[release-11.2.11] Docs: Document cell options by cell type (#108640)

IAM: Return 401 if identity type is not valid in GetUserPreferences (#107760)

fix(GetUserPreferences): Return 401 if identity type is not valid

(cherry picked from commit e4743a9092)

.bingo/Variables.mk

@@ -35,11 +35,11 @@ $(DRONE): $(BINGO_DIR)/drone.mod
 	@echo "(re)installing $(GOBIN)/drone-v1.5.0"
 	@cd $(BINGO_DIR) && GOWORK=off CGO_ENABLED=0 $(GO) build -mod=mod -modfile=drone.mod -o=$(GOBIN)/drone-v1.5.0 "github.com/drone/drone-cli/drone"
 
-GOLANGCI_LINT := $(GOBIN)/golangci-lint-v1.59.1
+GOLANGCI_LINT := $(GOBIN)/golangci-lint-v1.64.2
 $(GOLANGCI_LINT): $(BINGO_DIR)/golangci-lint.mod
 	@# Install binary/ries using Go 1.14+ build command. This is using bwplotka/bingo-controlled, separate go module with pinned dependencies.
-	@echo "(re)installing $(GOBIN)/golangci-lint-v1.59.1"
-	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=golangci-lint.mod -o=$(GOBIN)/golangci-lint-v1.59.1 "github.com/golangci/golangci-lint/cmd/golangci-lint"
+	@echo "(re)installing $(GOBIN)/golangci-lint-v1.64.2"
+	@cd $(BINGO_DIR) && GOWORK=off $(GO) build -mod=mod -modfile=golangci-lint.mod -o=$(GOBIN)/golangci-lint-v1.64.2 "github.com/golangci/golangci-lint/cmd/golangci-lint"
 
 JB := $(GOBIN)/jb-v0.5.1
 $(JB): $(BINGO_DIR)/jb.mod

.bingo/golangci-lint.mod

@@ -1,7 +1,5 @@
 module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT
 
-go 1.22
+go 1.24.3
 
-toolchain go1.22.4
-
-require github.com/golangci/golangci-lint v1.59.1 // cmd/golangci-lint
+require github.com/golangci/golangci-lint v1.64.2 // cmd/golangci-lint

