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
-          service_account: ${{ secrets.LEVITATE_SA }}
+          workload_identity_provider: projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider
+          service_account: github-plugins-data-levitate@grafanalabs-workload-identity.iam.gserviceaccount.com
          project_id: 'grafanalabs-global'

      - name: 'Set up Cloud SDK'
@@ -172,7 +177,11 @@ jobs:
      - name: Persisting the check output
        run: |
            mkdir -p ./levitate
-            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json
+            echo "{ \"exit_code\": ${IS_BREAKING}, \"message\": \"${MESSAGE}\", \"pr_number\": \"${PR_NUMBER}\" }" > ./levitate/result.json
+        env:
+          IS_BREAKING: ${{ steps.breaking-changes.outputs.is_breaking }}
+          MESSAGE: ${{ steps.breaking-changes.outputs.message }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}

      - name: Upload check output as artifact
        uses: actions/upload-artifact@v4
@@ -190,14 +199,24 @@ jobs:
      id-token: write

    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
        with:
-          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
+          # Secrets placed in the ci/repo/grafana/grafana in vault
+          repo_secrets: |
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+
+      - name: Generate token
+        id: generate_token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: 'Download artifact'
        uses: actions/download-artifact@v4
@@ -205,7 +224,7 @@ jobs:
          name: levitate

      - name: Parsing levitate result
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        id: levitate-run
        with:
          script: |
@@ -216,7 +235,7 @@ jobs:
      # Check if label exists
      - name: Check if "levitate breaking change" label exists
        id: does-label-exist
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
@@ -295,7 +314,7 @@ jobs:
                  "fields": [
                    {
                      "type": "mrkdwn",
-                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>"
+                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n\nAuthor: ${{ github.event.pull_request.user.login }}"
                    },
                    {
                      "type": "mrkdwn",
@@ -309,7 +328,7 @@ jobs:
      # Add the label
      - name: Add "levitate breaking change" label
        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -325,7 +344,7 @@ jobs:
      # Remove label (no more breaking changes)
      - name: Remove "levitate breaking change" label
        if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -343,7 +362,7 @@ jobs:
      # Related issue: https://github.com/renovatebot/renovate/issues/1908
      - name: Add "grafana/plugins-platform-frontend" as a reviewer
        if: steps.levitate-run.outputs.exit_code == 1
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -360,7 +379,7 @@ jobs:
      # Remove reviewers (no more breaking changes)
      - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
        if: steps.levitate-run.outputs.exit_code == 0
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -376,9 +395,11 @@ jobs:

      - name: Exit
        run: |
-          if [ "${{ steps.levitate-run.outputs.exit_code }}" -ne 0 ]; then
+          if [ "${LV_EXIT_CODE}" -ne 0 ]; then
            echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
          fi

-          exit ${{ steps.levitate-run.outputs.exit_code }}
+          exit "${LV_EXIT_CODE}"
        shell: bash
+        env:
+          LV_EXIT_CODE: ${{ steps.levitate-run.outputs.exit_code }}
@@ -4,11 +4,18 @@ on:
    branches: ["main"]
    paths: ["docs/sources/**"]
  workflow_dispatch:
+
+permissions: {}
+
 jobs:
  vale:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
    container:
-      image: grafana/vale:latest
+      image: grafana/vale:latest # zizmor: ignore[unpinned-images]
    steps:
      - uses: actions/checkout@v4
        with:
@@ -0,0 +1,42 @@
+name: Run e2e for dashboardNewLayouts
+
+on:
+  pull_request:
+    branches:
+      - '**' 
+    paths:
+      - 'e2e/dashboard-new-layouts/**'
+      - 'public/app/features/dashboard-scene/**'
+
+env:
+  ARCH: linux-amd64
+
+jobs:
+  dashboard-new-layouts-e2e:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Pin Go version to mod file
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - run: go version
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'yarn'
+      - name: Install dependencies
+        run: yarn install --immutable
+      - name: Build grafana
+        run: make build
+      - name: Install Cypress dependencies
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          runTests: false
+      - name: Run dashboardNewLayouts e2e
+        run: yarn e2e:dashboard-new-layouts
@@ -1,47 +1,48 @@
-name: 'Ephemeral instances'
+name: "Ephemeral instances"
+
 on:
  issue_comment:
    types: [created]
  pull_request:
    types: [closed]
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.EI_APP_ID != '' &&
-                        secrets.EI_APP_PRIVATE_KEY != '' &&
-                        secrets.EI_GCOM_HOST != '' &&
-                        secrets.EI_GCOM_TOKEN != '' &&
-                        secrets.EI_EPHEMERAL_INSTANCES_REGISTRY != '' &&
-                        secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 != '' &&
-                        secrets.EI_EPHEMERAL_ORG_ID != ''
-                        ) || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi

-  handle-pull-request-event:
-    needs: config
-    if: needs.config.outputs.has-secrets &&
-        ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') }}
+permissions: {}
+
+jobs:
+  handle-ephemeral-instances:
+    if: ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') && github.repository_owner == 'grafana' }}
    runs-on:
      labels: ubuntu-latest-8-cores
    continue-on-error: true
+    permissions:
+      # For commenting.
+      pull-requests: write
+      # No contents permission is needed because we will impersonate an app to create the PR instead.
+      id-token: write # required for vault access
+
    steps:
+      - name: Get vault secrets
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in ci/repo/grafana/grafana/
+          repo_secrets: |
+            APP_ID=ephemeral-instances-bot:app-id
+            APP_PEM=ephemeral-instances-bot:app-private-key
+            GCOM_HOST=ephemeral-instances-bot:gcom-host
+            GCOM_TOKEN=ephemeral-instances-bot:gcom-token
+            REGISTRY=ephemeral-instances-bot:registry
+            GCP_SA_ACCOUNT_KEY_BASE64=ephemeral-instances-bot:sa-key
+
      - name: Generate a GitHub app installation token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
        with:
-          app_id: ${{ secrets.EI_APP_ID }}
-          private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}
+          app_id: ${{ env.APP_ID }}
+          private_key: ${{ env.APP_PEM }}

      - name: Checkout ephemeral instances repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          repository: grafana/ephemeral-grafana-instances-github-action
          token: ${{ steps.generate_token.outputs.token }}
@@ -52,11 +53,11 @@ jobs:
      - name: build and deploy ephemeral instance
        uses: ./ephemeral
        with:
-          github-token:  ${{ steps.generate_token.outputs.token }}
-          gcom-host: ${{ secrets.EI_GCOM_HOST }}
-          gcom-token: ${{ secrets.EI_GCOM_TOKEN }}
-          registry: "${{ secrets.EI_EPHEMERAL_INSTANCES_REGISTRY }}"
-          gcp-service-account-key: "${{ secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 }}"
-          ephemeral-org-id: "${{ secrets.EI_EPHEMERAL_ORG_ID }}"
+          github-token: ${{ steps.generate_token.outputs.token }}
+          gcom-host: ${{ env.GCOM_HOST }}
+          gcom-token: ${{ env.GCOM_TOKEN }}
+          registry: "${{ env.REGISTRY }}"
+          gcp-service-account-key: ${{ env.GCP_SA_ACCOUNT_KEY_BASE64 }}
+          ephemeral-org-id: ephemeral
          oss-or-enterprise: oss
          verbose: true
@@ -7,9 +7,15 @@ on:
      - 'pkg/services/featuremgmt/registry.go'
      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'

+permissions: {}
+
 jobs:
  test:
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v4
        with:
@@ -26,13 +26,14 @@ jobs:
        cache-dependency-path: 'yarn.lock'
    - run: yarn install --immutable --check-cache
    - run: |
+        # shellcheck disable=SC2102,SC2016,SC2125 # this is just a string. we _want_ all the bash features to be disabled.
        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
        make i18n-extract || (echo "${extract_error_message}" && false)
    - run: |
        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
        file_diff=$(git diff --dirstat public/locales)
        if [ -n "$file_diff" ]; then
-            echo $file_diff
+            echo "$file_diff"
            echo "${uncommited_error_message}"
            exit 1
        fi
@@ -47,6 +48,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -65,6 +68,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -88,6 +93,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -105,6 +112,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -124,6 +133,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -34,6 +34,7 @@ on:
 permissions:
  # contents: write allows the action(s) to create github releases
  contents: write
+  id-token: write

 jobs:
  main:
@@ -44,6 +45,5 @@ jobs:
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
-          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
          latest: ${{ inputs.latest }}
          dry_run: ${{ inputs.dry_run }}
@@ -1,27 +1,14 @@
-name: Crowdin Create Tasks
+name: Crowdin automatic task management

 on:
  workflow_dispatch:
+  # once a week on Sunday at midnight
+  # TODO enable once we're ready to create tasks automatically
  # schedule:
-  #   - cron: "0 0 * * *"
+  #   - cron: "0 0 * * 0"

 jobs:
  create-tasks-in-crowdin:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-
-      - name: Create tasks
-        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
-        run: node ./.github/workflows/scripts/crowdin/create-tasks.js
+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-create-tasks.yml@main
+    with:
+      crowdin_project_id: 5
@@ -7,153 +7,9 @@ on:

 jobs:
  download-sources-from-crowdin:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: write # needed to commit changes into the PR
-      pull-requests: write # needed to update PR description, labels, etc
-      id-token: write # needed to get vault secrets
-
-    steps:
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
-
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-          token: ${{ steps.generate_token.outputs.token }}
-          persist-credentials: false
-
-      - name: Download sources
-        id: crowdin-download
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
-        with:
-          upload_sources: false
-          upload_translations: false
-          download_sources: false
-          download_translations: true
-          export_only_approved: true
-          localization_branch_name: i18n_crowdin_translations
-          create_pull_request: true
-          pull_request_title: 'I18n: Download translations from Crowdin'
-          pull_request_body:  |
-            :robot: Automatic download of translations from Crowdin.
-
-            This runs once per day and will merge automatically if all the required checks pass.
-
-            If there's a conflict, close the pull request and **delete the branch**.
-            You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
-          pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
-          pull_request_base_branch_name: 'main'
-          base_url: 'https://grafana.api.crowdin.com'
-          config: 'crowdin.yml'
-          source: 'public/locales/en-US/grafana.json'
-          translation: 'public/locales/%locale%/%original_file_name%'
-          # Magic details of the github-actions bot user, to pass CLA checks
-          github_user_name: "github-actions[bot]"
-          github_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
-
-      - name: Get pull request ID
-        if: steps.crowdin-download.outputs.pull_request_url
-        shell: bash
-        # Crowdin action returns us the URL of the pull request, but we need an ID for the GraphQL API
-        # that looks like 'PR_kwDOAOaWjc5mP_GU'
-        run: |
-          pr_id=$(gh pr view ${{ steps.crowdin-download.outputs.pull_request_url }} --json id -q .id)
-          echo "PULL_REQUEST_ID=$pr_id" >> "$GITHUB_ENV"
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      - name: Get project board ID
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
-        id: get-project-id
-        if: steps.crowdin-download.outputs.pull_request_url
-        with:
-          # Frontend Platform project - https://github.com/orgs/grafana/projects/78
-          org: grafana
-          project_number: 78
-          query: |
-            query getProjectId($org: String!, $project_number: Int!){
-              organization(login: $org) {
-                projectV2(number: $project_number) {
-                  title
-                  id
-                }
-              }
-            }
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      - name: Add to project board
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
-        if: steps.crowdin-download.outputs.pull_request_url
-        with:
-          projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
-          prid: ${{ env.PULL_REQUEST_ID }}
-          query: |
-            mutation addPullRequestToProject($projectid: ID!, $prid: ID!){
-              addProjectV2ItemById(input: {projectId: $projectid, contentId: $prid}) {
-                item {
-                  id
-                }
-              }
-            }
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
-        if: steps.crowdin-download.outputs.pull_request_url
-        with:
-          pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
-          token: ${{ steps.generate_token.outputs.token }}
-
-      - name: Get vault secrets
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
-          repo_secrets: |
-            GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
-            GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
-
-      - name: Generate approver token
-        if: steps.crowdin-download.outputs.pull_request_url
-        id: generate_approver_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
-          private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
-
-      - name: Approve and automerge PR
-        if: steps.crowdin-download.outputs.pull_request_url
-        shell: bash
-        # Only approve if:
-        # - the PR does not modify files other than json files under the public/locales/ directory
-        # - the PR does not modify the en-US locale
-        run: |
-          filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
-
-          if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
-            echo "Non-i18n changes detected, not approving"
-            exit 1
-          fi
-
-          if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
-            echo "public/locales/en-US changes detected, not approving"
-            exit 1
-          fi
-
-          echo "Approving and enabling automerge"
-          gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
-          gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}
+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-download.yml@main
+    with:
+      crowdin_project_id: 5
+      pr_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
+      github_board_id: 78 # Frontend Platform project
+      en_paths: public/locales/en-US/grafana.json, public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json, public/app/plugins/datasource/mssql/locales/en-US/mssql.json
@@ -5,31 +5,13 @@ on:
  push:
    paths:
      - 'public/locales/en-US/grafana.json'
+      - 'public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json'
+      - 'public/app/plugins/datasource/mssql/locales/en-US/mssql.json'
    branches:
      - main

 jobs:
  upload-sources-to-crowdin:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Upload sources
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
-        with:
-          upload_sources: true
-          upload_sources_args: '--dest=public/locales/en-US/grafana.json'
-          upload_translations: false
-          download_translations: false
-          create_pull_request: false
-          base_url: 'https://grafana.api.crowdin.com'
-          config: 'crowdin.yml'
-          source: 'public/locales/en-US/grafana.json'
-          translation: 'public/locales/%locale%/%original_file_name%'
-        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+    uses: grafana/grafana-github-actions/.github/workflows/crowdin-upload.yml@main
+    with:
+      crowdin_project_id: 5
@@ -43,20 +43,19 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
-            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+            GITHUB_APP_ID=grafana_pr_automation_app:app_id
+            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem

-      - name: "Generate token"
+      - name: Generate token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}