.bingo/golangci-lint.sum

@@ -2,6 +2,8 @@
 4d63.com/gocheckcompilerdirectives v1.2.1/go.mod h1:yjDJSxmDTtIHHCqX0ufRYZDL6vQtMG7tJdKVeWwsqvs=
 4d63.com/gochecknoglobals v0.2.1 h1:1eiorGsgHOFOuoOiJDy2psSrQbRdIHrlge0IJIkUgDc=
 4d63.com/gochecknoglobals v0.2.1/go.mod h1:KRE8wtJB3CXCsb1xy421JfTHIIbmT3U5ruxw2Qu8fSU=
+4d63.com/gochecknoglobals v0.2.2 h1:H1vdnwnMaZdQW/N+NrkT1SZMTBmcwHe9Vq8lJcYYTtU=
+4d63.com/gochecknoglobals v0.2.2/go.mod h1:lLxwTQjL5eIesRbvnzIP3jZtG140FnTdz+AlMa+ogt0=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -39,42 +41,76 @@ github.com/4meepo/tagalign v1.3.3 h1:ZsOxcwGD/jP4U/aw7qeWu58i7dwYemfy5Y+IF1ACoNw
 github.com/4meepo/tagalign v1.3.3/go.mod h1:Q9c1rYMZJc9dPRkbQPpcBNCLEmY2njbAsXhQOZFE2dE=
 github.com/4meepo/tagalign v1.3.4 h1:P51VcvBnf04YkHzjfclN6BbsopfJR5rxs1n+5zHt+w8=
 github.com/4meepo/tagalign v1.3.4/go.mod h1:M+pnkHH2vG8+qhE5bVc/zeP7HS/j910Fwa9TUSyZVI0=
+github.com/4meepo/tagalign v1.4.1 h1:GYTu2FaPGOGb/xJalcqHeD4il5BiCywyEYZOA55P6J4=
+github.com/4meepo/tagalign v1.4.1/go.mod h1:2H9Yu6sZ67hmuraFgfZkNcg5Py9Ch/Om9l2K/2W1qS4=
 github.com/Abirdcfly/dupword v0.0.14 h1:3U4ulkc8EUo+CaT105/GJ1BQwtgyj6+VaBVbAX11Ba8=
 github.com/Abirdcfly/dupword v0.0.14/go.mod h1:VKDAbxdY8YbKUByLGg8EETzYSuC4crm9WwI6Y3S0cLI=
+github.com/Abirdcfly/dupword v0.1.1 h1:Bsxe0fIw6OwBtXMIncaTxCLHYO5BB+3mcsR5E8VXloY=
+github.com/Abirdcfly/dupword v0.1.1/go.mod h1:B49AcJdTYYkpd4HjgAcutNGG9HZ2JWwKunH9Y2BA6sM=
+github.com/Abirdcfly/dupword v0.1.3 h1:9Pa1NuAsZvpFPi9Pqkd93I7LIYRURj+A//dFd5tgBeE=
+github.com/Abirdcfly/dupword v0.1.3/go.mod h1:8VbB2t7e10KRNdwTVoxdBaxla6avbhGzb8sCTygUMhw=
 github.com/Antonboom/errname v0.1.12 h1:oh9ak2zUtsLp5oaEd/erjB4GPu9w19NyoIskZClDcQY=
 github.com/Antonboom/errname v0.1.12/go.mod h1:bK7todrzvlaZoQagP1orKzWXv59X/x0W0Io2XT1Ssro=
 github.com/Antonboom/errname v0.1.13 h1:JHICqsewj/fNckzrfVSe+T33svwQxmjC+1ntDsHOVvM=
 github.com/Antonboom/errname v0.1.13/go.mod h1:uWyefRYRN54lBg6HseYCFhs6Qjcy41Y3Jl/dVhA87Ns=
+github.com/Antonboom/errname v1.0.0 h1:oJOOWR07vS1kRusl6YRSlat7HFnb3mSfMl6sDMRoTBA=
+github.com/Antonboom/errname v1.0.0/go.mod h1:gMOBFzK/vrTiXN9Oh+HFs+e6Ndl0eTFbtsRTSRdXyGI=
 github.com/Antonboom/nilnil v0.1.7 h1:ofgL+BA7vlA1K2wNQOsHzLJ2Pw5B5DpWRLdDAVvvTow=
 github.com/Antonboom/nilnil v0.1.7/go.mod h1:TP+ScQWVEq0eSIxqU8CbdT5DFWoHp0MbP+KMUO1BKYQ=
 github.com/Antonboom/nilnil v0.1.9 h1:eKFMejSxPSA9eLSensFmjW2XTgTwJMjZ8hUHtV4s/SQ=
 github.com/Antonboom/nilnil v0.1.9/go.mod h1:iGe2rYwCq5/Me1khrysB4nwI7swQvjclR8/YRPl5ihQ=
+github.com/Antonboom/nilnil v1.0.0 h1:n+v+B12dsE5tbAqRODXmEKfZv9j2KcTBrp+LkoM4HZk=
+github.com/Antonboom/nilnil v1.0.0/go.mod h1:fDJ1FSFoLN6yoG65ANb1WihItf6qt9PJVTn/s2IrcII=
+github.com/Antonboom/nilnil v1.0.1 h1:C3Tkm0KUxgfO4Duk3PM+ztPncTFlOf0b2qadmS0s4xs=
+github.com/Antonboom/nilnil v1.0.1/go.mod h1:CH7pW2JsRNFgEh8B2UaPZTEPhCMuFowP/e8Udp9Nnb0=
 github.com/Antonboom/testifylint v1.2.0 h1:015bxD8zc5iY8QwTp4+RG9I4kIbqwvGX9TrBbb7jGdM=
 github.com/Antonboom/testifylint v1.2.0/go.mod h1:rkmEqjqVnHDRNsinyN6fPSLnoajzFwsCcguJgwADBkw=
 github.com/Antonboom/testifylint v1.3.0 h1:UiqrddKs1W3YK8R0TUuWwrVKlVAnS07DTUVWWs9c+y4=
 github.com/Antonboom/testifylint v1.3.0/go.mod h1:NV0hTlteCkViPW9mSR4wEMfwp+Hs1T3dY60bkvSfhpM=
 github.com/Antonboom/testifylint v1.3.1 h1:Uam4q1Q+2b6H7gvk9RQFw6jyVDdpzIirFOOrbs14eG4=
 github.com/Antonboom/testifylint v1.3.1/go.mod h1:NV0hTlteCkViPW9mSR4wEMfwp+Hs1T3dY60bkvSfhpM=
+github.com/Antonboom/testifylint v1.4.3 h1:ohMt6AHuHgttaQ1xb6SSnxCeK4/rnK7KKzbvs7DmEck=
+github.com/Antonboom/testifylint v1.4.3/go.mod h1:+8Q9+AOLsz5ZiQiiYujJKs9mNz398+M6UgslP4qgJLA=
+github.com/Antonboom/testifylint v1.5.0 h1:dlUIsDMtCrZWUnvkaCz3quJCoIjaGi41GzjPBGkkJ8A=
+github.com/Antonboom/testifylint v1.5.0/go.mod h1:wqaJbu0Blb5Wag2wv7Z5xt+CIV+eVLxtGZrlK13z3AE=
+github.com/Antonboom/testifylint v1.5.2 h1:4s3Xhuv5AvdIgbd8wOOEeo0uZG7PbDKQyKY5lGoQazk=
+github.com/Antonboom/testifylint v1.5.2/go.mod h1:vxy8VJ0bc6NavlYqjZfmp6EfqXMtBgQ4+mhCojwC1P8=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c h1:pxW6RcqyfI9/kWtOwnv/G+AzdKuy2ZrqINhenH4HyNs=
+github.com/BurntSushi/toml v1.4.1-0.20240526193622-a339e1f7089c/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Crocmagnon/fatcontext v0.2.2 h1:OrFlsDdOj9hW/oBEJBNSuH7QWf+E9WPVHw+x52bXVbk=
 github.com/Crocmagnon/fatcontext v0.2.2/go.mod h1:WSn/c/+MMNiD8Pri0ahRj0o9jVpeowzavOQplBJw6u0=
+github.com/Crocmagnon/fatcontext v0.4.0 h1:4ykozu23YHA0JB6+thiuEv7iT6xq995qS1vcuWZq0tg=
+github.com/Crocmagnon/fatcontext v0.4.0/go.mod h1:ZtWrXkgyfsYPzS6K3O88va6t2GEglG93vnII/F94WC0=
+github.com/Crocmagnon/fatcontext v0.5.2 h1:vhSEg8Gqng8awhPju2w7MKHqMlg4/NI+gSDHtR3xgwA=
+github.com/Crocmagnon/fatcontext v0.5.2/go.mod h1:87XhRMaInHP44Q7Tlc7jkgKKB7kZAOPiDkFMdKCC+74=
+github.com/Crocmagnon/fatcontext v0.7.1 h1:SC/VIbRRZQeQWj/TcQBS6JmrXcfA+BU4OGSVUt54PjM=
+github.com/Crocmagnon/fatcontext v0.7.1/go.mod h1:1wMvv3NXEBJucFGfwOJBxSVWcoIO6emV215SMkW9MFU=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rWPdisA5ynNEsoARbiCBOyGcJM4/OzsM=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 h1:sATXp1x6/axKxz2Gjxv8MALP0bXaNRfQinEwyfMcx8c=
 github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0/go.mod h1:Nl76DrGNJTA1KJ0LePKBw/vznBX1EHbAZX8mwjR82nI=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0 h1:/fTUt5vmbkAcMBt4YQiuC23cV0kEsN1MVMNqeOW43cU=
+github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.0/go.mod h1:ONJg5sxcbsdQQ4pOW8TGdTidT2TMAUy/2Xhr8mrYaao=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA=
 github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ=
 github.com/alecthomas/go-check-sumtype v0.1.4 h1:WCvlB3l5Vq5dZQTFmodqL2g68uHiSwwlWcT5a2FGK0c=
 github.com/alecthomas/go-check-sumtype v0.1.4/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ=
+github.com/alecthomas/go-check-sumtype v0.2.0 h1:Bo+e4DFf3rs7ME9w/0SU/g6nmzJaphduP8Cjiz0gbwY=
+github.com/alecthomas/go-check-sumtype v0.2.0/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ=
+github.com/alecthomas/go-check-sumtype v0.3.1 h1:u9aUvbGINJxLVXiFvHUlPEaD7VDULsrxJb4Aq31NLkU=
+github.com/alecthomas/go-check-sumtype v0.3.1/go.mod h1:A8TSiN3UPRw3laIgWEUOHHLPa6/r9MtoigdlP5h3K/E=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -82,42 +118,66 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alexkohler/nakedret/v2 v2.0.4 h1:yZuKmjqGi0pSmjGpOC016LtPJysIL0WEUiaXW5SUnNg=
 github.com/alexkohler/nakedret/v2 v2.0.4/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
+github.com/alexkohler/nakedret/v2 v2.0.5 h1:fP5qLgtwbx9EJE8dGEERT02YwS8En4r9nnZ71RK+EVU=
+github.com/alexkohler/nakedret/v2 v2.0.5/go.mod h1:bF5i0zF2Wo2o4X4USt9ntUWve6JbFv02Ff4vlkmS/VU=
 github.com/alexkohler/prealloc v1.0.0 h1:Hbq0/3fJPQhNkN0dR95AVrr6R7tou91y0uHG5pOcUuw=
 github.com/alexkohler/prealloc v1.0.0/go.mod h1:VetnK3dIgFBBKmg0YnD9F9x6Icjd+9cvfHR56wJVlKE=
 github.com/alingse/asasalint v0.0.11 h1:SFwnQXJ49Kx/1GghOFz1XGqHYKp21Kq1nHad/0WQRnw=
 github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqrSP7t/cW5+I=
+github.com/alingse/nilnesserr v0.1.2 h1:Yf8Iwm3z2hUUrP4muWfW83DF4nE3r1xZ26fGWUKCZlo=
+github.com/alingse/nilnesserr v0.1.2/go.mod h1:1xJPrXonEtX7wyTq8Dytns5P2hNzoWymVUIaKm4HNFg=
 github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8gerOIVIY=
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
+github.com/ashanbrown/makezero v1.2.0 h1:/2Lp1bypdmK9wDIq7uWBlDF1iMUpIIS4A+pF6C9IEUU=
+github.com/ashanbrown/makezero v1.2.0/go.mod h1:dxlPhHbDMC6N6xICzFBSK+4njQDdK8euNO0qjQMtGY4=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bkielbasa/cyclop v1.2.1 h1:AeF71HZDob1P2/pRm1so9cd1alZnrpyc4q2uP2l0gJY=
 github.com/bkielbasa/cyclop v1.2.1/go.mod h1:K/dT/M0FPAiYjBgQGau7tz+3TMh4FWAEqlMhzFWCrgM=
+github.com/bkielbasa/cyclop v1.2.3 h1:faIVMIGDIANuGPWH031CZJTi2ymOQBULs9H21HSMa5w=
+github.com/bkielbasa/cyclop v1.2.3/go.mod h1:kHTwA9Q0uZqOADdupvcFJQtp/ksSnytRMe8ztxG8Fuo=
 github.com/blizzy78/varnamelen v0.8.0 h1:oqSblyuQvFsW1hbBHh1zfwrKe3kcSj0rnXkKzsQ089M=
 github.com/blizzy78/varnamelen v0.8.0/go.mod h1:V9TzQZ4fLJ1DSrjVDfl89H7aMnTvKkApdHeyESmyR7k=
 github.com/bombsimon/wsl/v4 v4.2.1 h1:Cxg6u+XDWff75SIFFmNsqnIOgob+Q9hG6y/ioKbRFiM=
 github.com/bombsimon/wsl/v4 v4.2.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo=
+github.com/bombsimon/wsl/v4 v4.4.1 h1:jfUaCkN+aUpobrMO24zwyAMwMAV5eSziCkOKEauOLdw=
+github.com/bombsimon/wsl/v4 v4.4.1/go.mod h1:Xu/kDxGZTofQcDGCtQe9KCzhHphIe0fDuyWTxER9Feo=
+github.com/bombsimon/wsl/v4 v4.5.0 h1:iZRsEvDdyhd2La0FVi5k6tYehpOR/R7qIUjmKk7N74A=
+github.com/bombsimon/wsl/v4 v4.5.0/go.mod h1:NOQ3aLF4nD7N5YPXMruR6ZXDOAqLoM0GEpLwTdvmOSc=
 github.com/breml/bidichk v0.2.7 h1:dAkKQPLl/Qrk7hnP6P+E0xOodrq8Us7+U0o4UBOAlQY=