      - name: Run Commands
        uses: ./actions/commands
        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
          token: ${{ steps.generate_token.outputs.token }}
          configPath: "issue-opened"

@@ -77,18 +76,20 @@ jobs:
          repo_secrets: |
            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
-            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
-            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+            GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
+            GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem

-      - name: "Generate token"
+      - name: Generate token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}

      - name: Checkout
        uses: actions/checkout@v4 # v4.2.2
+        with:
+          persist-credentials: false

      - name: Send issue to the auto triager action
        id: auto_triage
@@ -16,10 +16,16 @@ on:
      - 'packages/**/*.md'
      - 'latest.json'

+permissions: {}
+
 jobs:
  docs:
    name: Build & Verify Docs
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -45,18 +51,18 @@ jobs:
        run: |
          # Create and start a container from the docs-base image in detached mode
          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
-          
+
          # Create the directory structure inside the container
          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
-          
+
          # Create the _index.md file
          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
-          
+
          # Copy the docs sources from the host to the container
          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
-          
+
          # Run the make prod command inside the container
          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
-          
+
          # Clean up the container
          docker rm -f docs-builder
@@ -1,54 +0,0 @@
-#
-# When triggered by the cron job it will also collect metrics for:
-#  * number of issues without label
-#  * number of issues with "needs more info"
-#  * number of issues with "needs investigation"
-#  * number of issues with label type/bug
-#  * number of open issues in current milestone
-#
-# https://github.com/grafana/grafana-github-actions/blob/main/metrics-collector/index.ts
-#
-name: Github issue metrics collection
-on:
-  schedule:
-    - cron: "*/10 * * * *"
-  issues:
-    types: [opened, closed]
-
-permissions:
-  contents: read
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-          persist-credentials: false
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: Run metrics collector
-        uses: ./actions/metrics-collector
-        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.GITHUB_TOKEN}}
-          configPath: "metrics-collector"
@@ -15,11 +15,6 @@ on:
        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
        required: true
        type: string
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
  workflow_dispatch:
    inputs:
      from:
@@ -34,24 +29,30 @@ on:
        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
        required: true
        type: string
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID:
-        required: true
-      GRAFANA_DELIVERY_BOT_APP_PEM:
-        required: true
+
+permissions:
+  contents: read
+  id-token: write

 jobs:
  main:
    runs-on: ubuntu-latest
    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Migrate PRs
-        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main
        with:
          token: ${{ steps.generate_token.outputs.token }}
          ownerRepo: ${{ inputs.ownerRepo }}
@@ -1,71 +0,0 @@
-name: Coverage
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - 'docs/**'
-      - '**/*.md'
-
-permissions:
-  contents: read
-  id-token: write
-
-env:
-  EDITION: 'oss'
-  WIRE_TAGS: 'oss'
-
-jobs:
-  main:
-    name: Backend Unit Tests
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y build-essential shared-mime-info
-          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
-      - name: Generate Go code
-        run: make gen-go
-      - name: Run unit tests
-        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
-      - name: Process and upload coverage
-        uses: ./.github/actions/test-coverage-processor
-        with:
-          test-type: 'be-unit'
-          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
-          coverage-file: 'unit.cov'
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
-          codecov-flag: 'be-unit'
-          codecov-name: 'be-unit'
-
-      - name: Install Grafana Bench
-        # We can't allow forks here, as we need secret access.
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: ./.github/actions/setup-grafana-bench
-
-      - name: Process output for Bench
-        if: ${{ github.event_name != 'pull_request' }}
-        run: |
-          grafana-bench report \
-            --trigger pr-backend-unit-tests-oss \
-            --report-input go \
-            --report-output log \
-            --grafana-version "$(git rev-parse HEAD)" \
-            --suite-name grafana-oss-unit-tests \
-            /tmp/unit.log || true
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
@@ -25,11 +25,24 @@ jobs:
        fetch-depth: 2
        persist-credentials: false

+    - name: Check for Python files
+      id: check-python
+      run: |
+        if [ -z "$(find . -name '*.py' -type f)" ]; then
+          echo "No Python files found, skipping analysis"
+          echo "skip=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Python files found, proceeding with analysis"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+        fi
+
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
+      if: steps.check-python.outputs.skip != 'true'
      uses: github/codeql-action/init@v3
      with:
        languages: "python"

    - name: Perform CodeQL Analysis
+      if: steps.check-python.outputs.skip != 'true'
      uses: github/codeql-action/analyze@v3
@@ -5,28 +5,14 @@ on:
      - labeled
      - opened
      - synchronize
+permissions: {}
 concurrency:
  group: pr-commands-${{ github.event.number }}
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_PR_AUTOMATION_APP_ID != '' &&
-                        secrets.GRAFANA_PR_AUTOMATION_APP_PEM != '' &&
-                        secrets.GRAFANA_MISC_STATS_API_KEY != ''
-                        ) || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
+    permissions:
+      contents: read
+      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
@@ -38,15 +24,8 @@ jobs:
          persist-credentials: false
      - name: Install Actions
        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
      - name: Run Commands
        uses: ./actions/commands
        with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{ steps.generate_token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
          configPath: pr-commands
@@ -65,5 +65,5 @@ jobs:
        if ! git diff --exit-code --quiet; then
          echo "Committing and pushing workspace changes"
          git commit -a -m "update workspace"
-          git push origin $BRANCH_NAME
+          git push origin "$BRANCH_NAME"
        fi
@@ -11,27 +11,26 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}

+permissions: {}
+
 jobs:
  build-grafana:
    name: Build & Package Grafana
    runs-on: ubuntu-latest-16-cores
+    permissions:
+      contents: read
    outputs:
      artifact: ${{ steps.artifact.outputs.artifact }}
    steps:
-      - uses: actions/checkout@v4
-        with:
-          repository: 'grafana/grafana-build'
-          ref: 'main'
-          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          path: ./grafana
-      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
+          persist-credentials: false
      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
        with:
          verb: run
-          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
-      - run: mv $(cat out.txt) grafana.tar.gz
+          args: go -C grafana run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir="${PWD}/grafana" > out.txt
+      - run: mv "$(cat out.txt)" grafana.tar.gz
      - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
        id: artifact
      - uses: actions/upload-artifact@v4
@@ -40,33 +39,98 @@ jobs:
          retention-days: 1
          name: ${{ steps.artifact.outputs.artifact }}
          path: grafana.tar.gz
-  e2e-matrix:
+
+  build-e2e-runner:
+    name: Build E2E test runner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      artifact: ${{ steps.artifact.outputs.artifact }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: ${{ !github.event.pull_request.head.repo.fork }}
+      - name: Build E2E test runner
+        id: artifact
+        run: |
+          # We want a static binary, so we need to set CGO_ENABLED=0
+          CGO_ENABLED=0 go build -o ./e2e-runner ./e2e/
+          echo "artifact=e2e-runner-${{github.run_number}}" >> "$GITHUB_OUTPUT"
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          retention-days: 1
+          name: ${{ steps.artifact.outputs.artifact }}
+          path: e2e-runner
+
+  run-e2e-tests:
+    needs:
+      - build-grafana
+      - build-e2e-runner
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - suite: various-suite
+            path: e2e/various-suite
+          - suite: dashboards-suite
+            path: e2e/dashboards-suite
+          - suite: smoke-tests-suite
+            path: e2e/smoke-tests-suite
+          - suite: panels-suite
+            path: e2e/panels-suite
+          - suite: various-suite (old arch)
+            path: e2e/old-arch/various-suite
+            flags: --flags="--env dashboardScene=false"
+          - suite: dashboards-suite (old arch)
+            path: e2e/old-arch/dashboards-suite
+            flags: --flags="--env dashboardScene=false"
+          - suite: smoke-tests-suite (old arch)
+            path: e2e/old-arch/smoke-tests-suite
+            flags: --flags="--env dashboardScene=false"
+          - suite: panels-suite (old arch)
+            path: e2e/old-arch/panels-suite
+            flags: --flags="--env dashboardScene=false"
    name: ${{ matrix.suite }}
-    strategy:
-      matrix:
-        suite:
-          - various-suite
-          - dashboards-suite
-          - smoke-tests-suite
-          - panels-suite
-    needs:
-      - build-grafana
-    uses: ./.github/workflows/run-e2e-suite.yml
-    with:
-      package: ${{ needs.build-grafana.outputs.artifact }}
-      suite: ${{ matrix.suite }}
-  e2e-matrix-old-arch:
-    name: ${{ matrix.suite }} (old arch)
-    strategy:
-      matrix:
-        suite:
-          - old-arch/various-suite
-          - old-arch/dashboards-suite
-          - old-arch/smoke-tests-suite
-          - old-arch/panels-suite
-    needs:
-      - build-grafana
-    uses: ./.github/workflows/run-e2e-suite.yml
-    with:
-      package: ${{ needs.build-grafana.outputs.artifact }}
-      suite: ${{ matrix.suite }}
+    runs-on: ubuntu-latest-8-cores
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-grafana.outputs.artifact }}
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-e2e-runner.outputs.artifact }}
+      - name: chmod +x
+        run: chmod +x ./e2e-runner
+      - name: Run E2E tests
+        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./pkg/build/e2e --package=grafana.tar.gz
+            --suite=${{ matrix.path }}
+            ${{ matrix.flags }}
+      - name: Set suite name
+        id: set-suite-name
+        if: success() || failure()
+        env:
+          SUITE: ${{ matrix.path }}
+        run: |
+          echo "suite=$(echo "$SUITE" | sed 's/\//-/g')" >> "$GITHUB_OUTPUT"
+      - uses: actions/upload-artifact@v4
+        if: success() || failure()
+        with:
+          name: ${{ steps.set-suite-name.outputs.suite }}-${{ github.run_number }}
+          path: videos
+          retention-days: 1
@@ -0,0 +1,25 @@
+name: External PR labelling
+
+on:
+  # We need "write" permissions on the PR to be able to add a label.
+  pull_request_target: # zizmor: ignore[dangerous-triggers] We need this to have labelling permissions. There are no user inputs here, so we should be fine.
+    types:
+      - opened
+
+permissions: {}
+
+jobs:
+  label-if-external:
+    name: Add 'pr/external' label if the PR is external
+    if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # to write the label
+
+    steps:
+      - name: Add the 'pr/external' label
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          echo "Adding 'pr/external' label to the PR"
+          gh pr edit "$PR_NUMBER" --add-label pr/external
@@ -52,6 +52,8 @@ jobs:
        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
    steps:
    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -1,63 +1,27 @@
-# Owned by grafana-delivery-squad
-# Intended to be dropped into the base repo Ex: grafana/grafana
 name: Dispatch check for patch conflicts
-run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
 on:
-  pull_request_target:
+  pull_request:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - "main"
-      - "v*.*.*"
      - "release-*"

-permissions: {}
+permissions:
+  id-token: write
+  contents: read

 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
  dispatch-job:
-    permissions:
-      id-token: write
-      contents: read
-      actions: write
-    env:
-      HEAD_REF: ${{ github.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-      REPO: ${{ github.repository }}
-      SENDER: ${{ github.event.sender.login }}
-      SHA: ${{ github.sha }}
-      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: "Dispatch job"
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'security-patch-actions',
-                workflow_id: 'test-patches-event.yml',
-                ref: 'main',
-                inputs: {
-                  src_repo: REPO,
-                  src_ref: HEAD_REF,
-                  src_merge_sha: SHA,
-                  src_pr_commit_sha: PR_COMMIT_SHA,
-                  patch_repo: REPO + '-security-patches',
-                  patch_ref: BASE_REF,
-                  triggering_github_handle: SENDER
-                }
-            })
+    uses: grafana/grafana/.github/workflows/pr-patch-check.yml@main
+    with:
+      head_ref: ${{ github.head_ref }}
+      base_ref: ${{ github.base_ref }}
+      repo: ${{ github.repository }}
+      sender_login: ${{ github.event.sender.login }}
+      sha: ${{ github.sha }}
+      pr_commit_sha: ${{ github.event.pull_request.head.sha }}
@@ -0,0 +1,78 @@
+name: Dispatch check for patch conflicts
+on:
+  workflow_call:
+    inputs:
+      head_ref:
+        type: string
+        required: true
+      base_ref:
+        type: string
+        required: true
+      repo:
+        type: string
+        required: true
+      sender_login:
+        type: string
+        required: true
+      sha:
+        type: string
+        required: true
+      pr_commit_sha:
+        type: string
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  dispatch-job:
+    env:
+      HEAD_REF: ${{ inputs.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+      REPO: ${{ inputs.repo }}
+      SENDER: ${{ inputs.sender_login }}
+      SHA: ${{ inputs.sha }}
+      PR_COMMIT_SHA: ${{ inputs.pr_commit_sha }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          permissions: "{\"actions\": \"write\", \"workflows\": \"write\"}"
+          repositories: "[\"security-patch-actions\"]"
+      - name: "Dispatch job"
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'test-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_repo: REPO,
+                  src_ref: HEAD_REF,
+                  src_merge_sha: SHA,
+                  src_pr_commit_sha: PR_COMMIT_SHA,
+                  patch_repo: REPO + '-security-patches',
+                  patch_ref: BASE_REF,
+                  triggering_github_handle: SENDER
+                }
+            })
@@ -15,6 +15,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}

+permissions: {}
+
 jobs:
  sqlite:
    strategy:
@@ -27,6 +29,8 @@ jobs:

    name: Sqlite (${{ matrix.shard }})
    runs-on: ubuntu-latest-8-cores
+    permissions:
+      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -56,6 +60,8 @@ jobs:

    name: MySQL (${{ matrix.shard }})
    runs-on: ubuntu-latest-8-cores
+    permissions:
+      contents: read
    env:
      GRAFANA_TEST_DB: mysql
      MYSQL_HOST: 127.0.0.1
@@ -73,6 +79,8 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -117,6 +125,8 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -8,25 +8,17 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    if: github.repository == 'grafana/grafana'
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
+permissions: {}