 github.com/breml/bidichk v0.2.7/go.mod h1:YodjipAGI9fGcYM7II6wFvGhdMYsC5pHDlGzqvEW3tQ=
+github.com/breml/bidichk v0.3.2 h1:xV4flJ9V5xWTqxL+/PMFF6dtJPvZLPsyixAoPe8BGJs=
+github.com/breml/bidichk v0.3.2/go.mod h1:VzFLBxuYtT23z5+iVkamXO386OB+/sVwZOpIj6zXGos=
 github.com/breml/errchkjson v0.3.6 h1:VLhVkqSBH96AvXEyclMR37rZslRrY2kcyq+31HCsVrA=
 github.com/breml/errchkjson v0.3.6/go.mod h1:jhSDoFheAF2RSDOlCfhHO9KqhZgAYLyvHe7bRCX8f/U=
+github.com/breml/errchkjson v0.4.0 h1:gftf6uWZMtIa/Is3XJgibewBm2ksAQSY/kABDNFTAdk=
+github.com/breml/errchkjson v0.4.0/go.mod h1:AuBOSTHyLSaaAFlWsRSuRBIroCh3eh7ZHh5YeelDIk8=
 github.com/butuzov/ireturn v0.3.0 h1:hTjMqWw3y5JC3kpnC5vXmFJAWI/m31jaCYQqzkS6PL0=
 github.com/butuzov/ireturn v0.3.0/go.mod h1:A09nIiwiqzN/IoVo9ogpa0Hzi9fex1kd9PSD6edP5ZA=
+github.com/butuzov/ireturn v0.3.1 h1:mFgbEI6m+9W8oP/oDdfA34dLisRFCj2G6o/yiI1yZrY=
+github.com/butuzov/ireturn v0.3.1/go.mod h1:ZfRp+E7eJLC0NQmk1Nrm1LOrn/gQlOykv+cVPdiXH5M=
 github.com/butuzov/mirror v1.1.0 h1:ZqX54gBVMXu78QLoiqdwpl2mgmoOJTk7s4p4o+0avZI=
 github.com/butuzov/mirror v1.1.0/go.mod h1:8Q0BdQU6rC6WILDiBM60DBfvV78OLJmMmixe7GF45AE=
 github.com/butuzov/mirror v1.2.0 h1:9YVK1qIjNspaqWutSv8gsge2e/Xpq1eqEkslEUHy5cs=
 github.com/butuzov/mirror v1.2.0/go.mod h1:DqZZDtzm42wIAIyHXeN8W/qb1EPlb9Qn/if9icBOpdQ=
+github.com/butuzov/mirror v1.3.0 h1:HdWCXzmwlQHdVhwvsfBb2Au0r3HyINry3bDWLYXiKoc=
+github.com/butuzov/mirror v1.3.0/go.mod h1:AEij0Z8YMALaq4yQj9CPPVYOyJQyiexpQEQgihajRfI=
 github.com/catenacyber/perfsprint v0.7.1 h1:PGW5G/Kxn+YrN04cRAZKC+ZuvlVwolYMrIyyTJ/rMmc=
 github.com/catenacyber/perfsprint v0.7.1/go.mod h1:/wclWYompEyjUD2FuIIDVKNkqz7IgBIWXIH3V0Zol50=
+github.com/catenacyber/perfsprint v0.8.1 h1:bGOHuzHe0IkoGeY831RW4aSlt1lPRd3WRAScSWOaV7E=
+github.com/catenacyber/perfsprint v0.8.1/go.mod h1:/wclWYompEyjUD2FuIIDVKNkqz7IgBIWXIH3V0Zol50=
 github.com/ccojocar/zxcvbn-go v1.0.2 h1:na/czXU8RrhXO4EZme6eQJLR4PzcGsahsBOAwU6I3Vg=
 github.com/ccojocar/zxcvbn-go v1.0.2/go.mod h1:g1qkXtUSvHP8lhHp5GrSmTz6uWALGRMQdw6Qnz/hi60=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charithe/durationcheck v0.0.10 h1:wgw73BiocdBDQPik+zcEoBG/ob8uyBHf2iyoHGPf5w4=
 github.com/charithe/durationcheck v0.0.10/go.mod h1:bCWXb7gYRysD1CU3C+u4ceO49LoGOY1C1L6uouGNreQ=
 github.com/chavacava/garif v0.1.0 h1:2JHa3hbYf5D9dsgseMKAmc/MZ109otzgNFk5s87H9Pc=
@@ -129,15 +189,26 @@ github.com/ckaznocha/intrange v0.1.0 h1:ZiGBhvrdsKpoEfzh9CjBfDSZof6QB0ORY5tXasUt
 github.com/ckaznocha/intrange v0.1.0/go.mod h1:Vwa9Ekex2BrEQMg6zlrWwbs/FtYw7eS5838Q7UjK7TQ=
 github.com/ckaznocha/intrange v0.1.2 h1:3Y4JAxcMntgb/wABQ6e8Q8leMd26JbX2790lIss9MTI=
 github.com/ckaznocha/intrange v0.1.2/go.mod h1:RWffCw/vKBwHeOEwWdCikAtY0q4gGt8VhJZEEA5n+RE=
+github.com/ckaznocha/intrange v0.2.0 h1:FykcZuJ8BD7oX93YbO1UY9oZtkRbp+1/kJcDjkefYLs=
+github.com/ckaznocha/intrange v0.2.0/go.mod h1:r5I7nUlAAG56xmkOpw4XVr16BXhwYTUdcuRFeevn1oE=
+github.com/ckaznocha/intrange v0.2.1 h1:M07spnNEQoALOJhwrImSrJLaxwuiQK+hA2DeajBlwYk=
+github.com/ckaznocha/intrange v0.2.1/go.mod h1:7NEhVyf8fzZO5Ds7CRaqPEm52Ut83hsTiL5zbER/HYk=
+github.com/ckaznocha/intrange v0.3.0 h1:VqnxtK32pxgkhJgYQEeOArVidIPg+ahLP7WBOXZd5ZY=
+github.com/ckaznocha/intrange v0.3.0/go.mod h1:+I/o2d2A1FBHgGELbGxzIcyd3/9l9DuwjM8FsbSS3Lo=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/curioswitch/go-reassign v0.2.0 h1:G9UZyOcpk/d7Gd6mqYgd8XYWFMw/znxwGDUstnC9DIo=
 github.com/curioswitch/go-reassign v0.2.0/go.mod h1:x6OpXuWvgfQaMGks2BZybTngWjT84hqJfKoO8Tt/Roc=
+github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
+github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
 github.com/daixiang0/gci v0.12.3 h1:yOZI7VAxAGPQmkb1eqt5g/11SUlwoat1fSblGLmdiQc=
 github.com/daixiang0/gci v0.12.3/go.mod h1:xtHP9N7AHdNvtRNfcx9gwTDfw7FRJx4bZUsiEfiNNAI=
 github.com/daixiang0/gci v0.13.4 h1:61UGkmpoAcxHM2hhNkZEf5SzwQtWJXTSws7jaPyqwlw=
 github.com/daixiang0/gci v0.13.4/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
+github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c=
+github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -153,6 +224,8 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
 github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/firefart/nonamedreturns v1.0.4 h1:abzI1p7mAEPYuR4A+VLKn4eNDOycjYo2phmY9sfv40Y=
@@ -167,10 +240,16 @@ github.com/ghostiam/protogetter v0.3.5 h1:+f7UiF8XNd4w3a//4DnusQ2SZjPkUjxkMEfjbx
 github.com/ghostiam/protogetter v0.3.5/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw=
 github.com/ghostiam/protogetter v0.3.6 h1:R7qEWaSgFCsy20yYHNIJsU9ZOb8TziSRRxuAOTVKeOk=
 github.com/ghostiam/protogetter v0.3.6/go.mod h1:7lpeDnEJ1ZjL/YtyoN99ljO4z0pd3H0d18/t2dPBxHw=
+github.com/ghostiam/protogetter v0.3.8 h1:LYcXbYvybUyTIxN2Mj9h6rHrDZBDwZloPoKctWrFyJY=
+github.com/ghostiam/protogetter v0.3.8/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
+github.com/ghostiam/protogetter v0.3.9 h1:j+zlLLWzqLay22Cz/aYwTHKQ88GE2DQ6GkWSYFOI4lQ=
+github.com/ghostiam/protogetter v0.3.9/go.mod h1:WZ0nw9pfzsgxuRsPOFQomgDVSWtDLJRfQJEhsGbmQMA=
 github.com/go-critic/go-critic v0.11.2 h1:81xH/2muBphEgPtcwH1p6QD+KzXl2tMSi3hXjBSxDnM=
 github.com/go-critic/go-critic v0.11.2/go.mod h1:OePaicfjsf+KPy33yq4gzv6CO7TEQ9Rom6ns1KsJnl8=
 github.com/go-critic/go-critic v0.11.4 h1:O7kGOCx0NDIni4czrkRIXTnit0mkyKOCePh3My6OyEU=
 github.com/go-critic/go-critic v0.11.4/go.mod h1:2QAdo4iuLik5S9YG0rT4wcZ8QxwHYkrr6/2MWAiv/vc=
+github.com/go-critic/go-critic v0.11.5 h1:TkDTOn5v7EEngMxu8KbuFqFR43USaaH8XRJLz1jhVYA=
+github.com/go-critic/go-critic v0.11.5/go.mod h1:wu6U7ny9PiaHaZHcvMDmdysMqvDem162Rh3zWTrqk8M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -202,12 +281,20 @@ github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1 h1:TQcrn6Wq+sKGkpyPvppOz99zsM
 github.com/go-viper/mapstructure/v2 v2.0.0-alpha.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.1.0 h1:gHnMa2Y/pIxElCH2GlZZ1lZSsn6XMtufpGyP1XxdC/w=
+github.com/go-viper/mapstructure/v2 v2.1.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U=
 github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
+github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
+github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -240,14 +327,28 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
+github.com/golangci/go-printf-func-name v0.1.0 h1:dVokQP+NMTO7jwO4bwsRwLWeudOVUPPyAKJuzv8pEJU=
+github.com/golangci/go-printf-func-name v0.1.0/go.mod h1:wqhWFH5mUdJQhweRnldEywnR5021wTdZSNgwYceV14s=
 github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e h1:ULcKCDV1LOZPFxGZaA6TlQbiM3J2GCPnkx/bGF6sX/g=
 github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e/go.mod h1:Pm5KhLPA8gSnQwrQ6ukebRcapGb/BG9iUkdaiCcGHJM=
+github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9 h1:/1322Qns6BtQxUZDTAT4SdcoxknUki7IAoK4SAXr8ME=
+github.com/golangci/gofmt v0.0.0-20240816233607-d8596aa466a9/go.mod h1:Oesb/0uFAyWoaw1U1qS5zyjCg5NP9C9iwjnI4tIsXEE=
+github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d h1:viFft9sS/dxoYY0aiOTsLKO2aZQAPT4nlQCsimGcSGE=
+github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d/go.mod h1:ivJ9QDg0XucIkmwhzCDsqcnxxlDStoTl89jDMIoNxKY=
 github.com/golangci/golangci-lint v1.57.1 h1:cqhpzkzjDwdN12rfMf1SUyyKyp88a1SltNqEYGS0nJw=
 github.com/golangci/golangci-lint v1.57.1/go.mod h1:zLcHhz3NHc88T5zV2j75lyc0zH3LdOPOybblYa4p0oI=
 github.com/golangci/golangci-lint v1.59.0 h1:st69YDnAH/v2QXDcgUaZ0seQajHScPALBVkyitYLXEk=
 github.com/golangci/golangci-lint v1.59.0/go.mod h1:QNA32UWdUdHXnu+Ap5/ZU4WVwyp2tL94UxEXrSErjg0=
 github.com/golangci/golangci-lint v1.59.1 h1:CRRLu1JbhK5avLABFJ/OHVSQ0Ie5c4ulsOId1h3TTks=
 github.com/golangci/golangci-lint v1.59.1/go.mod h1:jX5Oif4C7P0j9++YB2MMJmoNrb01NJ8ITqKWNLewThg=
+github.com/golangci/golangci-lint v1.60.1 h1:DRKNqNTQRLBJZ1il5u4fvgLQCjQc7QFs0DbhksJtVJE=
+github.com/golangci/golangci-lint v1.60.1/go.mod h1:jDIPN1rYaIA+ijp9OZcUmUCoQOtZ76pOlFbi15FlLJY=
+github.com/golangci/golangci-lint v1.61.0 h1:VvbOLaRVWmyxCnUIMTbf1kDsaJbTzH20FAMXTAlQGu8=
+github.com/golangci/golangci-lint v1.61.0/go.mod h1:e4lztIrJJgLPhWvFPDkhiMwEFRrWlmFbrZea3FsJyN8=
+github.com/golangci/golangci-lint v1.62.0 h1:/G0g+bi1BhmGJqLdNQkKBWjcim8HjOPc4tsKuHDOhcI=
+github.com/golangci/golangci-lint v1.62.0/go.mod h1:jtoOhQcKTz8B6dGNFyfQV3WZkQk+YvBDewDtNpiAJts=
+github.com/golangci/golangci-lint v1.64.2 h1:+os/Y7xzFKmVfYRzYayEpVItp/8eTR4VDODaCgcGOHA=
+github.com/golangci/golangci-lint v1.64.2/go.mod h1:NTiG5Pmn7rkG6TuTPLcyT18Qbfijzcwir4NRiOoVcpw=
 github.com/golangci/misspell v0.4.1 h1:+y73iSicVy2PqyX7kmUefHusENlrP9YwuHZHPLGQj/g=
 github.com/golangci/misspell v0.4.1/go.mod h1:9mAN1quEo3DlpbaIKKyEvRxK1pwqR9s/Sea1bJCtlNI=
 github.com/golangci/misspell v0.5.1 h1:/SjR1clj5uDjNLwYzCahHwIOPmQgoH04AyQIiWGbhCM=
@@ -262,6 +363,8 @@ github.com/golangci/revgrep v0.5.2 h1:EndcWoRhcnfj2NHQ+28hyuXpLMF+dQmCN+YaeeIl4F
 github.com/golangci/revgrep v0.5.2/go.mod h1:bjAMA+Sh/QUfTDcHzxfyHxr4xKvllVr/0sCv2e7jJHA=
 github.com/golangci/revgrep v0.5.3 h1:3tL7c1XBMtWHHqVpS5ChmiAAoe4PF/d5+ULzV9sLAzs=
 github.com/golangci/revgrep v0.5.3/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
+github.com/golangci/revgrep v0.8.0 h1:EZBctwbVd0aMeRnNUsFogoyayvKHyxlV3CdUA46FX2s=
+github.com/golangci/revgrep v0.8.0/go.mod h1:U4R/s9dlXZsg8uJmaR1GrloUr14D7qDl8gi2iPXJH8k=
 github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed h1:IURFTjxeTfNFP0hTEi1YKjB/ub8zkpaOqFFMApi2EAs=
 github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed/go.mod h1:XLXN8bNw4CGRPaqgl3bv/lhz7bsGPh4/xSaMTbo2vkQ=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -305,6 +408,8 @@ github.com/gostaticanalysis/forcetypeassert v0.1.0/go.mod h1:qZEedyP/sY1lTGV1uJ3
 github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3Uqrmrcpk=
 github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A=
 github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M=
+github.com/hashicorp/go-immutable-radix/v2 v2.1.0 h1:CUW5RYIcysz+D3B+l1mDeXrQ7fUvGGCwJfdASSzbrfo=
+github.com/hashicorp/go-immutable-radix/v2 v2.1.0/go.mod h1:hgdqLXA4f6NIjRVisM1TJ9aOJVNRqKZj+xDGF6m7PBw=
 github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
@@ -312,6 +417,8 @@ github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKe
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -331,6 +438,10 @@ github.com/jjti/go-spancheck v0.5.3 h1:vfq4s2IB8T3HvbpiwDTYgVPj1Ze/ZSXrTtaZRTc7C
 github.com/jjti/go-spancheck v0.5.3/go.mod h1:eQdOX1k3T+nAKvZDyLC3Eby0La4dZ+I19iOl5NzSPFE=
 github.com/jjti/go-spancheck v0.6.1 h1:ZK/wE5Kyi1VX3PJpUO2oEgeoI4FWOUm7Shb2Gbv5obI=
 github.com/jjti/go-spancheck v0.6.1/go.mod h1:vF1QkOO159prdo6mHRxak2CpzDpHAfKiPUDP/NeRnX8=
+github.com/jjti/go-spancheck v0.6.2 h1:iYtoxqPMzHUPp7St+5yA8+cONdyXD3ug6KK15n7Pklk=
+github.com/jjti/go-spancheck v0.6.2/go.mod h1:+X7lvIrR5ZdUTkxFYqzJ0abr8Sb5LOo80uOhWNqIrYA=
+github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpRRc=
+github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -342,12 +453,18 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/julz/importas v0.1.0 h1:F78HnrsjY3cR7j0etXy5+TU1Zuy7Xt08X/1aJnH5xXY=
 github.com/julz/importas v0.1.0/go.mod h1:oSFU2R4XK/P7kNBrnL/FEQlDGN1/6WoxXEjSSXO0DV0=
+github.com/julz/importas v0.2.0 h1:y+MJN/UdL63QbFJHws9BVC5RpA2iq0kpjrFajTGivjQ=
+github.com/julz/importas v0.2.0/go.mod h1:pThlt589EnCYtMnmhmRYY/qn9lCf/frPOK+WMx3xiJY=
 github.com/karamaru-alpha/copyloopvar v1.0.8 h1:gieLARwuByhEMxRwM3GRS/juJqFbLraftXIKDDNJ50Q=
 github.com/karamaru-alpha/copyloopvar v1.0.8/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
 github.com/karamaru-alpha/copyloopvar v1.1.0 h1:x7gNyKcC2vRBO1H2Mks5u1VxQtYvFiym7fCjIP8RPos=
 github.com/karamaru-alpha/copyloopvar v1.1.0/go.mod h1:u7CIfztblY0jZLOQZgH3oYsJzpC2A7S6u/lfgSXHy0k=
+github.com/karamaru-alpha/copyloopvar v1.2.1 h1:wmZaZYIjnJ0b5UoKDjUHrikcV0zuPyyxI4SVplLd2CI=
+github.com/karamaru-alpha/copyloopvar v1.2.1/go.mod h1:nFmMlFNlClC2BPvNaHMdkirmTJxVCY0lhxBtlfOypMM=
 github.com/kisielk/errcheck v1.7.0 h1:+SbscKmWJ5mOK/bO1zS60F5I9WwZDWOfRsC4RwfwRV0=
 github.com/kisielk/errcheck v1.7.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
+github.com/kisielk/errcheck v1.8.0 h1:ZX/URYa7ilESY19ik/vBmCn6zdGQLxACwjAcWbHlYlg=
+github.com/kisielk/errcheck v1.8.0/go.mod h1:1kLL+jV4e+CFfueBmI1dSK2ADDyQnlrnrY/FqKluHJQ=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/kkHAIKE/contextcheck v1.1.4 h1:B6zAaLhOEEcjvUgIYEqystmnFk1Oemn8bvJhbt0GMb8=
 github.com/kkHAIKE/contextcheck v1.1.4/go.mod h1:1+i/gWqokIa+dm31mqGLZhZJ7Uh44DJGZVmr6QRBNJg=
@@ -367,12 +484,24 @@ github.com/kyoh86/exportloopref v0.1.11 h1:1Z0bcmTypkL3Q4k+IDHMWTcnCliEZcaPiIe0/
 github.com/kyoh86/exportloopref v0.1.11/go.mod h1:qkV4UF1zGl6EkF1ox8L5t9SwyeBAZ3qLMd6up458uqA=
 github.com/lasiar/canonicalheader v1.1.1 h1:wC+dY9ZfiqiPwAexUApFush/csSPXeIi4QqyxXmng8I=
 github.com/lasiar/canonicalheader v1.1.1/go.mod h1:cXkb3Dlk6XXy+8MVQnF23CYKWlyA7kfQhSw2CcZtZb0=
+github.com/lasiar/canonicalheader v1.1.2 h1:vZ5uqwvDbyJCnMhmFYimgMZnJMjwljN5VGY0VKbMXb4=
+github.com/lasiar/canonicalheader v1.1.2/go.mod h1:qJCeLFS0G/QlLQ506T+Fk/fWMa2VmBUiEI2cuMK4djI=
+github.com/ldez/exptostd v0.4.1 h1:DIollgQ3LWZMp3HJbSXsdE2giJxMfjyHj3eX4oiD6JU=
+github.com/ldez/exptostd v0.4.1/go.mod h1:iZBRYaUmcW5jwCR3KROEZ1KivQQp6PHXbDPk9hqJKCQ=
 github.com/ldez/gomoddirectives v0.2.3 h1:y7MBaisZVDYmKvt9/l1mjNCiSA1BVn34U0ObUcJwlhA=
 github.com/ldez/gomoddirectives v0.2.3/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0=
 github.com/ldez/gomoddirectives v0.2.4 h1:j3YjBIjEBbqZ0NKtBNzr8rtMHTOrLPeiwTkfUJZ3alg=
 github.com/ldez/gomoddirectives v0.2.4/go.mod h1:oWu9i62VcQDYp9EQ0ONTfqLNh+mDLWWDO+SO0qSQw5g=
+github.com/ldez/gomoddirectives v0.6.1 h1:Z+PxGAY+217f/bSGjNZr/b2KTXcyYLgiWI6geMBN2Qc=
+github.com/ldez/gomoddirectives v0.6.1/go.mod h1:cVBiu3AHR9V31em9u2kwfMKD43ayN5/XDgr+cdaFaKs=
+github.com/ldez/grignotin v0.9.0 h1:MgOEmjZIVNn6p5wPaGp/0OKWyvq42KnzAt/DAb8O4Ow=
+github.com/ldez/grignotin v0.9.0/go.mod h1:uaVTr0SoZ1KBii33c47O1M8Jp3OP3YDwhZCmzT9GHEk=
 github.com/ldez/tagliatelle v0.5.0 h1:epgfuYt9v0CG3fms0pEgIMNPuFf/LpPIfjk4kyqSioo=
 github.com/ldez/tagliatelle v0.5.0/go.mod h1:rj1HmWiL1MiKQuOONhd09iySTEkUuE/8+5jtPYz9xa4=
+github.com/ldez/tagliatelle v0.7.1 h1:bTgKjjc2sQcsgPiT902+aadvMjCeMHrY7ly2XKFORIk=
+github.com/ldez/tagliatelle v0.7.1/go.mod h1:3zjxUpsNB2aEZScWiZTHrAXOl1x25t3cRmzfK1mlo2I=
+github.com/ldez/usetesting v0.4.2 h1:J2WwbrFGk3wx4cZwSMiCQQ00kjGR0+tuuyW0Lqm4lwA=
+github.com/ldez/usetesting v0.4.2/go.mod h1:eEs46T3PpQ+9RgN9VjpY6qWdiw2/QmfiDeWmdZdrjIQ=
 github.com/leonklingele/grouper v1.1.1 h1:suWXRU57D4/Enn6pXR0QVqqWWrnJ9Osrz+5rjt8ivzU=
 github.com/leonklingele/grouper v1.1.1/go.mod h1:uk3I3uDfi9B6PeUjsCKi6ndcf63Uy7snXgR4yDYQVDY=
 github.com/leonklingele/grouper v1.1.2 h1:o1ARBDLOmmasUaNDesWqWCIFH3u7hoFlM84YrjT3mIY=
@@ -389,18 +518,30 @@ github.com/maratori/testpackage v1.1.1 h1:S58XVV5AD7HADMmD0fNnziNHqKvSdDuEKdPD1r
 github.com/maratori/testpackage v1.1.1/go.mod h1:s4gRK/ym6AMrqpOa/kEbQTV4Q4jb7WeLZzVhVVVOQMc=
 github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 h1:gWg6ZQ4JhDfJPqlo2srm/LN17lpybq15AryXIRcWYLE=
 github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26/go.mod h1:1BELzlh859Sh1c6+90blK8lbYy0kwQf1bYlBhBysy1s=
+github.com/matoous/godox v1.1.0 h1:W5mqwbyWrwZv6OQ5Z1a/DHGMOvXYCBP3+Ht7KMoJhq4=
+github.com/matoous/godox v1.1.0/go.mod h1:jgE/3fUXiTurkdHOLT5WEkThTSuE7yxHv5iWPa80afs=
 github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgechev/revive v1.3.7 h1:502QY0vQGe9KtYJ9FpxMz9rL+Fc/P13CI5POL4uHCcE=
 github.com/mgechev/revive v1.3.7/go.mod h1:RJ16jUbF0OWC3co/+XTxmFNgEpUPwnnA0BRllX2aDNA=
+github.com/mgechev/revive v1.3.9 h1:18Y3R4a2USSBF+QZKFQwVkBROUda7uoBlkEuBD+YD1A=
+github.com/mgechev/revive v1.3.9/go.mod h1:+uxEIr5UH0TjXWHTno3xh4u7eg6jDpXKzQccA9UGhHU=
+github.com/mgechev/revive v1.5.0 h1:oaSmjA7rP8+HyoRuCgC531VHwnLH1AlJdjj+1AnQceQ=
+github.com/mgechev/revive v1.5.0/go.mod h1:L6T3H8EoerRO86c7WuGpvohIUmiploGiyoYbtIWFmV8=
+github.com/mgechev/revive v1.6.0 h1:NsdaDzYcWZd3ikrWbdbFsvk+DvEAmP6A21LAdZEomZg=
+github.com/mgechev/revive v1.6.0/go.mod h1:YpafN9JKjfKxG/UDGUHU1kPJKalHx7fHIgclT04SjBs=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -412,6 +553,8 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/moricho/tparallel v0.3.1 h1:fQKD4U1wRMAYNngDonW5XupoB/ZGJHdpzrWqgyg9krA=
 github.com/moricho/tparallel v0.3.1/go.mod h1:leENX2cUv7Sv2qDgdi0D0fCftN8fRC67Bcn8pqzeYNI=
+github.com/moricho/tparallel v0.3.2 h1:odr8aZVFA3NZrNybggMkYO3rgPRcqjeQUlBBFVxKHTI=
+github.com/moricho/tparallel v0.3.2/go.mod h1:OQ+K3b4Ln3l2TZveGCywybl68glfLEwFGqvnjok8b+U=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/nakabonne/nestif v0.3.1 h1:wm28nZjhQY5HyYPx+weN3Q65k6ilSBxDb8v5S81B81U=
@@ -424,6 +567,10 @@ github.com/nunnatsa/ginkgolinter v0.16.1 h1:uDIPSxgVHZ7PgbJElRDGzymkXH+JaF7mjew+
 github.com/nunnatsa/ginkgolinter v0.16.1/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
 github.com/nunnatsa/ginkgolinter v0.16.2 h1:8iLqHIZvN4fTLDC0Ke9tbSZVcyVHoBs0HIbnVSxfHJk=
 github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5nYRAOfJDQUS9dOQ=
+github.com/nunnatsa/ginkgolinter v0.18.0 h1:ZXO1wKhPg3A6LpbN5dMuqwhfOjN5c3ous8YdKOuqk9k=
+github.com/nunnatsa/ginkgolinter v0.18.0/go.mod h1:vPrWafSULmjMGCMsfGA908if95VnHQNAahvSBOjTuWs=
+github.com/nunnatsa/ginkgolinter v0.18.4 h1:zmX4KUR+6fk/vhUFt8DOP6KwznekhkmVSzzVJve2vyM=