+jobs:
  main:
-    needs: config
-    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    if: github.repository == 'grafana/grafana'
    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read # cloning repo
+      actions: read # reading .github/workflows/ dir
+      id-token: write # reading vault secrets
+
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@@ -42,12 +34,20 @@ jobs:
      - name: "Verify kinds"
        run: go run .github/workflows/scripts/kinds/verify-kinds.go

+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        run: "git clone --single-branch --no-tags --depth 1 -b master https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/website-sync ./.github/actions/website-sync"
@@ -10,25 +10,17 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    if: github.repository == 'grafana/grafana'
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
+permissions: {}

+jobs:
  main:
-    needs: config
-    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    if: github.repository == 'grafana/grafana'
    runs-on: "ubuntu-latest"
+    permissions:
+      contents: read # cloning repo
+      actions: read # reading .github/workflows/ dir
+      id-token: write # reading vault secrets
+
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@@ -50,6 +42,7 @@ jobs:
        with:
          repository: "grafana/grafana-github-actions"
          path: "./actions"
+          persist-credentials: false

      - name: "Install Actions from library"
        run: "npm install --production --prefix ./actions"
@@ -62,12 +55,20 @@ jobs:
          release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
          release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"

+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        if: "steps.has-matching-release-tag.outputs.bool == 'true'"
@@ -16,6 +16,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
        with:
          website_directory: content/docs/grafana/next
@@ -0,0 +1,31 @@
+name: Reject GitHub secrets
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - main
+      - release-*
+
+permissions: {}
+
+jobs:
+  reject-gh-secrets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Grep for secrets accesses
+        run: |
+          if grep -E '\$\{\{\s*secrets\s*\.\s*[a-zA-Z0-9_\-]+\s*\}\}' .github/workflows/*.yml | grep -vF 'secrets.GITHUB_TOKEN' | grep -vF '# nolint:reject-gh-secrets'; then
+            echo "Found secrets access in the codebase. Please remove it in favour of Vault secrets."
+            echo "If you are sure this is correct, add '# nolint:reject-gh-secrets' to the end of the line. Be VERY careful with this."
+            exit 1
+          fi
@@ -21,6 +21,11 @@ on:
    - 'main'
    - 'release-*.*.*'

+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
 jobs:
  setup:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) }}
@@ -30,6 +35,8 @@ jobs:
      release_branch: ${{ steps.output.outputs.release_branch }}
      dry_run: ${{ steps.output.outputs.dry_run }}
      latest: ${{ steps.output.outputs.latest }}
+      private_key: ${{ steps.output.outputs.delivery_bot_pem }}
+      app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
    env:
      HEAD_REF: ${{ github.head_ref }}
      DRY_RUN: ${{ inputs.dry_run }}
@@ -39,36 +46,34 @@ jobs:
    steps:
    - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
      run: |
-        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
-        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
-        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
+        {
+        echo "VERSION=$(echo "${HEAD_REF}" | sed -e 's/release\/.*\//v/g')"
+        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}"
+        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}"
+        } >> "$GITHUB_ENV"
    - id: output
      run: |
        echo "dry_run: $DRY_RUN"
        echo "latest: $LATEST"
        echo "version: $VERSION"

-        echo "release_branch=$(echo $VERSION | sed -s 's/^v/release-/g')" >> "$GITHUB_OUTPUT"
-        echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
-        echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
-        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+        {
+          echo "release_branch=$(echo "$VERSION" | sed -s 's/^v/release-/g')"
+          echo "dry_run=$DRY_RUN"
+          echo "latest=$LATEST"
+          echo "version=$VERSION"
+        } >> "$GITHUB_OUTPUT"
  create_next_release_branch_grafana:
    name: Create next release branch (Grafana)
    needs: setup
-    uses: ./.github/workflows/create-next-release-branch.yml
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
    with:
      ownerRepo: 'grafana/grafana'
      source: ${{ needs.setup.outputs.release_branch }}
  create_next_release_branch_enterprise:
    name: Create next release branch (Grafana Enterprise)
    needs: setup
-    uses: ./.github/workflows/create-next-release-branch.yml
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
    with:
      ownerRepo: 'grafana/grafana-enterprise'
      source: ${{ needs.setup.outputs.release_branch }}
@@ -92,10 +97,7 @@ jobs:
    needs:
      - setup
      - create_next_release_branch_grafana
-    uses: ./.github/workflows/migrate-prs.yml
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
    with:
      ownerRepo: 'grafana/grafana'
      from: ${{ needs.setup.outputs.release_branch }}
@@ -104,20 +106,14 @@ jobs:
    needs:
      - setup
      - create_next_release_branch_enterprise
-    uses: ./.github/workflows/migrate-prs.yml
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
    with:
      ownerRepo: 'grafana/grafana-enterprise'
      from: ${{ needs.setup.outputs.release_branch }}
      to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
  post_changelog_on_forum:
    needs: setup
-    uses: ./.github/workflows/community-release.yml
-    secrets:
-      GRAFANA_MISC_STATS_API_KEY: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
-      GRAFANABOT_FORUM_KEY: ${{ secrets.GRAFANABOT_FORUM_KEY }}
+    uses: grafana/grafana/.github/workflows/community-release.yml@main
    with:
      version: ${{ needs.setup.outputs.version }}
      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -126,7 +122,7 @@ jobs:
    # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API
    # endpoint.
    needs: setup
-    uses: ./.github/workflows/github-release.yml
+    uses: grafana/grafana/.github/workflows/github-release.yml@main
    with:
      version: ${{ needs.setup.outputs.version }}
      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -139,5 +135,5 @@ jobs:
      VERSION: ${{ needs.setup.outputs.version }}
    steps:
    - run: |
-        echo announce on slack that $VERSION has been released
-        echo dry run: $DRY_RUN
+        echo announce on slack that "$VERSION" has been released
+        echo dry run: "$DRY_RUN"
@@ -15,15 +15,15 @@ on:
      version:
        required: true
        type: string
-        description: The version of Grafana that is being released
-      target:
-        required: true
-        type: string
-        description: The release branch pattern (eg v9.5.x) that these changes are being merged into
-      backport:
+        description: The version of Grafana that is being released (without the `v` prefix)`
+      changelog:
        required: false
-        type: string
-        description: Branch to backport these changes to
+        type: boolean
+        default: true
+      bump:
+        required: false
+        type: boolean
+        default: true
      dry_run:
        required: false
        default: false
@@ -32,29 +32,63 @@ on:
        required: false
        default: false
        type: boolean
+      release_date:
+        required: false
+        type: string
+        description: "Release date in format YYYY-MM-DD"

-permissions: {}
+permissions:
+  contents: read

 jobs:
+  capture-date:
+    runs-on: ubuntu-latest
+    outputs:
+      release_date: ${{ steps.set_release_date.outputs.release_date }}
+    steps:
+      - name: compute_release_date
+        run: |
+          if [ -n "$DATE" ]; then
+            echo "release_date=$DATE" >> "$GITHUB_ENV"
+            exit 0
+          fi
+
+          echo "Fetching workflow run creation date..."
+          created_at=$(gh run view "$GITHUB_RUN_ID" --repo "$GH_REPO" --json createdAt -q .createdAt)
+          formatted_date=$(date -d "$created_at" +%Y-%m-%d)
+          echo "release_date=$formatted_date" >> "$GITHUB_ENV"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          DATE: ${{ inputs.release_date }}
+
+      - id: set_release_date
+        run: echo "release_date=$release_date" >> "$GITHUB_OUTPUT"
+
  push-changelog-to-main:
+    needs: capture-date
    permissions:
      contents: write
+      id-token: write
      pull-requests: write
+
    name: Create PR to main to update the changelog
    uses: ./.github/workflows/changelog.yml
+    concurrency:
+      group: grafana-release-pr-update-changelog-main
+      cancel-in-progress: false
    with:
      previous_version: ${{inputs.previous_version}}
      version: ${{ inputs.version }}
      latest: ${{ inputs.latest }}
      dry_run: ${{ inputs.dry_run }}
      target: main
-    secrets:
-      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      work_branch: changelog/update-changelog-${{ needs.capture-date.outputs.release_date }}

  create-prs:
    permissions:
      contents: write
+      id-token: write
      pull-requests: write
    name: Create Release PR
    runs-on: ubuntu-latest
@@ -64,55 +98,62 @@ jobs:
      LATEST: ${{ inputs.latest }}
      DRY_RUN: ${{ inputs.dry_run }}
    steps:
-      - name: Get release branch
-        id: branch
-        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          ownerRepo: 'grafana/grafana'
-          pattern: ${{ inputs.target }}
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+      - name: Generate token
+        id: generate_changelog_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          repositories: "[\"grafana\", \"grafana-enterprise\"]"
+          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
+      - run: echo "RELEASE_BRANCH=release-${VERSION}" >> "$GITHUB_ENV"
      - name: Checkout Grafana
        uses: actions/checkout@v4
        with:
-          ref: ${{ steps.branch.outputs.branch }}
+          token: ${{ steps.generate_changelog_token.outputs.token }}
+          ref: ${{ env.RELEASE_BRANCH }}
          fetch-tags: true
-          token: ${{ secrets.GITHUB_TOKEN }}
-          persist-credentials: false
+          fetch-depth: 0
      - name: Checkout Grafana (main)
        uses: actions/checkout@v4
        with:
+          token: ${{ steps.generate_changelog_token.outputs.token }}
          ref: main
          fetch-depth: '0'
-          fetch-tags: 'false'
          path: .grafana-main
-          token: ${{ secrets.GITHUB_TOKEN }}
-          persist-credentials: false
+
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
      - name: Configure git user
        run: |
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "grafana-delivery-bot[bot]"
+          git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true

      - name: Create branch
-        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
-      - name: Generate changelog token
-        id: generate_changelog_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+        run: git checkout -b "release/${{ github.run_number }}/$VERSION"
      - name: Generate changelog
        id: changelog
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        uses: ./.grafana-main/.github/actions/changelog
        with:
+          previous: ${{inputs.previous_version}}
          github_token: ${{ steps.generate_changelog_token.outputs.token }}
          target: v${{ env.VERSION }}
          output_file: changelog_items.md
      - name: Patch CHANGELOG.md
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: |
          # Prepare CHANGELOG.md content with version delimiters
          (
@@ -144,58 +185,43 @@ jobs:

          git diff CHANGELOG.md
      - name: "Prettify CHANGELOG.md"
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: npx prettier --write CHANGELOG.md
      - name: Commit CHANGELOG.md changes
+        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
-
-      - name: Update package.json versions
-        uses: ./.grafana-main/pkg/build/actions/bump-version
+      - name: Bump versions
+        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
+        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
        with:
-          version: 'patch'
+          verb: run
+          args: go run -C .grafana-main ./pkg/build/actions/bump-version -version="patch"

+      - name: make gen-cue
+        shell: bash
+        run: make gen-cue
      - name: Add package.json changes
+        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
        run: |
          git add package.json lerna.json yarn.lock packages public
          test -e e2e/test-plugins && git add e2e/test-plugins
          git commit -m "Update version to $VERSION"

      - name: Git push
-        if: ${{ inputs.dry_run }} != true
-        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
-
-      - name: Create PR without backports
-        if: "${{ inputs.backport == '' }}"
+        run: git push
+      - name: Create PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: ${{ steps.branch.outputs.branch }}
+          DRY_RUN: ${{ inputs.dry_run }}
        run: |
-          LATEST_FLAG=""
+          LATEST_FLAG=()
          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG='-l "release/latest"'
+            LATEST_FLAG=(-l "release/latest")
          fi
          gh pr create \
-            $LATEST_FLAG \
+            "${LATEST_FLAG[@]}" \
            -l "no-changelog" \
            --dry-run="$DRY_RUN" \
-            -B "$BRANCH" \
-            --title "Release: $VERSION" \
-            --body "These code changes must be merged after a release is complete"
-
-      - name: Create PR with backports
-        if: "${{ inputs.backport != '' }}"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: ${{ steps.branch.outputs.branch }}
-        run: |
-          LATEST_FLAG=""
-          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG='-l "release/latest"'
-          fi
-          gh pr create \
-            $LATEST_FLAG \
-            -l "product-approved" \
-            -l "no-changelog" \
-            --dry-run="$DRY_RUN" \
-            -B "$BRANCH" \
+            -B "${RELEASE_BRANCH}" \
            --title "Release: $VERSION" \
            --body "These code changes must be merged after a release is complete"
@@ -2,7 +2,7 @@ name: run-dashboard-search-e2e

 on:
  workflow_run:
-    workflows: 
+    workflows:
      - trigger-dashboard-search-e2e
    types:
      - completed
@@ -40,7 +40,7 @@ jobs:
          cache: 'yarn'
      - name: Cache Node Modules
        id: cache-node-modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |
            node_modules
@@ -56,7 +56,7 @@ jobs:
          runTests: false
      - name: Cache Grafana Build and Dependencies
        id: cache-grafana
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: |
            bin/
@@ -74,9 +74,11 @@ jobs:

      - name: Get list of .ini files
        id: get_files
+        env:
+          WORKSPACE: ${{ github.workspace }}
        run: |
-          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
-          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
+          INI_FILES="$(find "$WORKSPACE"/e2e/dashboards-search-suite/ -type f -name '*.ini' | jq -R -s -c 'split("\n")[:-1]')"
+          echo "ini_files=$INI_FILES" >> "$GITHUB_OUTPUT"
        shell: bash

  run_tests:
@@ -95,8 +97,10 @@ jobs:
      steps:
        - name: Checkout repository
          uses: actions/checkout@v4
+          with:
+            persist-credentials: false
        - name: Restore Cached Node Modules
-          uses: actions/cache@v3
+          uses: actions/cache@v4
          with:
            path: |
              node_modules
@@ -104,7 +108,7 @@ jobs:
            key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}

        - name: Restore Cached Grafana Build and Dependencies
-          uses: actions/cache@v3
+          uses: actions/cache@v4
          with:
            path: |
              bin/
@@ -120,11 +124,12 @@ jobs:
          env:
            INI_NAME: ${{ matrix.ini_file }}
          run: |
-            FILE_NAME=$(basename "$env.INI_NAME" .ini)
-            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
+            FILE_NAME="$(basename "$INI_NAME" .ini)"
+            echo "FILE_NAME=$FILE_NAME" >> "$GITHUB_OUTPUT"
        - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
          env:
            INI_NAME: ${{ matrix.ini_file }}
+            WORKSPACE: ${{ github.workspace }}
          run: |
-            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
+            cp -rf "$INI_NAME" "$WORKSPACE"/scripts/grafana-server/custom.ini
            yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"
@@ -1,39 +0,0 @@
-name: e2e suite
-
-on:
-  workflow_call:
-    inputs:
-      package:
-        type: string
-        required: true
-      suite:
-        type: string
-        required: true
-
-jobs:
-  main:
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ inputs.package }}
-      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          verb: run
-          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
-      - name: Set suite name
-        id: set-suite-name
-        if: always()
-        env:
-          SUITE: ${{ inputs.suite }}
-        run: |
-          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
-          path: videos
-          retention-days: 1
@@ -1,84 +0,0 @@
-const crowdin = require('@crowdin/crowdin-api-client');
-const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
-
-const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
-if (!API_TOKEN) {
-  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
-  process.exit(1);
-}
-
-const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
-if (!PROJECT_ID) {
-  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
-  process.exit(1);
-}
-
-const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
-  token: API_TOKEN,
-  organization: 'grafana'
-});
-
-const languages = await getLanguages();
-const fileIds = await getFileIds();
-console.log('Languages: ', languages);
-console.log('File IDs: ', fileIds);
-
-// for (const language of languages) {
-//   const { name, id } = language;
-//   await createTask(`Translate to ${name}`, id, fileIds);
-// }
-
-async function getLanguages() {
-  try {
-    const project = await projectsGroupsApi.getProject(PROJECT_ID);
-    const languages = project.data.targetLanguages;
-    return languages;
-  } catch (error) {
-    console.error('Failed to fetch languages: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getFileIds() {
-  try {
-    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
-    const files = response.data;
-    const fileIds = files.map(file => file.data.id);
-    return fileIds;
-  } catch (error) {
-    console.error('Failed to fetch file IDs: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function createTask(title, languageId, fileIds) {
-  try {
-    const taskParams = {
-      title,
-      description: TRANSLATED_CONNECTOR_DESCRIPTION,
-      languageId,
-      type: 2, // Translation by vendor
-      workflowStepId: 78, // Translation step ID
-      skipAssignedStrings: true,
-      fileIds,
-    };
-
-    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
-
-    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
-    console.log(`Task created successfully! Task ID: ${response.data.id}`);
-    return response.data;
-  } catch (error) {
-    console.error('Failed to create Crowdin task: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
@@ -0,0 +1,110 @@
+import crowdinImport from '@crowdin/crowdin-api-client';
+const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
+const TRANSLATE_BY_VENDOR_WORKFLOW_TYPE = 'TranslateByVendor'
+
+// TODO Remove this type assertion when https://github.com/crowdin/crowdin-api-client-js/issues/508 is fixed
+// @ts-expect-error
+const crowdin = crowdinImport.default as typeof crowdinImport;
+
+const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
+if (!API_TOKEN) {
+  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
+  process.exit(1);
+}
+
+const PROJECT_ID = process.env.CROWDIN_PROJECT_ID ? parseInt(process.env.CROWDIN_PROJECT_ID, 10) : undefined;
+if (!PROJECT_ID) {
+  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
+  process.exit(1);
+}
+
+const credentials = {
+  token: API_TOKEN,
+  organization: 'grafana'
+};
+
+const { tasksApi, projectsGroupsApi, sourceFilesApi, workflowsApi } = new crowdin(credentials);
+
+const languages = await getLanguages(PROJECT_ID);
+const fileIds = await getFileIds(PROJECT_ID);
+const workflowStepId = await getWorkflowStepId(PROJECT_ID);
+
+for (const language of languages) {
+  const { name, id } = language;
+  await createTask(PROJECT_ID, `Translate to ${name}`, id, fileIds, workflowStepId);
+}
+
+async function getLanguages(projectId: number) {
+  try {
+    const project = await projectsGroupsApi.getProject(projectId);
+    const languages = project.data.targetLanguages;
+    console.log('Fetched languages successfully!');
+    return languages;
+  } catch (error) {
+    console.error('Failed to fetch languages: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getFileIds(projectId: number) {
+  try {
+    const response = await sourceFilesApi.listProjectFiles(projectId);
+    const files = response.data;
+    const fileIds = files.map(file => file.data.id);
+    console.log('Fetched file ids successfully!');
+    return fileIds;
+  } catch (error) {
+    console.error('Failed to fetch file IDs: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getWorkflowStepId(projectId: number) {
+  try {
+    const response = await workflowsApi.listWorkflowSteps(projectId);
+    const workflowSteps = response.data;
+    const workflowStepId = workflowSteps.find(step => step.data.type === TRANSLATE_BY_VENDOR_WORKFLOW_TYPE)?.data.id;
+    if (!workflowStepId) {
+      throw new Error(`Workflow step with type "${TRANSLATE_BY_VENDOR_WORKFLOW_TYPE}" not found`);
+    }
+    console.log('Fetched workflow step ID successfully!');
+    return workflowStepId;
+  } catch (error) {
+    console.error('Failed to fetch workflow step ID: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function createTask(projectId: number, title: string, languageId: string, fileIds: number[], workflowStepId: number) {
+  try {
+    const taskParams = {
+      title,
+      description: TRANSLATED_CONNECTOR_DESCRIPTION,
+      languageId,
+      workflowStepId,
+      skipAssignedStrings: true,
+      fileIds,
+    };
+
+    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
+
+    const response = await tasksApi.addTask(projectId, taskParams);
+    console.log(`Task created successfully! Task ID: ${response.data.id}`);
+    return response.data;
+  } catch (error) {
+    console.error('Failed to create Crowdin task: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
@@ -1,15 +1,15 @@
-name: Add issues and PRs to Skye project board
+name: Add issues to Skye project board
 on:
  workflow_dispatch:
    inputs:
      manual_issue_number:
-        description: 'Issue/PR number to add to project'
+        description: 'Issue to add to project'
        required: false
        type: number
+  # Ideally we could trigger this for PRs as well, but getting the secrets on that is tricky
+  # so we just won't bother for now
  issues:
    types: [opened]
-  pull_request:
-    types: [opened]

 permissions:
  contents: read
@@ -47,26 +47,16 @@ jobs:
          app_id: ${{ env.GH_APP_ID }}
          private_key: ${{ env.GH_APP_PEM }}

-      # Check if the user is in the list from the secret
+      # We do the check in the Github Actions expression and then export it to the output
+      # to reuse it
      - name: Check if user is allowed
        id: check_user
        env:
-          ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
-          USERNAME: ${{ github.event.sender.login }}
+          USER_IS_ALLOWED: ${{ contains(fromJSON(env.ALLOWED_USERS), github.event.sender.login) }}
        run: |
-          # Convert the comma-separated list to an array
-          IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"
+          echo "user_allowed=${USER_IS_ALLOWED}" >> "$GITHUB_OUTPUT"

-          # Check if user is in the allowed list
-          for allowed_user in "${ALLOWED_USERS[@]}"; do
-            if [ "$allowed_user" = "$USERNAME" ]; then
-              echo "user_allowed=true" >> $GITHUB_OUTPUT
-              exit 0
-            fi
-          done
-          echo "user_allowed=false" >> $GITHUB_OUTPUT
-
-      # Convert the issue/PR number to a node ID for the GraphQL API
+      # Convert the issue to a node ID for the GraphQL API
      - name: Get node ID for item
        if: steps.check_user.outputs.user_allowed == 'true'
        id: get_node_id
@@ -88,7 +78,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

-      # Finally, add the issue/PR to the project board
+      # Finally, add the issue to the project board
      - name: Add to project board
        if: steps.check_user.outputs.user_allowed == 'true'
        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
@@ -14,26 +14,30 @@ on:
      - '!docs/**'
      - '!*.md'

+permissions: {}
+
 jobs:
  verify-storybook:
    name: Verify Storybook
    runs-on: ubuntu-latest
-    
+    permissions:
+      contents: read
+
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
-      
+
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: 'package.json'
          cache: 'yarn'
-      
+
      - name: Install dependencies
        run: yarn install --immutable
-      
+
      - name: Run Storybook and E2E tests
        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
        with:
@@ -0,0 +1,35 @@
+name: Trufflehog
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  trufflehog:
+    name: Run Trufflehog
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # clone the repo
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+          ref: ${{ github.head_ref }}
+      - name: Trufflehog
+        uses: trufflesecurity/trufflehog@90190deac64289cb10bb694894be8db9ead8790b # v3.88.29
+        with:
+          base: ${{ github.event.pull_request.base.sha }}
+          head: ${{ github.event.pull_request.head.sha }}
+          extra_args: --results=verified
@@ -21,6 +21,7 @@ rules:
      - pr-frontend-unit-tests.yml
      - pr-test-integration.yml
      - publish-kinds-release.yml
+      - pr-e2e-tests.yml
  dangerous-triggers:
    ignore:
      - auto-milestone.yml
@@ -29,3 +30,6 @@ rules:
      - pr-commands.yml
      - pr-patch-check-event.yml
      - run-dashboard-search-e2e.yml
+  excessive-permissions:
+    ignore:
+      - release-comms.yml
@@ -41,7 +41,6 @@ __debug_bin*
 # This is the new place of the block, but I leave the previous here for a while
 /devenv/docker/blocks/auth/saml-enterprise
 /devenv/docker/blocks/auth/signer
-/devenv/docker/blocks/spanner_tests
 /devenv/docker/blocks/mt-db

 /tmp
@@ -293,6 +293,7 @@ linters:
      - third_party$
      - builtin$
      - examples$
+      - pkg/util/xorm
 issues:
  max-same-issues: 0
 formatters:
@@ -19,4 +19,3 @@
 # This is the new place of the block, but I leave the previous here for a while
 !/devenv/docker/blocks/auth/saml-enterprise
 !/devenv/docker/blocks/auth/signer
-!/devenv/docker/blocks/spanner_tests
@@ -35,7 +35,8 @@ public/openapi3.json
 public/mockServiceWorker.js

 # Crowdin files
-public/locales/**/*.json
+# Ignore `locales` directory so we also catch enterprise files
+**/locales/**/*.json

 /.nx/cache
-/.nx/workspace-data
+/.nx/workspace-data
@@ -82,6 +82,16 @@
      "cwd": "${workspaceFolder}",
      "args": ["server", "target", "--homepath", "${workspaceFolder}", "--packaging", "dev"]
    },
+    {
+      "name": "Run Frontend Server",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}/pkg/cmd/grafana/",
+      "cwd": "${workspaceFolder}",
+      "env": { "GF_DEFAULT_TARGET": "frontend-server", "GF_SERVER_HTTP_PORT": "3003" },
+      "args": ["server", "target", "--homepath", "${workspaceFolder}", "--packaging", "dev"]
+    },
    {
      "name": "Attach to Chrome",
      "port": 9222,
@@ -7,7 +7,7 @@ enableTelemetry: false
 nodeLinker: node-modules

 packageExtensions:
-  'croact-css-styled@1.1.9':
+  croact-css-styled@1.1.9:
    dependencies:
      croact: 1.0.4
  doctrine@3.0.0:
@@ -20,13 +20,9 @@ packageExtensions:

 plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-outdated.cjs
-    spec: 'https://mskelton.dev/yarn-outdated/v2'
+    spec: "https://mskelton.dev/yarn-outdated/v2"
+  - checksum: 374f735053958b77583ef7b70e56a59540d1d9c681f04b8ab7a600f4325301d2e1fb67c51d34ba75bbbc4e71f8c003fbc52b1f22d7daa30dca655f1a1bf205a1
+    path: .yarn/plugins/@yarnpkg/plugin-licenses.cjs
+    spec: "https://raw.githubusercontent.com/mhassan1/yarn-plugin-licenses/v0.15.0/bundles/@yarnpkg/plugin-licenses.js"

 yarnPath: .yarn/releases/yarn-4.6.0.cjs
-# Uncomment the following lines if you want to use Verdaccio local npm registry. Read more at packages/README.md
-#npmScopes:
-# grafana:
-#   npmRegistryServer: http://localhost:4873
-#
-#unsafeHttpWhitelist:
-# - 'localhost'
@@ -1,18 +1,3 @@
-<!-- 12.0.2+security-01 START -->
-
-# 12.0.2+security-01 (2025-07-17)
-
-### Features and enhancements
-
- **Profiles:** Stop passing response headers for Grafana-Pyroscope and parca datasources [#106730](https://github.com/grafana/grafana/pull/106730), [@simonswine](https://github.com/simonswine)
-
-### Bug fixes
-
- **FlameGraph:** Fix bug for function names that conflict with JavaScript object prototype properties [#106625](https://github.com/grafana/grafana/pull/106625), [@simonswine](https://github.com/simonswine)
- **Security:** Fixed CVE-2025-6023
- **Security:** Fixed CVE-2025-6197
-
-<!-- 12.0.2+security-01 END -->
 <!-- 12.0.1 START -->