+github.com/nunnatsa/ginkgolinter v0.18.4/go.mod h1:AMEane4QQ6JwFz5GgjI5xLUM9S/CylO+UyM97fN2iBI=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
@@ -437,6 +584,8 @@ github.com/pelletier/go-toml/v2 v2.2.0 h1:QLgLl2yMN7N+ruc31VynXs1vhMZa7CeHHejIeB
 github.com/pelletier/go-toml/v2 v2.2.0/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
 github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -448,6 +597,10 @@ github.com/polyfloyd/go-errorlint v1.5.1 h1:5gHxDjLyyWij7fhfrjYNNlHsUNQeyx0LFQKU
 github.com/polyfloyd/go-errorlint v1.5.1/go.mod h1:sH1QC1pxxi0fFecsVIzBmxtrgd9IF/SkJpA6wqyKAJs=
 github.com/polyfloyd/go-errorlint v1.5.2 h1:SJhVik3Umsjh7mte1vE0fVZ5T1gznasQG3PV7U5xFdA=
 github.com/polyfloyd/go-errorlint v1.5.2/go.mod h1:sH1QC1pxxi0fFecsVIzBmxtrgd9IF/SkJpA6wqyKAJs=
+github.com/polyfloyd/go-errorlint v1.6.0 h1:tftWV9DE7txiFzPpztTAwyoRLKNj9gpVm2cg8/OwcYY=
+github.com/polyfloyd/go-errorlint v1.6.0/go.mod h1:HR7u8wuP1kb1NeN1zqTd1ZMlqUKPPHF+Id4vIPvDqVw=
+github.com/polyfloyd/go-errorlint v1.7.1 h1:RyLVXIbosq1gBdk/pChWA8zWYLsq9UEw7a1L5TVMCnA=
+github.com/polyfloyd/go-errorlint v1.7.1/go.mod h1:aXjNb1x2TNhoLsk26iv1yl7a+zTnXPhwEMtEXukiLR8=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
@@ -472,6 +625,8 @@ github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs=
 github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
+github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1 h1:+Wl/0aFp0hpuHM3H//KMft64WQ1yX9LdJY64Qm/gFCo=
+github.com/quasilyte/go-ruleguard v0.4.3-0.20240823090925-0fe6f58b47b1/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/quasilyte/gogrep v0.5.0 h1:eTKODPXbI8ffJMN+W2aE0+oL0z/nh8/5eNdiO34SOAo=
@@ -480,28 +635,55 @@ github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 h1:TCg2WBOl
 github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4lu7Gd+PU1fV2/qnDNfzT635KRSObncs=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ=
+github.com/raeperd/recvcheck v0.1.2 h1:SjdquRsRXJc26eSonWIo8b7IMtKD3OAT2Lb5G3ZX1+4=
+github.com/raeperd/recvcheck v0.1.2/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU=
+github.com/raeperd/recvcheck v0.2.0 h1:GnU+NsbiCqdC2XX5+vMZzP+jAJC5fht7rcVTAhX74UI=
+github.com/raeperd/recvcheck v0.2.0/go.mod h1:n04eYkwIR0JbgD73wT8wL4JjPC3wm0nFtzBnWNocnYU=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.3.1 h1:fH+fUg+ngsQO0ruZXXHnA/2aNllWA1whly4a6UvyzGE=
 github.com/ryancurrah/gomodguard v1.3.1/go.mod h1:DGFHzEhi6iJ0oIDfMuo3TgrS+L9gZvrEfmjjuelnRU0=
 github.com/ryancurrah/gomodguard v1.3.2 h1:CuG27ulzEB1Gu5Dk5gP8PFxSOZ3ptSdP5iI/3IXxM18=
 github.com/ryancurrah/gomodguard v1.3.2/go.mod h1:LqdemiFomEjcxOqirbQCb3JFvSxH2JUYMerTFd3sF2o=
+github.com/ryancurrah/gomodguard v1.3.3 h1:eiSQdJVNr9KTNxY2Niij8UReSwR8Xrte3exBrAZfqpg=
+github.com/ryancurrah/gomodguard v1.3.3/go.mod h1:rsKQjj4l3LXe8N344Ow7agAy5p9yjsWOtRzUMYmA0QY=
+github.com/ryancurrah/gomodguard v1.3.5 h1:cShyguSwUEeC0jS7ylOiG/idnd1TpJ1LfHGpV3oJmPU=
+github.com/ryancurrah/gomodguard v1.3.5/go.mod h1:MXlEPQRxgfPQa62O8wzK3Ozbkv9Rkqr+wKjSxTdsNJE=
 github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9fJfSfdyCU=
 github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
 github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
 github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
+github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
+github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/sashamelentyev/interfacebloat v1.1.0 h1:xdRdJp0irL086OyW1H/RTZTr1h/tMEOsumirXcOJqAw=
 github.com/sashamelentyev/interfacebloat v1.1.0/go.mod h1:+Y9yU5YdTkrNvoX0xHc84dxiN1iBi9+G8zZIhPVoNjQ=
 github.com/sashamelentyev/usestdlibvars v1.25.0 h1:IK8SI2QyFzy/2OD2PYnhy84dpfNo9qADrRt6LH8vSzU=
 github.com/sashamelentyev/usestdlibvars v1.25.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
 github.com/sashamelentyev/usestdlibvars v1.26.0 h1:LONR2hNVKxRmzIrZR0PhSF3mhCAzvnr+DcUiHgREfXE=
 github.com/sashamelentyev/usestdlibvars v1.26.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
+github.com/sashamelentyev/usestdlibvars v1.27.0 h1:t/3jZpSXtRPRf2xr0m63i32ZrusyurIGT9E5wAvXQnI=
+github.com/sashamelentyev/usestdlibvars v1.27.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
+github.com/sashamelentyev/usestdlibvars v1.28.0 h1:jZnudE2zKCtYlGzLVreNp5pmCdOxXUzwsMDBkR21cyQ=
+github.com/sashamelentyev/usestdlibvars v1.28.0/go.mod h1:9nl0jgOfHKWNFS43Ojw0i7aRoS4j6EBye3YBhmAIRF8=
 github.com/securego/gosec/v2 v2.19.0 h1:gl5xMkOI0/E6Hxx0XCY2XujA3V7SNSefA8sC+3f1gnk=
 github.com/securego/gosec/v2 v2.19.0/go.mod h1:hOkDcHz9J/XIgIlPDXalxjeVYsHxoWUc5zJSHxcB8YM=
 github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 h1:rnO6Zp1YMQwv8AyxzuwsVohljJgp4L0ZqiCgtACsPsc=
 github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9/go.mod h1:dg7lPlu/xK/Ut9SedURCoZbVCR4yC7fM65DtH9/CDHs=
+github.com/securego/gosec/v2 v2.21.2 h1:deZp5zmYf3TWwU7A7cR2+SolbTpZ3HQiwFqnzQyEl3M=
+github.com/securego/gosec/v2 v2.21.2/go.mod h1:au33kg78rNseF5PwPnTWhuYBFf534bvJRvOrgZ/bFzU=
+github.com/securego/gosec/v2 v2.21.4 h1:Le8MSj0PDmOnHJgUATjD96PaXRvCpKC+DGJvwyy0Mlk=
+github.com/securego/gosec/v2 v2.21.4/go.mod h1:Jtb/MwRQfRxCXyCm1rfM1BEiiiTfUOdyzzAhlr6lUTA=
+github.com/securego/gosec/v2 v2.22.0 h1:bV/Ii5YSQtbobXuIFBXrfr91l5N4qslEdFHE9E0I/10=
+github.com/securego/gosec/v2 v2.22.0/go.mod h1:sR5n3LzZ/52rn4xxRBJk38iPe/hjiA0CkVcyiAHNCrM=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqPQ0YvHYKwcMEMVWIzWC5iNQQfBTU=
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
@@ -515,26 +697,40 @@ github.com/sivchari/containedctx v1.0.3 h1:x+etemjbsh2fB5ewm5FeLNi5bUjK0V8n0RB+W
 github.com/sivchari/containedctx v1.0.3/go.mod h1:c1RDvCbnJLtH4lLcYD/GqwiBSSf4F5Qk0xld2rBqzJ4=
 github.com/sivchari/tenv v1.7.1 h1:PSpuD4bu6fSmtWMxSGWcvqUUgIn7k3yOJhOIzVWn8Ak=
 github.com/sivchari/tenv v1.7.1/go.mod h1:64yStXKSOxDfX47NlhVwND4dHwfZDdbp2Lyl018Icvg=
+github.com/sivchari/tenv v1.10.0 h1:g/hzMA+dBCKqGXgW8AV/1xIWhAvDrx0zFKNR48NFMg0=
+github.com/sivchari/tenv v1.10.0/go.mod h1:tdY24masnVoZFxYrHv/nD6Tc8FbkEtAQEEziXpyMgqY=
+github.com/sivchari/tenv v1.12.1 h1:+E0QzjktdnExv/wwsnnyk4oqZBUfuh89YMQT1cyuvSY=
+github.com/sivchari/tenv v1.12.1/go.mod h1:1LjSOUCc25snIr5n3DtGGrENhX3LuWefcplwVGC24mw=
 github.com/sonatard/noctx v0.0.2 h1:L7Dz4De2zDQhW8S0t+KUjY0MAQJd6SgVwhzNIc4ok00=
 github.com/sonatard/noctx v0.0.2/go.mod h1:kzFz+CzWSjQ2OzIm46uJZoXuBpa2+0y3T36U18dWqIo=
+github.com/sonatard/noctx v0.1.0 h1:JjqOc2WN16ISWAjAk8M5ej0RfExEXtkEyExl2hLW+OM=
+github.com/sonatard/noctx v0.1.0/go.mod h1:0RvBxqY8D4j9cTTTWE8ylt2vqj2EPI8fHmrxHdsaZ2c=
 github.com/sourcegraph/go-diff v0.7.0 h1:9uLlrd5T46OXs5qpp8L/MTltk0zikUGi0sNNyCpA8G0=
 github.com/sourcegraph/go-diff v0.7.0/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
+github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
 github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
 github.com/ssgreg/nlreturn/v2 v2.2.1 h1:X4XDI7jstt3ySqGU86YGAURbxw3oTDPK9sPEi6YEwQ0=
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
 github.com/stbenjam/no-sprintf-host-port v0.1.1 h1:tYugd/yrm1O0dV+ThCbaKZh195Dfm07ysF0U6JQXczc=
 github.com/stbenjam/no-sprintf-host-port v0.1.1/go.mod h1:TLhvtIvONRzdmkFiio4O8LHsN9N74I+PhRquPsxpL0I=
+github.com/stbenjam/no-sprintf-host-port v0.2.0 h1:i8pxvGrt1+4G0czLr/WnmyH7zbZ8Bg8etvARQ1rpyl4=
+github.com/stbenjam/no-sprintf-host-port v0.2.0/go.mod h1:eL0bQ9PasS0hsyTyfTjjG+E80QIyPnBVQbYZyv20Jfk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -551,32 +747,62 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplBwWcHBo6q9xrfWdMrT9o4kltkmmvpemgIjep/8=
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tdakkota/asciicheck v0.2.0 h1:o8jvnUANo0qXtnslk2d3nMKTFNlOnJjRrNcj0j9qkHM=
 github.com/tdakkota/asciicheck v0.2.0/go.mod h1:Qb7Y9EgjCLJGup51gDHFzbI08/gbGhL/UVhYIPWG2rg=
+github.com/tdakkota/asciicheck v0.3.0 h1:LqDGgZdholxZMaJgpM6b0U9CFIjDCbFdUF00bDnBKOQ=
+github.com/tdakkota/asciicheck v0.3.0/go.mod h1:KoJKXuX/Z/lt6XzLo8WMBfQGzak0SrAKZlvRr4tg8Ac=
 github.com/tenntenn/modver v1.0.1/go.mod h1:bePIyQPb7UeioSRkw3Q0XeMhYZSMx9B8ePqg6SAMGH0=
 github.com/tenntenn/text/transform v0.0.0-20200319021203-7eef512accb3/go.mod h1:ON8b8w4BN/kE1EOhwT0o+d62W65a6aPw1nouo9LMgyY=
 github.com/tetafro/godot v1.4.16 h1:4ChfhveiNLk4NveAZ9Pu2AN8QZ2nkUGFuadM9lrr5D0=
 github.com/tetafro/godot v1.4.16/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
+github.com/tetafro/godot v1.4.17 h1:pGzu+Ye7ZUEFx7LHU0dAKmCOXWsPjl7qA6iMGndsjPs=
+github.com/tetafro/godot v1.4.17/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
+github.com/tetafro/godot v1.4.18 h1:ouX3XGiziKDypbpXqShBfnNLTSjR8r3/HVzrtJ+bHlI=
+github.com/tetafro/godot v1.4.18/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
+github.com/tetafro/godot v1.4.20 h1:z/p8Ek55UdNvzt4TFn2zx2KscpW4rWqcnUrdmvWJj7E=
+github.com/tetafro/godot v1.4.20/go.mod h1:2oVxTBSftRTh4+MVfUaUXR6bn2GDXCaMcOG4Dk3rfio=
 github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 h1:quvGphlmUVU+nhpFa4gg4yJyTRJ13reZMDHrKwYw53M=
 github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966/go.mod h1:27bSVNWSBOHm+qRp1T9qzaIpsWEP6TbUnei/43HK+PQ=
+github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3 h1:y4mJRFlM6fUyPhoXuFg/Yu02fg/nIPFMOY8tOqppoFg=
+github.com/timakin/bodyclose v0.0.0-20241017074812-ed6a65f985e3/go.mod h1:mkjARE7Yr8qU23YcGMSALbIxTQ9r9QBVahQOBRfU460=
 github.com/timonwong/loggercheck v0.9.4 h1:HKKhqrjcVj8sxL7K77beXh0adEm6DLjV/QOGeMXEVi4=
 github.com/timonwong/loggercheck v0.9.4/go.mod h1:caz4zlPcgvpEkXgVnAJGowHAMW2NwHaNlpS8xDbVhTg=
+github.com/timonwong/loggercheck v0.10.1 h1:uVZYClxQFpw55eh+PIoqM7uAOHMrhVcDoWDery9R8Lg=
+github.com/timonwong/loggercheck v0.10.1/go.mod h1:HEAWU8djynujaAVX7QI65Myb8qgfcZ1uKbdpg3ZzKl8=
 github.com/tomarrell/wrapcheck/v2 v2.8.3 h1:5ov+Cbhlgi7s/a42BprYoxsr73CbdMUTzE3bRDFASUs=
 github.com/tomarrell/wrapcheck/v2 v2.8.3/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
+github.com/tomarrell/wrapcheck/v2 v2.9.0 h1:801U2YCAjLhdN8zhZ/7tdjB3EnAoRlJHt/s+9hijLQ4=
+github.com/tomarrell/wrapcheck/v2 v2.9.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
+github.com/tomarrell/wrapcheck/v2 v2.10.0 h1:SzRCryzy4IrAH7bVGG4cK40tNUhmVmMDuJujy4XwYDg=
+github.com/tomarrell/wrapcheck/v2 v2.10.0/go.mod h1:g9vNIyhb5/9TQgumxQyOEqDHsmGYcGsVMOx/xGkqdMo=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1 h1:NowYhSdyE/1zwK9QCLeRb6USWdoif80Ie+v+yU8u1Zw=
 github.com/tommy-muehle/go-mnd/v2 v2.5.1/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
 github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
 github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
+github.com/ultraware/funlen v0.2.0 h1:gCHmCn+d2/1SemTdYMiKLAHFYxTYz7z9VIDRaTGyLkI=
+github.com/ultraware/funlen v0.2.0/go.mod h1:ZE0q4TsJ8T1SQcjmkhN/w+MceuatI6pBFSxxyteHIJA=
 github.com/ultraware/whitespace v0.1.0 h1:O1HKYoh0kIeqE8sFqZf1o0qbORXUCOQFrlaQyZsczZw=
 github.com/ultraware/whitespace v0.1.0/go.mod h1:/se4r3beMFNmewJ4Xmz0nMQ941GJt+qmSHGP9emHYe0=
 github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/Gk8VQ=
 github.com/ultraware/whitespace v0.1.1/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
+github.com/ultraware/whitespace v0.2.0 h1:TYowo2m9Nfj1baEQBjuHzvMRbp19i+RCcRYrSWoFa+g=
+github.com/ultraware/whitespace v0.2.0/go.mod h1:XcP1RLD81eV4BW8UhQlpaR+SDc2givTvyI8a586WjW8=
 github.com/uudashr/gocognit v1.1.2 h1:l6BAEKJqQH2UpKAPKdMfZf5kE4W/2xk8pfU1OVLvniI=
 github.com/uudashr/gocognit v1.1.2/go.mod h1:aAVdLURqcanke8h3vg35BC++eseDm66Z7KmchI5et4k=
+github.com/uudashr/gocognit v1.1.3 h1:l+a111VcDbKfynh+airAy/DJQKaXh2m9vkoysMPSZyM=
+github.com/uudashr/gocognit v1.1.3/go.mod h1:aKH8/e8xbTRBwjbCkwZ8qt4l2EpKXl31KMHgSS+lZ2U=
+github.com/uudashr/gocognit v1.2.0 h1:3BU9aMr1xbhPlvJLSydKwdLN3tEUUrzPSSM8S4hDYRA=
+github.com/uudashr/gocognit v1.2.0/go.mod h1:k/DdKPI6XBZO1q7HgoV2juESI2/Ofj9AcHPZhBBdrTU=
+github.com/uudashr/iface v1.2.0 h1:ECJjh5q/1Zmnv/2yFpWV6H3oMg5+Mo+vL0aqw9Gjazo=
+github.com/uudashr/iface v1.2.0/go.mod h1:Ux/7d/rAF3owK4m53cTVXL4YoVHKNqnoOeQHn2xrlp0=
+github.com/uudashr/iface v1.3.1 h1:bA51vmVx1UIhiIsQFSNq6GZ6VPTk3WNMZgRiCe9R29U=
+github.com/uudashr/iface v1.3.1/go.mod h1:4QvspiRd3JLPAEXBQ9AiZpLbJlrWWgRChOKDJEuQTdg=
 github.com/xen0n/gosmopolitan v1.2.2 h1:/p2KTnMzwRexIW8GlKawsTWOxn7UHA+jCMF/V8HHtvU=
 github.com/xen0n/gosmopolitan v1.2.2/go.mod h1:7XX7Mj61uLYrj0qmeN0zi7XDon9JRAEhYQqAPLVNTeg=
 github.com/yagipy/maintidx v1.0.0 h1:h5NvIsCz+nRDapQ0exNv4aJ0yXSI0420omVANTv3GJM=
@@ -602,12 +828,18 @@ go-simpler.org/musttag v0.9.0 h1:Dzt6/tyP9ONr5g9h9P3cnYWCxeBFRkd0uJL/w+1Mxos=
 go-simpler.org/musttag v0.9.0/go.mod h1:gA9nThnalvNSKpEoyp3Ko4/vCX2xTpqKoUtNqXOnVR4=
 go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs=
 go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM=
+go-simpler.org/musttag v0.13.0 h1:Q/YAW0AHvaoaIbsPj3bvEI5/QFP7w696IMUpnKXQfCE=
+go-simpler.org/musttag v0.13.0/go.mod h1:FTzIGeK6OkKlUDVpj0iQUXZLUO1Js9+mvykDQy9C5yM=
 go-simpler.org/sloglint v0.5.0 h1:2YCcd+YMuYpuqthCgubcF5lBSjb6berc5VMOYUHKrpY=
 go-simpler.org/sloglint v0.5.0/go.mod h1:EUknX5s8iXqf18KQxKnaBHUPVriiPnOrPjjJcsaTcSQ=
 go-simpler.org/sloglint v0.7.0 h1:rMZRxD9MbaGoRFobIOicMxZzum7AXNFDlez6xxJs5V4=
 go-simpler.org/sloglint v0.7.0/go.mod h1:g9SXiSWY0JJh4LS39/Q0GxzP/QX2cVcbTOYhDpXrJEs=
 go-simpler.org/sloglint v0.7.1 h1:qlGLiqHbN5islOxjeLXoPtUdZXb669RW+BDQ+xOSNoU=
 go-simpler.org/sloglint v0.7.1/go.mod h1:OlaVDRh/FKKd4X4sIMbsz8st97vomydceL146Fthh/c=
+go-simpler.org/sloglint v0.7.2 h1:Wc9Em/Zeuu7JYpl+oKoYOsQSy2X560aVueCW/m6IijY=
+go-simpler.org/sloglint v0.7.2/go.mod h1:US+9C80ppl7VsThQclkM7BkCHQAzuz8kHLsW3ppuluo=
+go-simpler.org/sloglint v0.9.0 h1:/40NQtjRx9txvsB/RN022KsUJU+zaaSb/9q9BSefSrE=
+go-simpler.org/sloglint v0.9.0/go.mod h1:G/OrAF6uxj48sHahCzrbarVMptL2kjWTaUeC8+fOGww=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
@@ -617,6 +849,8 @@ go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
 go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
@@ -641,10 +875,18 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc h1:ao2WRsKSzW6KuUY9IWPwWahcHCgR0s52IfwutMfEbdM=
 golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk=
+golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
+golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0 h1:bVwtbF629Xlyxk6xLQq2TDYmqP0uiWaet5LwRebuY0k=
+golang.org/x/exp/typeparams v0.0.0-20240909161429-701f63a606c0/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f h1:WTyX8eCCyfdqiPYkRGm0MqElSfYFH3yR1+rl/mct9sA=
+golang.org/x/exp/typeparams v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -679,6 +921,14 @@ golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
 golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
+golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
+golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -740,6 +990,12 @@ golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -800,6 +1056,14 @@ golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
+golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -820,6 +1084,10 @@ golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
+golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -890,6 +1158,12 @@ golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
 golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA=
 golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c=
+golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
+golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=
+golang.org/x/tools v0.27.0 h1:qEKojBykQkQ4EynWy4S8Weg69NumxKdn40Fce3uc/8o=
+golang.org/x/tools v0.27.0/go.mod h1:sUi0ZgbwW9ZPAq26Ekut+weQPR5eIM6GQLQ1Yjm1H0Q=
+golang.org/x/tools v0.30.0 h1:BgcpHewrV5AUp2G9MebG4XPFI1E2W41zU1SaqVA9vJY=
+golang.org/x/tools v0.30.0/go.mod h1:c347cR/OJfw5TI+GfX7RUPNMdDRRbjvYTS0jPyvsVtY=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -971,6 +1245,10 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.36.1 h1:yBPeRvTftaleIgM3PZ/WBIZ7XM/eEYAaEyCwvyjq/gk=
+google.golang.org/protobuf v1.36.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -997,8 +1275,16 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
 honnef.co/go/tools v0.4.7/go.mod h1:+rnGS1THNh8zMwnd2oVOTL9QF6vmfyG6ZXBULae2uc0=
+honnef.co/go/tools v0.5.0 h1:29uoiIormS3Z6R+t56STz/oI4v+mB51TSmEOdJPgRnE=
+honnef.co/go/tools v0.5.0/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
+honnef.co/go/tools v0.5.1 h1:4bH5o3b5ZULQ4UrBmP+63W9r7qIkqJClEA9ko5YKx+I=
+honnef.co/go/tools v0.5.1/go.mod h1:e9irvo83WDG9/irijV44wr3tbhcFeRnfpVlRqVwpzMs=
+honnef.co/go/tools v0.6.0 h1:TAODvD3knlq75WCp2nyGJtT4LeRV/o7NN9nYPeVJXf8=
+honnef.co/go/tools v0.6.0/go.mod h1:3puzxxljPCe8RGJX7BIy1plGbxEOZni5mR2aXe3/uk4=
 mvdan.cc/gofumpt v0.6.0 h1:G3QvahNDmpD+Aek/bNOLrFR2XC6ZAdo62dZu65gmwGo=
 mvdan.cc/gofumpt v0.6.0/go.mod h1:4L0wf+kgIPZtcCWXynNS2e6bhmj73umwnuXSZarixzA=
+mvdan.cc/gofumpt v0.7.0 h1:bg91ttqXmi9y2xawvkuMXyvAA/1ZGJqYAEGjXuP0JXU=
+mvdan.cc/gofumpt v0.7.0/go.mod h1:txVFJy/Sc/mvaycET54pV8SW8gWxTlUuGHVEcncmNUo=
 mvdan.cc/unparam v0.0.0-20240104100049-c549a3470d14 h1:zCr3iRRgdk5eIikZNDphGcM6KGVTx3Yu+/Uu9Es254w=
 mvdan.cc/unparam v0.0.0-20240104100049-c549a3470d14/go.mod h1:ZzZjEpJDOmx8TdVU6umamY3Xy0UAQUI2DHbf05USVbI=
 mvdan.cc/unparam v0.0.0-20240427195214-063aff900ca1 h1:Nykk7fggxChwLK4rUPYESzeIwqsuxXXlFEAh5YhaMRo=