 # 12.0.1 (2025-05-22)
@@ -37,10 +22,538 @@
 - **Prometheus:** Fix semver import path [#104945](https://github.com/grafana/grafana/pull/104945), [@jackw](https://github.com/jackw)
 - **Themes:** Prevent duplicated API call in drawer [#105611](https://github.com/grafana/grafana/pull/105611), [@ashharrison90](https://github.com/ashharrison90)
 - **XYChart:** Coerce threshold steps to numbers [#104492](https://github.com/grafana/grafana/pull/104492), [@leeoniya](https://github.com/leeoniya)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 12.0.1 END -->
+<!-- 11.6.2 START -->
+
+# 11.6.2 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105103](https://github.com/grafana/grafana/pull/105103), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/blevesearch/bleve/v2 from v2.4.4-git to v2.5.0 [#105443](https://github.com/grafana/grafana/pull/105443), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.6 to v1.8.12 [#105369](https://github.com/grafana/grafana/pull/105369), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.126.0 to v0.132.0 [#105251](https://github.com/grafana/grafana/pull/105251), [@macabu](https://github.com/macabu)
+
+### Bug fixes
+
+- **Dashboard:** Fixes issue with row repeats and first row [#104467](https://github.com/grafana/grafana/pull/104467), [@torkelo](https://github.com/torkelo)
+- **Graphite:** Ensure template variables are interpolated correctly [#105388](https://github.com/grafana/grafana/pull/105388), [@aangelisc](https://github.com/aangelisc)
+- **Graphite:** Fix Graphite series interpolation [#104568](https://github.com/grafana/grafana/pull/104568), [@aangelisc](https://github.com/aangelisc)
+- **Prometheus:** Fix semver import path [#104943](https://github.com/grafana/grafana/pull/104943), [@jackw](https://github.com/jackw)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 11.6.2 END -->
+<!-- 11.5.5 START -->
+
+# 11.5.5 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105109](https://github.com/grafana/grafana/pull/105109), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/blevesearch/bleve/v2 from v2.4.3 to v2.5.0 [#105441](https://github.com/grafana/grafana/pull/105441), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.5 to v1.8.12 [#105373](https://github.com/grafana/grafana/pull/105373), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.126.0 to v0.132.0 [#105252](https://github.com/grafana/grafana/pull/105252), [@macabu](https://github.com/macabu)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 11.5.5 END -->
+<!-- 11.4.5 START -->
+
+# 11.4.5 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105110](https://github.com/grafana/grafana/pull/105110), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/blevesearch/bleve/v2 from v2.4.2 to v2.5.0 [#105445](https://github.com/grafana/grafana/pull/105445), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.5 to v1.8.12 [#105375](https://github.com/grafana/grafana/pull/105375), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.125.0 to v0.132.0 [#105253](https://github.com/grafana/grafana/pull/105253), [@macabu](https://github.com/macabu)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 11.4.5 END -->
+<!-- 11.3.7 START -->
+
+# 11.3.7 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105112](https://github.com/grafana/grafana/pull/105112), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/blevesearch/bleve/v2 from v2.4.2 to v2.5.0 [#105447](https://github.com/grafana/grafana/pull/105447), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.5 to v1.8.12 [#105376](https://github.com/grafana/grafana/pull/105376), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.125.0 to v0.132.0 [#105254](https://github.com/grafana/grafana/pull/105254), [@macabu](https://github.com/macabu)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 11.3.7 END -->
+<!-- 11.2.10 START -->
+
+# 11.2.10 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105113](https://github.com/grafana/grafana/pull/105113), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.5 to v1.8.12 [#105378](https://github.com/grafana/grafana/pull/105378), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.125.0 to v0.132.0 [#105255](https://github.com/grafana/grafana/pull/105255), [@macabu](https://github.com/macabu)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 11.2.10 END -->
+<!-- 10.4.19 START -->
+
+# 10.4.19 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105115](https://github.com/grafana/grafana/pull/105115), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump golang.org/x/net from v0.37.0 to v0.40.0 [#105449](https://github.com/grafana/grafana/pull/105449), [@macabu](https://github.com/macabu)
+- **Security:** Fix CVE-2025-4123
+- **Security:** Fix CVE-2025-3580
+
+<!-- 10.4.19 END -->
+<!-- 12.0.0+security-01 START -->
+
+# 12.0.0+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 12.0.0+security-01 END -->
+<!-- 11.6.1+security-01 START -->
+
+# 11.6.1+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 11.6.1+security-01 END -->
+<!-- 11.5.4+security-01 START -->
+
+# 11.5.4+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 11.5.4+security-01 END -->
+<!-- 11.4.4+security-01 START -->
+
+# 11.4.4+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 11.4.4+security-01 END -->
+<!-- 11.3.6+security-01 START -->
+
+# 11.3.6+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 11.3.6+security-01 END -->
+<!-- 11.2.9+security-01 START -->
+
+# 11.2.9+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 11.2.9+security-01 END -->
+<!-- 10.4.18+security-01 START -->
+
+# 10.4.18+security-01 (2025-05-21)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-4123
+
+<!-- 10.4.18+security-01 END -->
+<!-- 12.0.0 START -->
+
+# 12.0.0 (2025-05-05)
+
+### Features and enhancements
+
+- **Alerting:** API to convert submitted Prometheus rules to GMA [#102231](https://github.com/grafana/grafana/pull/102231), [@fayzal-g](https://github.com/fayzal-g)
+- **Alerting:** Add HMAC signature config to the webhook integration [#100960](https://github.com/grafana/grafana/pull/100960), [@alexander-akhmetov](https://github.com/alexander-akhmetov)
+- **Alerting:** Add MissingSeriesEvalsToResolve to the APIs [#102150](https://github.com/grafana/grafana/pull/102150), [@alexander-akhmetov](https://github.com/alexander-akhmetov)
+- **Alerting:** Add UI migration feature toggle [#102217](https://github.com/grafana/grafana/pull/102217), [@tomratcliffe](https://github.com/tomratcliffe)
+- **Alerting:** Add backend support for keep_firing_for [#100750](https://github.com/grafana/grafana/pull/100750), [@alexander-akhmetov](https://github.com/alexander-akhmetov)
+- **Alerting:** Add details and edit pages for groups [#100884](https://github.com/grafana/grafana/pull/100884), [@konrad147](https://github.com/konrad147)
+- **Alerting:** Add keep_firing_for and Recovering state [#103248](https://github.com/grafana/grafana/pull/103248), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Add migration to clean up rule versions table [#102484](https://github.com/grafana/grafana/pull/102484), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Add missing_series_evals_to_resolve option to alert rule form [#102808](https://github.com/grafana/grafana/pull/102808), [@tomratcliffe](https://github.com/tomratcliffe)
+- **Alerting:** Delete permanently deleted alert rules. [#102960](https://github.com/grafana/grafana/pull/102960), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Detect target folder rules and show warning [#103673](https://github.com/grafana/grafana/pull/103673), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Migration UI [#102010](https://github.com/grafana/grafana/pull/102010), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Recover deleted alert rules [#101869](https://github.com/grafana/grafana/pull/101869), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Remove constraints for uniqueness of rule title [#102067](https://github.com/grafana/grafana/pull/102067), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Remove feature flag `alertingNoDataErrorExecution` [#102156](https://github.com/grafana/grafana/pull/102156), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Sequential evaluation of rules in group [#98829](https://github.com/grafana/grafana/pull/98829), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Skip rules that are managed by plugins when importing datasource-managed rules [#103573](https://github.com/grafana/grafana/pull/103573), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Stop allowing manual editing/restore of internal AM config via settings [#103884](https://github.com/grafana/grafana/pull/103884), [@tomratcliffe](https://github.com/tomratcliffe)
+- **Alerting:** Template preview enhancements [#103817](https://github.com/grafana/grafana/pull/103817), [@JacobsonMT](https://github.com/JacobsonMT)
+- **Alerting:** Update alerting module to 58ba6c617ff05eb1d6f65c59d369a6a16923dff6 [#102812](https://github.com/grafana/grafana/pull/102812), [@yuri-tceretian](https://github.com/yuri-tceretian)
+- **Alerting:** Use 'Grafana IRM' wording in alerting contact point [#102014](https://github.com/grafana/grafana/pull/102014), [@brojd](https://github.com/brojd)
+- **Alerting:** Webhook Improvements - Templateable Payloads [#103818](https://github.com/grafana/grafana/pull/103818), [@JacobsonMT](https://github.com/JacobsonMT)
+- **AppChrome:** Move kiosk button into profile menu [#103600](https://github.com/grafana/grafana/pull/103600), [@torkelo](https://github.com/torkelo)
+- **AppPlatform:** Introduce experimental Github integration for dashboard configuration management [#96329](https://github.com/grafana/grafana/pull/96329), [@MissingRoberto](https://github.com/MissingRoberto)
+- **Authorization:** Add group to role DisplayName to make filtered list more clear [#102950](https://github.com/grafana/grafana/pull/102950), [@forsethc](https://github.com/forsethc)
+- **Azure Monitor:** Add logs query builder [#99055](https://github.com/grafana/grafana/pull/99055), [@alyssabull](https://github.com/alyssabull)
+- **Azure:** Mark Azure Prometheus exemplars as GA and enable by default [#100595](https://github.com/grafana/grafana/pull/100595), [@aangelisc](https://github.com/aangelisc)
+- **AzureMonitor:** Improve selection of Basic Logs tables in the query builder [#103820](https://github.com/grafana/grafana/pull/103820), [@aangelisc](https://github.com/aangelisc)
+- **BrowseDashboards:** Switch to list view if sort is set [#102196](https://github.com/grafana/grafana/pull/102196), [@Clarity-89](https://github.com/Clarity-89)
+- **Checkbox:** Add z-index to description [#103847](https://github.com/grafana/grafana/pull/103847), [@Clarity-89](https://github.com/Clarity-89)
+- **Chore:** Promoting feature toggle pluginsSriChecks GA [#102212](https://github.com/grafana/grafana/pull/102212), [@tolzhabayev](https://github.com/tolzhabayev)
+- **CloudMigrations:** Add sorting and error filtering to Snapshot Results backend [#102753](https://github.com/grafana/grafana/pull/102753), [@mmandrus](https://github.com/mmandrus)
+- **CloudMigrations:** Change onPremToCloudMigrations feature toggle to GA [#103212](https://github.com/grafana/grafana/pull/103212), [@dana-axinte](https://github.com/dana-axinte)
+- **CloudMigrations:** Enable high-level resource type selection [#103011](https://github.com/grafana/grafana/pull/103011), [@macabu](https://github.com/macabu)
+- **CloudMigrations:** Implement table sorting in the UI [#103061](https://github.com/grafana/grafana/pull/103061), [@mmandrus](https://github.com/mmandrus)
+- **CloudWatch:** Migrate to aws-sdk-go-v2 [#103106](https://github.com/grafana/grafana/pull/103106), [@njvrzm](https://github.com/njvrzm)
+- **Cloudwatch:** Do not parse log query grouping field to float [#102244](https://github.com/grafana/grafana/pull/102244), [@iwysiu](https://github.com/iwysiu)
+- **Cloudwatch:** Migrate to aws-sdk-go-v2 [#99643](https://github.com/grafana/grafana/pull/99643), [@njvrzm](https://github.com/njvrzm)
+- **Cloudwatch:** Revert aws sdk go v2 [#103644](https://github.com/grafana/grafana/pull/103644), [@iwysiu](https://github.com/iwysiu)
+- **Config:** Removes setting `viewers_can_edit` [#102275](https://github.com/grafana/grafana/pull/102275), [@eleijonmarck](https://github.com/eleijonmarck)
+- **Dashboard Restore:** Remove experimental functionality under feature flag `dashboardRestore` for now - this will be reworked [#103204](https://github.com/grafana/grafana/pull/103204), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **Dashboards:** Add Dashboard Schema validation (1) [#103662](https://github.com/grafana/grafana/pull/103662), [@marcoabreu](https://github.com/marcoabreu)
+- **Dashboards:** Add a config setting that limits the number of series that will be displayed in a panel. Users can opt in to render all series. [#103405](https://github.com/grafana/grafana/pull/103405), [@oscarkilhed](https://github.com/oscarkilhed)
+- **Dashboards:** Prevent saving to a non-existent folder [#103503](https://github.com/grafana/grafana/pull/103503), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **Dashboards:** Prevent version restore to same data [#102665](https://github.com/grafana/grafana/pull/102665), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **Dependencies:** Bump github.com/redis/go-redis/v9 from 9.7.0 to 9.7.3 [#102555](https://github.com/grafana/grafana/pull/102555), [@dependabot[bot]](https://github.com/dependabot[bot])
+- **Docs:** Standard Datetime units limited to millisecond precision [#103610](https://github.com/grafana/grafana/pull/103610), [@axelavargas](https://github.com/axelavargas)
+- **ElasticSearch:** Improve index pattern error messaging and docs [#103899](https://github.com/grafana/grafana/pull/103899), [@idastambuk](https://github.com/idastambuk)
+- **ElasticSearch:** Make script field input a text area [#103708](https://github.com/grafana/grafana/pull/103708), [@idastambuk](https://github.com/idastambuk)
+- **Extensions:** Expose new observable APIs for accessing components and links [#103063](https://github.com/grafana/grafana/pull/103063), [@leventebalogh](https://github.com/leventebalogh)
+- **Feat:** Make expressions work with plugins that set `alerting:false` but `backend:true` in their `plugin.json` files [#102232](https://github.com/grafana/grafana/pull/102232), [@tolzhabayev](https://github.com/tolzhabayev)
+- **FlameGraphPanel:** Add units to standard options (#89815) [#102720](https://github.com/grafana/grafana/pull/102720), [@snyderdan](https://github.com/snyderdan)
+- **Frontend:** Remove Angular [#99760](https://github.com/grafana/grafana/pull/99760), [@jackw](https://github.com/jackw)
+- **Go:** Bump to 1.24.2 [#103521](https://github.com/grafana/grafana/pull/103521), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+- **I18n:** Add 13 new languages for translations [#102971](https://github.com/grafana/grafana/pull/102971), [@joshhunt](https://github.com/joshhunt)
+- **Influx:** Support PDC for Influx SQL [#103032](https://github.com/grafana/grafana/pull/103032), [@aangelisc](https://github.com/aangelisc)
+- **JWT:** Add org role mapping support to the JWT provider [#101584](https://github.com/grafana/grafana/pull/101584), [@QuentinBisson](https://github.com/QuentinBisson)
+- **K8s:** Dashboards: Add fine grained access control checks to /apis [#104418](https://github.com/grafana/grafana/pull/104418), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **K8s:** Enable kubernetesClientDashboardsFolders by default [#103843](https://github.com/grafana/grafana/pull/103843), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **LBAC for data sources:** PublicPreview and self serve enablement [#102276](https://github.com/grafana/grafana/pull/102276), [@eleijonmarck](https://github.com/eleijonmarck)
+- **Live:** Remove queryOverLive and live-service-web-worker experimental feature flags [#103518](https://github.com/grafana/grafana/pull/103518), [@ryantxu](https://github.com/ryantxu)
+- **Logs Panel:** Add ISO8601 date to log download files [#102932](https://github.com/grafana/grafana/pull/102932), [@gtk-grafana](https://github.com/gtk-grafana)
+- **Logs Table:** Add new Controls component to Explore [#103467](https://github.com/grafana/grafana/pull/103467), [@matyax](https://github.com/matyax)
+- **Logs:** Add new Controls component to Explore [#103401](https://github.com/grafana/grafana/pull/103401), [@matyax](https://github.com/matyax)
+- **Logs:** Always keep displayed fields with changed queries [#102493](https://github.com/grafana/grafana/pull/102493), [@svennergr](https://github.com/svennergr)
+- **Logs:** Clean up Explore meta information [#103801](https://github.com/grafana/grafana/pull/103801), [@matyax](https://github.com/matyax)
+- **Logs:** Prevent automatic scrolling on refresh after changing scroll position [#102463](https://github.com/grafana/grafana/pull/102463), [@matyax](https://github.com/matyax)
+- **MetricsDrilldown:** Advance `exploreMetricsUseExternalAppPlugin` feature toggle stage [#102137](https://github.com/grafana/grafana/pull/102137), [@NWRichmond](https://github.com/NWRichmond)
+- **MetricsDrilldown:** Advance `exploreMetricsUseExternalAppPlugin` to GA [#103653](https://github.com/grafana/grafana/pull/103653), [@NWRichmond](https://github.com/NWRichmond)
+- **MetricsDrilldown:** Mark `exploreMetricsUseExternalAppPlugin` as not frontend-only [#102942](https://github.com/grafana/grafana/pull/102942), [@NWRichmond](https://github.com/NWRichmond)
+- **MetricsDrilldown:** Remove legacy Metrics Drilldown code paths [#103845](https://github.com/grafana/grafana/pull/103845), [@NWRichmond](https://github.com/NWRichmond)
+- **MetricsDrilldown:** Restore link to Metrics Drilldown from Explore [#104075](https://github.com/grafana/grafana/pull/104075), [@NWRichmond](https://github.com/NWRichmond)
+- **NodeGraph:** Add node graph algorithm layout option [#102760](https://github.com/grafana/grafana/pull/102760), [@joey-grafana](https://github.com/joey-grafana)
+- **Plugins:** Remove plugin dependency version (Enterprise)
+- **Plugins:** Remove sort by options from plugins catalog [#102862](https://github.com/grafana/grafana/pull/102862), [@oshirohugo](https://github.com/oshirohugo)
+- **Plugins:** Remove support for secrets manager plugins [#101467](https://github.com/grafana/grafana/pull/101467), [@wbrowne](https://github.com/wbrowne)
+- **Plugins:** Remove support for secrets manager plugins (Enterprise)
+- **Plugins:** Remove userStorageAPI feature toggle [#102915](https://github.com/grafana/grafana/pull/102915), [@oshirohugo](https://github.com/oshirohugo)
+- **Prometheus:** Add back @lezer/highlight to dev dependency [#102632](https://github.com/grafana/grafana/pull/102632), [@idastambuk](https://github.com/idastambuk)
+- **Prometheus:** Add support for cloud partners Prometheus data sources [#103482](https://github.com/grafana/grafana/pull/103482), [@kevinwcyu](https://github.com/kevinwcyu)
+- **Prometheus:** Enable Combobox metric select by default [#101045](https://github.com/grafana/grafana/pull/101045), [@joshhunt](https://github.com/joshhunt)
+- **Prometheus:** Enable prometheusRunQueriesInParallel feature toggle by default [#102127](https://github.com/grafana/grafana/pull/102127), [@itsmylife](https://github.com/itsmylife)
+- **RecordedQueries:** Deprecate recorded queries UI messaging (Enterprise)
+- **Security:** Update JWT library (CVE-2025-30204) [#102715](https://github.com/grafana/grafana/pull/102715), [@Proximyst](https://github.com/Proximyst)
+- **Tempo:** Add support for ad-hoc filters [#102448](https://github.com/grafana/grafana/pull/102448), [@ifrost](https://github.com/ifrost)
+- **Tempo:** Remove aggregate by [#98474](https://github.com/grafana/grafana/pull/98474), [@joey-grafana](https://github.com/joey-grafana)
+- **TraceView:** Add scope attributes to span details [#103173](https://github.com/grafana/grafana/pull/103173), [@joey-grafana](https://github.com/joey-grafana)
+- **TraceView:** Render all links in span details [#101881](https://github.com/grafana/grafana/pull/101881), [@ifrost](https://github.com/ifrost)
+- **Traces:** Preinstall Traces Drilldown app with Grafana [#102986](https://github.com/grafana/grafana/pull/102986), [@ifrost](https://github.com/ifrost)
+
+### Bug fixes
+
+- **Alerting:** Fix Simple condition threshold inputs with negative values. [#102976](https://github.com/grafana/grafana/pull/102976), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Alerting:** Fix display of `Normal (Updated)` in alert history [#102476](https://github.com/grafana/grafana/pull/102476), [@tomratcliffe](https://github.com/tomratcliffe)
+- **Alerting:** Fix rule instances table [#102290](https://github.com/grafana/grafana/pull/102290), [@konrad147](https://github.com/konrad147)
+- **Alerting:** Make nested folders work in Alert List Panel [#103550](https://github.com/grafana/grafana/pull/103550), [@tomratcliffe](https://github.com/tomratcliffe)
+- **Alerting:** Remove rule type switch for modified export mode [#102287](https://github.com/grafana/grafana/pull/102287), [@konrad147](https://github.com/konrad147)
+- **Alerting:** Simplified alert rule toggle bug fixes [#102119](https://github.com/grafana/grafana/pull/102119), [@gillesdemey](https://github.com/gillesdemey)
+- **Alertmanager:** Add Role-Based Access Control via reqAction Field [#101543](https://github.com/grafana/grafana/pull/101543), [@olegpixel](https://github.com/olegpixel)
+- **App Platform:** Pin bleve to fix CVE-2022-31022 [#102513](https://github.com/grafana/grafana/pull/102513), [@Proximyst](https://github.com/Proximyst)
+- **AppChrome/MegaMenu:** Fixes issue with default state being initialised to undocked [#103507](https://github.com/grafana/grafana/pull/103507), [@torkelo](https://github.com/torkelo)
+- **AppTitle:** Fix overflowing text [#103583](https://github.com/grafana/grafana/pull/103583), [@tskarhed](https://github.com/tskarhed)
+- **Azure:** Ensure basic logs queries are limited to a single resource [#103588](https://github.com/grafana/grafana/pull/103588), [@aangelisc](https://github.com/aangelisc)
+- **CloudWatch:** Import new grafana-aws-sdk with PDC fix [#103249](https://github.com/grafana/grafana/pull/103249), [@njvrzm](https://github.com/njvrzm)
+- **ColorPicker:** Fixed height when switching tabs [#103304](https://github.com/grafana/grafana/pull/103304), [@DanMPA](https://github.com/DanMPA)
+- **Dashboard:** Fix Core Panel Migrations - table panel [#102146](https://github.com/grafana/grafana/pull/102146), [@axelavargas](https://github.com/axelavargas)
+- **DashboardScenePage:** Correct slug in self referencing data links [#100048](https://github.com/grafana/grafana/pull/100048), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
+- **Dashboards:** Fix duplicate provisioning when errors occur on title-only based provisioning [#102249](https://github.com/grafana/grafana/pull/102249), [@stephaniehingtgen](https://github.com/stephaniehingtgen)
+- **Dashboards:** Fix panel link to Grafana Metrics Drilldown [#103759](https://github.com/grafana/grafana/pull/103759), [@NWRichmond](https://github.com/NWRichmond)
+- **Fix:** Change secure_json_data column data type to medium text only MYSQL [#102557](https://github.com/grafana/grafana/pull/102557), [@s4kh](https://github.com/s4kh)
+- **GrafanaUI:** Prevent ToolbarButton from submitting form [#102228](https://github.com/grafana/grafana/pull/102228), [@kozhuhds](https://github.com/kozhuhds)
+- **GrafanaUI:** Remove blurred background from overlay backdrops to improve performance [#103563](https://github.com/grafana/grafana/pull/103563), [@joshhunt](https://github.com/joshhunt)
+- **LDAP test:** Fix page crash [#102587](https://github.com/grafana/grafana/pull/102587), [@ashharrison90](https://github.com/ashharrison90)
+- **Navigation:** Fix bookmarks when Grafana is running under subpath [#102679](https://github.com/grafana/grafana/pull/102679), [@matejkubinec](https://github.com/matejkubinec)
+- **PanelEdit:** Fixes suggestions not applying options or field config [#102675](https://github.com/grafana/grafana/pull/102675), [@torkelo](https://github.com/torkelo)
+- **PluginProxy:** Fix nil pointer in OAuth forwarding [#103626](https://github.com/grafana/grafana/pull/103626), [@moustafab](https://github.com/moustafab)
+- **Plugins:** Fix better UX for disabled Angular plugins [#101333](https://github.com/grafana/grafana/pull/101333), [@hugohaggmark](https://github.com/hugohaggmark)
+- **Plugins:** Fix support for adhoc filters with raw queries in InfluxDB [#101966](https://github.com/grafana/grafana/pull/101966), [@beejeebus](https://github.com/beejeebus)
+- **Renderer:** Fix regression on callback URL in plugin mode [#103787](https://github.com/grafana/grafana/pull/103787), [@AgnesToulet](https://github.com/AgnesToulet)
+- **SQL:** Fix builder crashes when any in selected [#102871](https://github.com/grafana/grafana/pull/102871), [@zoltanbedi](https://github.com/zoltanbedi)
+- **SSE:** Fix goroutine leak in math operation expression parsing [#102380](https://github.com/grafana/grafana/pull/102380), [@kylebrandt](https://github.com/kylebrandt)
+- **Tempo:** Add fixes for broken exemplars [#103298](https://github.com/grafana/grafana/pull/103298), [@joey-grafana](https://github.com/joey-grafana)
+
+### Breaking changes
+
+- **Alerting:** Make $value return the query value in case when a single datasource is used [#102301](https://github.com/grafana/grafana/pull/102301), [@alexander-akhmetov](https://github.com/alexander-akhmetov)
+- **Alerting:** Relax permissions for access a rule [#103664](https://github.com/grafana/grafana/pull/103664), [@moustafab](https://github.com/moustafab)
+- **Alerting:** Remove feature toggles relating to Loki Alert State History [#103540](https://github.com/grafana/grafana/pull/103540), [@rwwiv](https://github.com/rwwiv)
+- **Alerting:** Remove the POST endpoint for the internal Grafana Alertmanager config [#103819](https://github.com/grafana/grafana/pull/103819), [@rwwiv](https://github.com/rwwiv)
+- **Anonymous:** Enforce org role Viewer setting [#102070](https://github.com/grafana/grafana/pull/102070), [@eleijonmarck](https://github.com/eleijonmarck)
+- **Chore:** Enable Grafana version check when installing plugins [#103176](https://github.com/grafana/grafana/pull/103176), [@andresmgot](https://github.com/andresmgot)
+- **Chore:** Enabling failWrongDSUID by default in Grafana 12 [#102192](https://github.com/grafana/grafana/pull/102192), [@tolzhabayev](https://github.com/tolzhabayev)
+- **Config:** Removes setting `viewers_can_edit` [#101767](https://github.com/grafana/grafana/pull/101767), [@eleijonmarck](https://github.com/eleijonmarck)
+- **Frontend:** Remove Angular (Enterprise)
+- **Plugin Extensions:** Clean up the deprecated APIs [#102102](https://github.com/grafana/grafana/pull/102102), [@leventebalogh](https://github.com/leventebalogh)
+- **Plugins:** Remove plugin dependency version [#103728](https://github.com/grafana/grafana/pull/103728), [@wbrowne](https://github.com/wbrowne)
+- **Tempo:** Remove traceQLStreaming feature toggle [#103619](https://github.com/grafana/grafana/pull/103619), [@adrapereira](https://github.com/adrapereira)
+
+### Plugin development fixes & changes
+
+- **Combobox:** add grouping functionality [#100603](https://github.com/grafana/grafana/pull/100603), [@eledobleefe](https://github.com/eledobleefe)
+- **Grafana UI:** Add `columnGap` + `rowGap` to `Stack`/`Grid` [#102883](https://github.com/grafana/grafana/pull/102883), [@ashharrison90](https://github.com/ashharrison90)
+- **Grafana UI:** Clearly separate multiple warnings by using HTML tags [#97979](https://github.com/grafana/grafana/pull/97979), [@zenador](https://github.com/zenador)
+
+<!-- 12.0.0 END -->
+<!-- 11.6.1 START -->
+
+# 11.6.1 (2025-04-23)
+
+### Features and enhancements
+
+- **Chore:** Update JWT library (CVE-2025-30204) [#102727](https://github.com/grafana/grafana/pull/102727), [@grambbledook](https://github.com/grambbledook)
+- **DashboardScenePage:** Correct slug in self referencing data links [#103854](https://github.com/grafana/grafana/pull/103854), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
+- **Dependencies:** Bump github.com/redis/go-redis/v9 to 9.7.3 to address CVE-2025-29923 [#102863](https://github.com/grafana/grafana/pull/102863), [@macabu](https://github.com/macabu)
+- **Go:** Bump to 1.24.2 [#103523](https://github.com/grafana/grafana/pull/103523), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+- **GrafanaUI:** Use safePolygon close handler for interactive tooltips instead of a delay [#102869](https://github.com/grafana/grafana/pull/102869), [@mthorning](https://github.com/mthorning)
+- **Prometheus:** Add support for cloud partners Prometheus data sources [#103941](https://github.com/grafana/grafana/pull/103941), [@kevinwcyu](https://github.com/kevinwcyu)
+
+### Bug fixes
+
+- **Alertmanager:** Add Role-Based Access Control via reqAction Field [#103479](https://github.com/grafana/grafana/pull/103479), [@olegpixel](https://github.com/olegpixel)
+- **GrafanaUI:** Remove blurred background from overlay backdrops to improve performance [#103647](https://github.com/grafana/grafana/pull/103647), [@joshhunt](https://github.com/joshhunt)
+- **InfluxDB:** Fix nested variable interpolation [#104096](https://github.com/grafana/grafana/pull/104096), [@aangelisc](https://github.com/aangelisc)
+- **LDAP test:** Fix page crash [#102684](https://github.com/grafana/grafana/pull/102684), [@ashharrison90](https://github.com/ashharrison90)
+- **Org redirection:** Fix linking between orgs [#102870](https://github.com/grafana/grafana/pull/102870), [@ashharrison90](https://github.com/ashharrison90)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+- **Security:** Fix CVE-2025-3260
+
+<!-- 11.6.1 END -->
+<!-- 11.5.4 START -->
+
+# 11.5.4 (2025-04-23)
+
+### Features and enhancements
+
+- **Azure Monitor:** Filter namespaces by resource group [#103654](https://github.com/grafana/grafana/pull/103654), [@alyssabull](https://github.com/alyssabull)
+- **Azure:** Add support for custom namespace and custom metrics variable queries [#103650](https://github.com/grafana/grafana/pull/103650), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Resource picker improvements [#103638](https://github.com/grafana/grafana/pull/103638), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Support more complex variable interpolation [#103651](https://github.com/grafana/grafana/pull/103651), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Variable editor and resource picker improvements [#103657](https://github.com/grafana/grafana/pull/103657), [@aangelisc](https://github.com/aangelisc)
+- **Chore:** Update CVE-affected dependencies [#102709](https://github.com/grafana/grafana/pull/102709), [@grambbledook](https://github.com/grambbledook)
+- **DashboardScenePage:** Correct slug in self referencing data links [#103853](https://github.com/grafana/grafana/pull/103853), [@Sergej-Vlasov](https://github.com/Sergej-Vlasov)
+- **Dependencies:** Bump github.com/redis/go-redis/v9 to 9.6.3 to address CVE-2025-29923 [#102865](https://github.com/grafana/grafana/pull/102865), [@macabu](https://github.com/macabu)
+- **Go:** Bump to 1.24.2 [#103525](https://github.com/grafana/grafana/pull/103525), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+- **Prometheus:** Add support for cloud partners Prometheus data sources [#103942](https://github.com/grafana/grafana/pull/103942), [@kevinwcyu](https://github.com/kevinwcyu)
+
+### Bug fixes
+
+- **InfluxDB:** Fix nested variable interpolation [#104095](https://github.com/grafana/grafana/pull/104095), [@aangelisc](https://github.com/aangelisc)
+- **LDAP test:** Fix page crash [#102683](https://github.com/grafana/grafana/pull/102683), [@ashharrison90](https://github.com/ashharrison90)
 - **Security:** Fix CVE-2025-3454
 - **Security:** Fix CVE-2025-2703