.bingo/variables.env

@@ -14,7 +14,7 @@ CUE="${GOBIN}/cue-v0.5.0"
 
 DRONE="${GOBIN}/drone-v1.5.0"
 
-GOLANGCI_LINT="${GOBIN}/golangci-lint-v1.59.1"
+GOLANGCI_LINT="${GOBIN}/golangci-lint-v1.64.2"
 
 JB="${GOBIN}/jb-v0.5.1"
 

.drone.star

@@ -18,18 +18,10 @@ load(
     "publish_packages_pipeline",
 )
 load("scripts/drone/events/rrc-patch.star", "rrc_patch_pipelines")
-load(
-    "scripts/drone/pipelines/ci_images.star",
-    "publish_ci_windows_test_image_pipeline",
-)
 load(
     "scripts/drone/pipelines/publish_images.star",
     "publish_image_pipelines_public",
 )
-load(
-    "scripts/drone/pipelines/windows.star",
-    "windows_test_backend",
-)
 load(
     "scripts/drone/rgm.star",
     "rgm",
@@ -46,12 +38,7 @@ def main(_ctx):
         publish_npm_pipelines() +
         publish_packages_pipeline() +
         rgm() +
-        [windows_test_backend({
-            "event": ["promote"],
-            "target": ["test-windows"],
-        }, "oss", "testing")] +
         integration_test_pipelines() +
-        publish_ci_windows_test_image_pipeline() +
         cronjobs() +
         secrets()
     )

.github/CODEOWNERS

@@ -12,8 +12,8 @@
 # This should make it easy to add new rules without breaking existing ones.
 
 # Documentation
-/.changelog-archive @grafana/grafana-release-guild
-/CHANGELOG.md @grafana/grafana-release-guild
+/.changelog-archive @grafana/grafana-developer-enablement-squad
+/CHANGELOG.md @grafana/grafana-developer-enablement-squad
 /CODE_OF_CONDUCT.md @grafana/grafana-community-support
 /CONTRIBUTING.md @grafana/grafana-community-support
 /GOVERNANCE.md @RichiH
@@ -32,23 +32,17 @@
 /devenv/README.md @grafana/docs-grafana
 
 # START Technical documentation
+/.vale.ini @grafana/docs-tooling
 # `make docs` procedure and related workflows are owned @grafana/docs-tooling. Slack #docs.
 /docs/                                                                            @grafana/docs-tooling
 
-/docs/.codespellignore                                                            @grafana/docs-tooling
-/docs/sources/                                                                    @Eve832
+/docs/sources/                                                                    @irenerl24
 
-/docs/sources/administration/                                                     @jdbaldry
-/docs/sources/alerting/                                                           @brendamuir
+/docs/sources/alerting/                                                           @JohnnyK-Grafana
 /docs/sources/dashboards/                                                         @imatwawana
-/docs/sources/datasources/                                                        @jdbaldry
-/docs/sources/explore/                                                            @grafana/explore-squad @lwandz13
-/docs/sources/fundamentals                                                        @irenerl24
-/docs/sources/getting-started/                                                    @irenerl24
-/docs/sources/introduction/                                                       @irenerl24
+/docs/sources/datasources/                                                        @lwandz13
 /docs/sources/panels-visualizations/                                              @imatwawana
-/docs/sources/release-notes/                                                      @Eve832 @GrafanaWriter
-/docs/sources/setup-grafana/                                                      @irenerl24
+/docs/sources/release-notes/                                                      @irenerl24 @GrafanaWriter
 /docs/sources/upgrade-guide/                                                      @imatwawana
 /docs/sources/whatsnew/                                                           @imatwawana
 
@@ -63,22 +57,43 @@
 /go.work @grafana/grafana-app-platform-squad
 /go.work.sum @grafana/grafana-app-platform-squad
 /.bingo/ @grafana/grafana-backend-group
+/.citools @grafana/grafana-developer-enablement-squad
 /pkg/README.md @grafana/grafana-backend-group
 /pkg/ruleguard.rules.go @grafana/grafana-backend-group
 /.bra.toml @grafana/grafana-backend-group
-/.golangci.toml @grafana/grafana-backend-group
+/.golangci.yml @grafana/grafana-backend-group
 /build.go @grafana/grafana-backend-services-squad
 /scripts/modowners/ @grafana/grafana-backend-services-squad
 /scripts/go-workspace @grafana/grafana-app-platform-squad
 /hack/ @grafana/grafana-app-platform-squad
 