-<!-- 12.0.1 END -->
+<!-- 11.5.4 END -->
+<!-- 11.4.4 START -->
+
+# 11.4.4 (2025-04-23)
+
+### Features and enhancements
+
+- **Go:** Bump to 1.24.2 (Enterprise)
+
+### Bug Fixes
+
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.4.4 END -->
+<!-- 11.3.6 START -->
+
+# 11.3.6 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Update libs with CVE in dependencies [#102710](https://github.com/grafana/grafana/pull/102710), [@grambbledook](https://github.com/grambbledook)
+- **Go:** Bump to 1.24.2 [#103528](https://github.com/grafana/grafana/pull/103528), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+
+### Bug fixes
+
+- **Auth:** Fix SAML user IsExternallySynced not being set correctly [#103101](https://github.com/grafana/grafana/pull/103101), [@volcanonoodle](https://github.com/volcanonoodle)
+- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#102983](https://github.com/grafana/grafana/pull/102983), [@kalleep](https://github.com/kalleep)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.3.6 END -->
+<!-- 11.2.9 START -->
+
+# 11.2.9 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Update libs with CVE in dependencies [#102712](https://github.com/grafana/grafana/pull/102712), [@grambbledook](https://github.com/grambbledook)
+- **Go:** Bump to 1.24.2 [#103529](https://github.com/grafana/grafana/pull/103529), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+
+### Bug fixes
+
+- **Auth:** Fix SAML user IsExternallySynced not being set correctly [#103102](https://github.com/grafana/grafana/pull/103102), [@volcanonoodle](https://github.com/volcanonoodle)
+- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#102982](https://github.com/grafana/grafana/pull/102982), [@kalleep](https://github.com/kalleep)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.2.9 END -->
+<!-- 10.4.18 START -->
+
+# 10.4.18 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump golang-jwt/jwt/v4 and golang-jwt/jwt/v5 to address security issues [#102762](https://github.com/grafana/grafana/pull/102762), [@macabu](https://github.com/macabu)
+- **Go:** Bump to 1.24.2 [#103531](https://github.com/grafana/grafana/pull/103531), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+
+### Bug fixes
+
+- **Auth:** Fix SAML user IsExternallySynced not being set correctly (#98487) [#103177](https://github.com/grafana/grafana/pull/103177), [@volcanonoodle](https://github.com/volcanonoodle)
+- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#102981](https://github.com/grafana/grafana/pull/102981), [@kalleep](https://github.com/kalleep)
+- **Security:** Fix CVE-2025-3454
+
+<!-- 10.4.18 END -->
+<!-- 11.6.0+security-01 START -->
+
+# 11.6.0+security-01 (2025-04-22)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+- **Security:** Fix CVE-2025-3260
+
+<!-- 11.6.0+security-01 END -->
+<!-- 11.5.3+security-01 START -->
+
+# 11.5.3+security-01 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go to 1.23.7 [#101581](https://github.com/grafana/grafana/pull/101581), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go to 1.23.7 (Enterprise)
+- **Chore:** Update CVE-affected dependencies [#102709](https://github.com/grafana/grafana/pull/102709), [@grambbledook](https://github.com/grambbledook)
+
+### Bug fixes
+
+- **Alerting:** Fix token-based Slack image upload to work with channel names [#101078](https://github.com/grafana/grafana/pull/101078), [@JacobsonMT](https://github.com/JacobsonMT)
+- **Auth:** Fix AzureAD config UI's ClientAuthentication dropdown [#100869](https://github.com/grafana/grafana/pull/100869), [@mgyongyosi](https://github.com/mgyongyosi)
+- **Dashboard:** Fix the unintentional time range and variables updates on saving [#101671](https://github.com/grafana/grafana/pull/101671), [@harisrozajac](https://github.com/harisrozajac)
+- **Dashboards:** Fix missing `v/e/i` keybindings to return back to dashboard [#102365](https://github.com/grafana/grafana/pull/102365), [@mdvictor](https://github.com/mdvictor)
+- **InfluxDB:** Improve handling of template variables contained in regular expressions (InfluxQL) [#100977](https://github.com/grafana/grafana/pull/100977), [@aangelisc](https://github.com/aangelisc)
+- **LDAP test:** Fix page crash [#102683](https://github.com/grafana/grafana/pull/102683), [@ashharrison90](https://github.com/ashharrison90)
+- **Org redirection:** Fix linking between orgs [#102089](https://github.com/grafana/grafana/pull/102089), [@ashharrison90](https://github.com/ashharrison90)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.5.3+security-01 END -->
+<!-- 11.4.3+security-01 START -->
+
+# 11.4.3+security-01 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go to 1.23.7 [#101582](https://github.com/grafana/grafana/pull/101582), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go to 1.23.7 (Enterprise)
+- **Chore:** Update CVE-affected golang-gwt dependencies [#102704](https://github.com/grafana/grafana/pull/102704), [@grambbledook](https://github.com/grambbledook)
+
+### Bug fixes
+
+- **Alerting:** Fix token-based Slack image upload to work with channel names [#101072](https://github.com/grafana/grafana/pull/101072), [@JacobsonMT](https://github.com/JacobsonMT)
+- **InfluxDB:** Improve handling of template variables contained in regular expressions (InfluxQL) [#100987](https://github.com/grafana/grafana/pull/100987), [@aangelisc](https://github.com/aangelisc)
+- **Service Accounts:** Do not show error pop-ups for Service Account and Renderer UI flows [#101790](https://github.com/grafana/grafana/pull/101790), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.4.3+security-01 END -->
+<!-- 11.3.5+security-01 START -->
+
+# 11.3.5+security-01 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go to 1.23.7 [#101583](https://github.com/grafana/grafana/pull/101583), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go to 1.23.7 (Enterprise)
+- **Chore:** Update libs with CVE in dependencies [#102710](https://github.com/grafana/grafana/pull/102710), [@grambbledook](https://github.com/grambbledook)
+
+### Bug fixes
+
+- **Alerting:** Fix token-based Slack image upload to work with channel names [#101488](https://github.com/grafana/grafana/pull/101488), [@moustafab](https://github.com/moustafab)
+- **Service Accounts:** Do not show error pop-ups for Service Account and Renderer UI flows [#101791](https://github.com/grafana/grafana/pull/101791), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.3.5+security-01 END -->
+<!-- 11.2.8+security-01 START -->
+
+# 11.2.8+security-01 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.23.7 [#101294](https://github.com/grafana/grafana/pull/101294), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go version to 1.23.7 (Enterprise)
+
+### Bug fixes
+
+- **Alerting:** Update slack image upload to use new API [#101487](https://github.com/grafana/grafana/pull/101487), [@moustafab](https://github.com/moustafab)
+- **CloudMigrations:** Fix OrderBy clause in GetSnapshotList sql handler [#102351](https://github.com/grafana/grafana/pull/102351), [@mmandrus](https://github.com/mmandrus)
+- **Service Accounts:** Do not show error pop-ups for Service Account and Renderer UI flows [#101795](https://github.com/grafana/grafana/pull/101795), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.2.8+security-01 END -->
+<!-- 10.4.17+security-01 START -->
+
+# 10.4.17+security-01 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.23.7 [#101565](https://github.com/grafana/grafana/pull/101565), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go version to 1.23.7 (Enterprise)
+- **Chore:** Bump golang-jwt/jwt/v4 and golang-jwt/jwt/v5 to address security issues [#102762](https://github.com/grafana/grafana/pull/102762), [@macabu](https://github.com/macabu)
+
+### Bug fixes
+
+- **Alerting:** Update slack image upload to use new API [#101483](https://github.com/grafana/grafana/pull/101483), [@moustafab](https://github.com/moustafab)
+- **Service Accounts:** Do not show error pop-ups for Service Account and Renderer UI flows [#101804](https://github.com/grafana/grafana/pull/101804), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **Security:** Fix CVE-2025-3454
+
+<!-- 10.4.17+security-01 END -->
 <!-- 11.6.0 START -->

 # 11.6.0 (2025-03-25)
@@ -1,24 +0,0 @@
-TableNG: Fix interpolation for actions (#104577)
-
-(cherry picked from commit 6c0250dde285affbdc56edcd069473f33d48b3be)
-
-# Conflicts:
-#	packages/grafana-ui/src/components/Table/TableNG/Cells/TableCellNG.tsx
-#
-# It looks like you may be committing a cherry-pick.
-# If this is not correct, please run
-#	git update-ref -d CHERRY_PICK_HEAD
-# and try again.
-
-
-# Please enter the commit message for your changes. Lines starting
-# with '#' will be ignored, and an empty message aborts the commit.
-#
-# Author:    Adela Almasan <88068998+adela-almasan@users.noreply.github.com>
-# Date:      Wed Apr 30 09:42:15 2025 -0500
-#
-# On branch backport-104577-to-release-12.0.1
-# Your branch is up to date with 'origin/backport-104577-to-release-12.0.1'.
-#
-# You are currently cherry-picking commit 6c0250dde28.
-#
@@ -60,17 +60,10 @@ WORKDIR /tmp/grafana

 COPY go.* ./
 COPY .bingo .bingo
-COPY .citools/bra .citools/bra
-COPY .citools/cue .citools/cue
-COPY .citools/cog .citools/cog
-COPY .citools/lefthook .citools/lefthook
-COPY .citools/jb .citools/jb
-COPY .citools/golangci-lint .citools/golangci-lint
-COPY .citools/swagger .citools/swagger
+COPY .citools .citools

 # Include vendored dependencies
 COPY pkg/util/xorm pkg/util/xorm
-COPY pkg/apis/folder pkg/apis/folder
 COPY pkg/apis/secret pkg/apis/secret
 COPY pkg/apiserver pkg/apiserver
 COPY pkg/apimachinery pkg/apimachinery
@@ -78,6 +71,7 @@ COPY pkg/build pkg/build
 COPY pkg/build/wire pkg/build/wire
 COPY pkg/promlib pkg/promlib
 COPY pkg/storage/unified/resource pkg/storage/unified/resource
+COPY pkg/storage/unified/resourcepb pkg/storage/unified/resourcepb
 COPY pkg/storage/unified/apistore pkg/storage/unified/apistore
 COPY pkg/semconv pkg/semconv
 COPY pkg/aggregator pkg/aggregator
@@ -86,6 +80,7 @@ COPY apps/investigations apps/investigations
 COPY apps/advisor apps/advisor
 COPY apps/dashboard apps/dashboard
 COPY apps/folder apps/folder
+COPY apps/iam apps/iam
 COPY apps apps
 COPY kindsv2 kindsv2
 COPY apps/alerting/notifications apps/alerting/notifications
@@ -30,3 +30,13 @@ The following directories and their subdirectories are licensed under their orig
 ```
 public/vendor/
 ```
+
+## MIT license
+
+The following files are licensed under MIT License:
+
+```
+.github/workflows/actionlint-format.txt
+  -> Vendored: https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
+  -> The workflow that uses it is AGPL-3.0-only.
+```
@@ -6,6 +6,7 @@ WIRE_TAGS = "oss"

 -include local/Makefile
 include .bingo/Variables.mk
+include .citools/Variables.mk

 GO = go
 GO_VERSION = 1.24.4
@@ -60,13 +61,13 @@ $(NGALERT_SPEC_TARGET):

 $(MERGED_SPEC_TARGET): swagger-oss-gen swagger-enterprise-gen $(NGALERT_SPEC_TARGET)  ## Merge generated and ngalert API specs
 	# known conflicts DsPermissionType, AddApiKeyCommand, Json, Duration (identical models referenced by both specs)
-	GODEBUG=gotypesalias=0 $(GO) tool swagger mixin -q $(SPEC_TARGET) $(ENTERPRISE_SPEC_TARGET) $(NGALERT_SPEC_TARGET) --ignore-conflicts -o $(MERGED_SPEC_TARGET)
+	GODEBUG=gotypesalias=0 $(swagger) mixin -q $(SPEC_TARGET) $(ENTERPRISE_SPEC_TARGET) $(NGALERT_SPEC_TARGET) --ignore-conflicts -o $(MERGED_SPEC_TARGET)

 .PHONY: swagger-oss-gen
 swagger-oss-gen: ## Generate API Swagger specification
 	@echo "re-generating swagger for OSS"
 	rm -f $(SPEC_TARGET)
-	SWAGGER_GENERATE_EXTENSION=false GODEBUG=gotypesalias=0 $(GO) tool swagger generate spec -q -m -w pkg/server -o $(SPEC_TARGET) \
+	SWAGGER_GENERATE_EXTENSION=false GODEBUG=gotypesalias=0 $(swagger) generate spec -q -m -w pkg/server -o $(SPEC_TARGET) \
 	-x "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions" \
 	-x "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options" \
 	-x "github.com/prometheus/alertmanager" \
@@ -84,7 +85,7 @@ else
 swagger-enterprise-gen: ## Generate API Swagger specification
 	@echo "re-generating swagger for enterprise"
 	rm -f $(ENTERPRISE_SPEC_TARGET)
-	SWAGGER_GENERATE_EXTENSION=false GODEBUG=gotypesalias=0 $(GO) tool swagger generate spec -q -m -w pkg/server -o $(ENTERPRISE_SPEC_TARGET) \
+	SWAGGER_GENERATE_EXTENSION=false GODEBUG=gotypesalias=0 $(swagger) generate spec -q -m -w pkg/server -o $(ENTERPRISE_SPEC_TARGET) \
 	-x "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions" \
 	-x "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2/options" \
 	-x "github.com/prometheus/alertmanager" \
@@ -98,7 +99,7 @@ swagger-gen: gen-go $(MERGED_SPEC_TARGET) swagger-validate

 .PHONY: swagger-validate
 swagger-validate: $(MERGED_SPEC_TARGET) # Validate API spec
-	GODEBUG=gotypesalias=0 $(GO) tool swagger validate --skip-warnings $(<)
+	GODEBUG=gotypesalias=0 $(swagger) validate --skip-warnings $(<)

 .PHONY: swagger-clean
 swagger-clean:
@@ -110,11 +111,11 @@ cleanup-old-git-hooks:

 .PHONY: lefthook-install
 lefthook-install: cleanup-old-git-hooks # install lefthook for pre-commit hooks
-	$(GO) tool lefthook install -f
+	$(lefthook) install -f

 .PHONY: lefthook-uninstall
 lefthook-uninstall:
-	$(GO) tool lefthook uninstall
+	$(lefthook) uninstall

 ##@ OpenAPI 3
 OAPI_SPEC_TARGET = public/openapi3.json
@@ -139,6 +140,8 @@ endif
 i18n-extract: i18n-extract-enterprise
 	@echo "Extracting i18n strings for OSS"
 	yarn run i18next --config public/locales/i18next-parser.config.cjs
+	@echo "Extracting i18n strings for plugins"
+	yarn run plugin:i18n-extract

 ##@ Building
 .PHONY: gen-cue
@@ -163,7 +166,7 @@ gen-cuev2: ## Do all CUE code generation
 # For now, we want to use an explicit list of apps to generate code for.
 #
 # APPS_DIRS=$(shell find ./apps -mindepth 1 -maxdepth 1 -type d | sort)
-APPS_DIRS := ./apps/dashboard ./apps/folder
+APPS_DIRS := ./apps/dashboard ./apps/folder ./apps/alerting/notifications

 .PHONY: gen-apps
 gen-apps: ## Generate code for Grafana App SDK apps
@@ -192,8 +195,8 @@ gen-go:
 .PHONY: fix-cue
 fix-cue:
 	@echo "formatting cue files"
-	$(GO) tool cue fix kinds/**/*.cue
-	$(GO) tool cue fix public/app/plugins/**/**/*.cue
+	$(cue) fix kinds/**/*.cue
+	$(cue) fix public/app/plugins/**/**/*.cue

 .PHONY: gen-jsonnet
 gen-jsonnet:
@@ -250,7 +253,7 @@ build: build-go build-js ## Build backend and frontend.

 .PHONY: run
 run: ## Build and run web server on filesystem changes. See /.bra.toml for configuration.
-	$(GO) tool bra run
+	$(bra) run

 .PHONY: run-go
 run-go: ## Build and run web server immediately.
@@ -342,7 +345,7 @@ test: test-go test-js ## Run all tests.
 .PHONY: golangci-lint
 golangci-lint:
 	@echo "lint via golangci-lint"
-	$(GO) tool golangci-lint run \
+	$(golangci-lint) run \
 		--config .golangci.yml \
 		$(if $(GO_BUILD_TAGS),--build-tags $(GO_BUILD_TAGS)) \
 		$(GO_LINT_FILES)
@@ -357,7 +360,7 @@ lint-go-diff:
 		$(XARGSR) dirname | \
 		sort -u | \
 		sed 's,^,./,' | \
-		$(XARGSR) $(GO) tool golangci-lint run --config .golangci.yml
+		$(XARGSR) $(golangci-lint) run --config .golangci.yml

 # with disabled SC1071 we are ignored some TCL,Expect `/usr/bin/env expect` scripts
 .PHONY: shellcheck
@@ -450,11 +453,11 @@ devenv-mysql:
 .PHONY: protobuf
 protobuf: ## Compile protobuf definitions
 	bash scripts/protobuf-check.sh
-	go install google.golang.org/protobuf/cmd/protoc-gen-go
+	go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.36.5
 	go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.4.0
 	buf generate pkg/plugins/backendplugin/pluginextensionv2 --template pkg/plugins/backendplugin/pluginextensionv2/buf.gen.yaml
 	buf generate pkg/apis/secret/v0alpha1/decrypt --template pkg/apis/secret/v0alpha1/decrypt/buf.gen.yaml
-	buf generate pkg/storage/unified/resource --template pkg/storage/unified/resource/buf.gen.yaml
+	buf generate pkg/storage/unified/proto --template pkg/storage/unified/proto/buf.gen.yaml
 	buf generate pkg/services/authz/proto/v1 --template pkg/services/authz/proto/v1/buf.gen.yaml
 	buf generate pkg/services/ngalert/store/proto/v1 --template pkg/services/ngalert/store/proto/v1/buf.gen.yaml

@@ -511,3 +514,9 @@ check-tparse:
 .PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+# check licenses of used dependencies (can be run using build image using
+# container/check-licenses target)
+check-licenses:
+	license_finder --decisions-file .github/license_finder.yaml
+
@@ -1,10 +1,16 @@
 # Reporting security issues

-This product is in scope for our Bug Bounty Program. To submit a vulnerability report, please visit [Grafana Labs Bug Bounty Policy page](https://github.com/grafana/bugbounty) and follow the instructions provided. Our security team will review your submission and get back to you as soon as possible.
+If you think you have found a security vulnerability, we have two routes for reporting security issues.
+
+Important: Whichever route you choose, we ask you to not disclose the vulnerability before it has been fixed and announced, unless you received a response from the Grafana Labs security team that you can do so.
+
+[Full guidance on reporting a security issue can be found here](https://grafana.com/legal/report-a-security-issue/).
+
+This product is in scope for our Bug Bounty Program. To submit a vulnerability report, please visit [Grafana Labs Bug Bounty page](https://app.intigriti.com/programs/grafanalabs/grafanaossbbp/detail) and follow the instructions provided. Our security team will review your submission and get back to you as soon as possible.

 ---

-For any other security issues, please send an email to security@grafana.com
+For products and services outside the scope of our bug bounty program, or if you do not wish to receive a bounty, you can report issues directly to us via email at security@grafana.com. This address can be used for all of Grafana Labs’ open source and commercial products (including but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com).

 Please encrypt your message to us; please use our PGP key. The key fingerprint is:

@@ -0,0 +1,155 @@
+# Grafana Advisor - Implementing New Checks
+
+This guide explains how to implement new checks in the Grafana Advisor system. The Advisor system allows you to create custom checks that can validate various aspects of your Grafana instance.
+
+## Check Structure
+
+A check in Grafana Advisor consists of two main components:
+
+1. A main check struct that implements the [`checks.Check`](https://github.com/grafana/grafana/blob/269226cb50b970ad9f692f1fdd220e9822e90db8/apps/advisor/pkg/app/checks/ifaces.go#L11-L25) interface
+2. One or more step structs that implement the [`checks.Step`](https://github.com/grafana/grafana/blob/269226cb50b970ad9f692f1fdd220e9822e90db8/apps/advisor/pkg/app/checks/ifaces.go#L28-L39) interface
+
+## Implementing a New Check
+
+### 1. Create the Check Package
+
+Create a new package in `pkg/app/checks/` for your check. For example, if you're creating a check for validating configuration fields, you might create `pkg/app/checks/configchecks/`. Add a `check.go` file to the package, there we will implement the check interface. Let's start by implementing the `Check` interface but without any steps yet:
+
+```go
+package configchecks
+
+var _ checks.Check = (*check)(nil)
+
+type check struct{}
+
+func New() checks.Check {
+	return &check{}
+}
+
+func (c *check) ID() string {
+	return "config"
+}
+
+func (c *check) Name() string {
+	return "config setting"
+}
+
+func (c *check) Items(ctx context.Context) ([]any, error) {
+	return nil, nil
+}
+
+func (c *check) Item(ctx context.Context, id string) (any, error) {
+	return nil, nil
+}
+
+func (c *check) Init(ctx context.Context) error {
+	return nil
+}
+
+func (c *check) Steps() []checks.Step {
+	return []checks.Step{}
+}
+
+```
+
+### 2. Define Dependencies and Register the Check
+
+In order to be able to implement a check, it will likely need some dependencies in the form of `wire` services. This is the internal dependency injection system used in Grafana and it allows you to access the services you need.
+
+For our example, we will need access to the grafana settings, which are exposed by wire as `*setting.Cfg` (in this case is a pointer to a struct, not an interface but the idea is the same). So let's add it to our check as a parameter for our `New` function:
+
+```go
+type check struct {
+	cfg *setting.Cfg
+}
+
+func New(cfg *setting.Cfg) checks.Check {
+	return &check{
+		cfg: cfg,
+	}
+}
+```
+
+Now, to register our check in the `checkregistry` package, we need to add it to the `ProvideService` function. First, we need to verify that the services we need are available in the `ProvideService` function, and if not, add them. Then, we need to add our check to the `Checks` slice.
+
+```go
+func ProvideService(..., cfg *setting.Cfg,
+) *Service {
+    return &Service{
+        ...
+        cfg: cfg,
+    }
+}
+
+func (s *Service) Checks() []checks.Check {
+	return []checks.Check{
+        ...
+        configchecks.New(s.cfg),
+    }
+}
+```
+
+### 3. Complete the Check Implementation
+
+Now that we have our check registered, we can implement the rest of the check logic.
+
+#### 3.1. Implement the `Items` and `Item` methods
+
+The `Items` method is used to return a list of items that the check will be run on (e.g. all data sources, all plugins, etc). The `Item` method is used to return a single item by its ID.
+
+These functions can return `any` type, we will convert them to the expected type in the step `Run` method.
+
+In our case, we will implement the `Items` method to return a list of config sections that we want to check. The `Item` method will return a single config section by its name.
+
+```go
+func (c *check) Items(ctx context.Context) ([]any, error) {
+	return []any{"security.secret_key"}, nil
+}
+
+func (c *check) Item(ctx context.Context, id string) (any, error) {
+	return id, nil
+}
+```
+
+Check other checks for examples of how to implement these methods in more interesting ways.
+
+#### 3.2. Implement the `Init` method
+
+The `Init` method is used to initialize the check. It is called when the check is first created. It should be used to gather any information that is needed to run the check and for the steps to have some shared context.
+
+In our case, we don't need to do anything special so we can just return `nil`.
+
+```go
+func (c *check) Init(ctx context.Context) error {
+	return nil
+}
+```
+
+One more interesting example is the `plugincheck`, where we gather all the plugin information from GCOM and store it in the check struct.
+
+### 4. Implement Steps
+
+Like the `Check` interface, each `Step` needs to return some information (metadata) about the step, which will be used to populate the UI, and the logic to `Run` the step.
+
+In our example, we will implement a step that will check if the `security.secret_key` is set correctly. In case it's not correct, we recommend the user to follow the documentation.
+
+Check [`security_config_step.go`](./pkg/app/checks/configchecks/security_config_step.go) for the full implementation.
+
+## Best Practices
+
+1. **Error Handling**: In general, avoid returning errors for known issues, these will mark the check report as failed and the UI will render an error page. Only unexpected errors should be returned.
+
+2. **Type Safety**: Use type assertions to ensure you're working with the correct type of item.
+
+3. **Severity Levels**: Use appropriate severity levels:
+
+   - `CheckReportFailureSeverityHigh`: For critical issues that need immediate attention
+   - `CheckReportFailureSeverityLow`: For non-critical issues that can be addressed later
+
+4. **Resolution Links**: Provide helpful links in the `CheckErrorLink` slice to help users resolve issues.
+
+5. **Logging**: Use the provided logger to log important information and errors.
+
+## Testing
+
+Create tests for your check and its steps to ensure they work as expected. Test both successful and failure scenarios.
--- a/Show More
+++ b/Show More