+/pkg/apis/provisioning @grafana/grafana-git-ui-sync-team
+/public/app/features/provisioning @grafana/grafana-git-ui-sync-team
+/pkg/registry/apis/provisioning @grafana/grafana-git-ui-sync-team
+
 /apps/alerting/ @grafana/alerting-backend
+/apps/dashboard/ @grafana/grafana-app-platform-squad @grafana/dashboards-squad
+/apps/folder/ @grafana/grafana-app-platform-squad
+/apps/playlist/ @grafana/grafana-app-platform-squad
+/apps/investigations/ @fcjack @matryer @svennergr
+/apps/advisor/ @grafana/plugins-platform-backend
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
-/pkg/apis/alerting_notifications @grafana/grafana-app-platform-squad @grafana/alerting-backend @grafana/alerting-frontend
+/pkg/apis/query @grafana/grafana-datasources-core-services
+/pkg/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
+/pkg/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/bus/ @grafana/grafana-search-and-storage
 /pkg/cmd/ @grafana/grafana-backend-group
-/pkg/cmd/grafana/apiserver @grafana/grafana-app-platform-squad
+/pkg/cmd/grafana-cli/commands/install_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/install_command_test.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/listremote_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/listversions_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/ls_command_test.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/ls_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/remove_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/upgrade_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/upgrade_all_command.go @grafana/plugins-platform-backend
+/pkg/cmd/grafana-cli/commands/upgrade_all_command_test.go @grafana/plugins-platform-backend
 /pkg/components/apikeygen/ @grafana/identity-squad
 /pkg/components/satokengen/ @grafana/identity-squad
 /pkg/components/dashdiffs/ @grafana/grafana-app-platform-squad
@@ -106,21 +121,24 @@
 /pkg/semconv/ @grafana/grafana-backend-group
 /pkg/server/ @grafana/grafana-backend-group
 /pkg/apiserver @grafana/grafana-app-platform-squad
+/pkg/aggregator @grafana/grafana-app-platform-squad
 /pkg/apimachinery @grafana/grafana-app-platform-squad
 /pkg/apimachinery/identity/ @grafana/identity-squad
 /pkg/apimachinery/errutil/ @grafana/grafana-backend-group
-/pkg/promlib @grafana/observability-metrics
+/pkg/promlib @grafana/oss-big-tent
 /pkg/storage/ @grafana/grafana-search-and-storage
+/pkg/storage/secret/ @grafana/grafana-operator-experience-squad
 /pkg/services/annotations/ @grafana/grafana-search-and-storage
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
-/pkg/services/contexthandler/ @grafana/grafana-backend-group
-/pkg/services/correlations/ @grafana/explore-squad
+/pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
+/pkg/services/correlations/ @grafana/dataviz-squad
 /pkg/services/dashboardimport/ @grafana/grafana-backend-group
 /pkg/services/dashboards/ @grafana/grafana-app-platform-squad
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
 /pkg/services/encryption/ @grafana/grafana-operator-experience-squad
 /pkg/services/folder/ @grafana/grafana-search-and-storage
+/pkg/services/frontend/ @grafana/grafana-frontend-platform
 /pkg/services/apiserver @grafana/grafana-app-platform-squad
 /pkg/services/hooks/ @grafana/grafana-backend-group
 /pkg/services/kmsproviders/ @grafana/grafana-operator-experience-squad
@@ -131,8 +149,9 @@
 /pkg/services/playlist/ @grafana/grafana-app-platform-squad
 /pkg/services/preference/ @grafana/grafana-backend-group
 /pkg/services/provisioning/ @grafana/grafana-search-and-storage
+/pkg/services/provisioning/alerting/ @grafana/alerting-backend
 /pkg/services/query/ @grafana/grafana-app-platform-squad
-/pkg/services/queryhistory/ @grafana/explore-squad
+/pkg/services/queryhistory/ @grafana/observability-traces-and-profiling
 /pkg/services/quota/ @grafana/grafana-search-and-storage
 /pkg/services/screenshot/ @grafana/grafana-backend-group
 /pkg/services/search/ @grafana/grafana-search-and-storage
@@ -152,8 +171,9 @@
 /pkg/setting/ @grafana/grafana-backend-services-squad
 /pkg/tests/ @grafana/grafana-backend-services-squad
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
+/pkg/tests/apis/query @grafana/grafana-datasources-core-services
 /pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
-/pkg/tests/api/correlations/ @grafana/explore-squad
+/pkg/tests/api/correlations/ @grafana/dataviz-squad
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
 /pkg/util/ @grafana/grafana-backend-group
@@ -169,7 +189,7 @@
 # Logs code, developers environment
 /devenv/docker/blocks/loki* @grafana/observability-logs
 /devenv/docker/blocks/elastic* @grafana/aws-datasources
-/devenv/docker/blocks/self-instrumentation* @grafana/observability-metrics
+/devenv/docker/blocks/self-instrumentation* @grafana/oss-big-tent
 
 /devenv/bulk-dashboards/ @grafana/dashboards-squad
 /devenv/bulk-folders/ @grafana/grafana-frontend-platform
@@ -179,8 +199,57 @@
 /devenv/datasources.yaml @grafana/grafana-backend-group
 /devenv/datasources_docker.yaml @grafana/grafana-backend-group
 /devenv/dev-dashboards-without-uid/ @grafana/dashboards-squad
-/devenv/dev-dashboards/ @grafana/dashboards-squad
+
+/devenv/dev-dashboards/annotations @grafana/dataviz-squad
+/devenv/dev-dashboards/migrations @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-barchart @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-bargauge @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-candlestick @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-canvas @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-datagrid @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-gauge @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-geomap @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-graph @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-heatmap @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-histogram @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-library @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-piechart @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-stat @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-table @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-timeline @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-timeseries @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-trend @grafana/dataviz-squad
+/devenv/dev-dashboards/panel-xychart @grafana/dataviz-squad
+/devenv/dev-dashboards/transforms @grafana/dataviz-squad
+/devenv/dev-dashboards/all-panels.json @grafana/dataviz-squad
+/devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
+/devenv/dev-dashboards/home.json @grafana/dataviz-squad
+
+/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/aws-datasources
+/devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-loki/ @grafana/plugins-platform-frontend
+/devenv/dev-dashboards/datasource-testdata/ @grafana/plugins-platform-frontend
+/devenv/dev-dashboards/datasource-mysql/ @grafana/oss-big-tent
+/devenv/dev-dashboards/datasource-postgres/ @grafana/oss-big-tent
+
+/devenv/dev-dashboards/e2e-repeats/ @grafana/grafana-frontend-platform
+/devenv/dev-dashboards/panel-text @grafana/grafana-frontend-platform
+/devenv/dev-dashboards/scenarios @grafana/grafana-frontend-platform
+
+/devenv/dev-dashboards/feature-templating/ @grafana/dashboards-squad
+/devenv/dev-dashboards/panel-common @grafana/dashboards-squad
+/devenv/dev-dashboards/panel-dashlist @grafana/dashboards-squad
+/devenv/dev-dashboards/live @grafana/dashboards-squad
+
+/devenv/dev-dashboards/panel-flamegraph/ @grafana/observability-traces-and-profiling
+/devenv/dev-dashboards/panel-polystat @grafana/plugins-platform-frontend
+/devenv/dev-dashboards/extensions/ @grafana/plugins-platform-frontend
+
 /devenv/docker/blocks/alert_webhook_listener/ @grafana/alerting-backend
+/devenv/docker/blocks/stateful_webhook/ @grafana/alerting-backend
+/devenv/docker/blocks/caddy_tls/ @grafana/alerting-backend
 /devenv/docker/blocks/clickhouse/ @grafana/partner-datasources
 /devenv/docker/blocks/collectd/ @grafana/observability-metrics
 /devenv/docker/blocks/etcd @grafana/grafana-app-platform-squad
@@ -195,6 +264,7 @@
 /devenv/docker/blocks/mariadb/ @grafana/oss-big-tent
 /devenv/docker/blocks/memcached/ @grafana/grafana-backend-group
 /devenv/docker/blocks/mimir_backend/ @grafana/alerting-backend
+/devenv/docker/blocks/mqtt/ @grafana/alerting-backend
 /devenv/docker/blocks/mssql/ @grafana/partner-datasources
 /devenv/docker/blocks/mssql_arm64/ @grafana/partner-datasources
 /devenv/docker/blocks/mssql_tests/ @grafana/partner-datasources
@@ -206,8 +276,10 @@
 /devenv/docker/blocks/opentsdb/ @grafana/partner-datasources
 /devenv/docker/blocks/postgres/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres_tests/ @grafana/oss-big-tent
-/devenv/docker/blocks/prometheus/ @grafana/observability-metrics
-/devenv/docker/blocks/prometheus_random_data/ @grafana/observability-metrics
+/devenv/docker/blocks/prometheus/ @grafana/oss-big-tent
+/devenv/docker/blocks/prometheus_random_data/ @grafana/oss-big-tent
+/devenv/docker/blocks/prometheus_high_card/ @grafana/oss-big-tent
+/devenv/docker/blocks/prometheus_utf8/ @grafana/oss-big-tent
 /devenv/docker/blocks/pyroscope/ @grafana/observability-traces-and-profiling
 /devenv/docker/blocks/redis/ @bergquist
 /devenv/docker/blocks/sensugo/ @grafana/grafana-backend-group
@@ -225,8 +297,8 @@
 /devenv/docker/loadtest/ @grafana/grafana-backend-services-squad
 /devenv/docker/rpmtest/ @grafana/grafana-backend-services-squad
 /devenv/jsonnet/ @grafana/dataviz-squad
+/devenv/local_cdn/ @grafana/frontend-ops
 /devenv/local-npm/ @grafana/frontend-ops
-/devenv/vscode/ @grafana/frontend-ops
 /devenv/setup.sh @grafana/grafana-backend-services-squad
 /devenv/plugins.yaml @grafana/plugins-platform-frontend
 
@@ -238,15 +310,16 @@
 
 
 # Continuous Integration
-.drone.yml @grafana/grafana-release-guild
-.drone.star @grafana/grafana-release-guild
-/scripts/drone/ @grafana/grafana-release-guild
-/pkg/build/ @grafana/grafana-release-guild
-/.dockerignore @grafana/grafana-release-guild
-/Dockerfile @grafana/grafana-release-guild
-/Makefile @grafana/grafana-release-guild
-/scripts/build/ @grafana/grafana-release-guild
-/scripts/list-release-artifacts.sh @grafana/grafana-release-guild
+.drone.yml @grafana/grafana-developer-enablement-squad
+.drone.star @grafana/grafana-developer-enablement-squad
+/scripts/drone/ @grafana/grafana-developer-enablement-squad
+/pkg/build/ @grafana/grafana-developer-enablement-squad
+/.dockerignore @grafana/grafana-developer-enablement-squad
+/Dockerfile @grafana/grafana-developer-enablement-squad
+/Makefile @grafana/grafana-developer-enablement-squad
+/scripts/build/ @grafana/grafana-developer-enablement-squad
+/scripts/list-release-artifacts.sh @grafana/grafana-developer-enablement-squad
+/scripts/releasefinder.sh @baldm0mma
 /.trivyignore @grafana/grafana-backend-services-squad
 
 # OSS Plugin Partnerships backend code
@@ -255,7 +328,7 @@
 /pkg/tsdb/cloud-monitoring/ @grafana/partner-datasources
 
 # Observability backend code
-/pkg/tsdb/prometheus/ @grafana/observability-metrics
+/pkg/tsdb/prometheus/ @grafana/oss-big-tent
 /pkg/tsdb/elasticsearch/ @grafana/aws-datasources
 /pkg/tsdb/loki/ @grafana/observability-logs
 /pkg/tsdb/tempo/ @grafana/observability-traces-and-profiling
@@ -265,6 +338,8 @@
 # OSS Big Tent backend code
 /pkg/tsdb/mysql/ @grafana/oss-big-tent
 /pkg/tsdb/grafana-postgresql-datasource/ @grafana/oss-big-tent
+/pkg/tsdb/zipkin/ @grafana/oss-big-tent
+/pkg/tsdb/jaeger/ @grafana/oss-big-tent
 
 # Partner Datasources backend code
 /pkg/tsdb/mssql/ @grafana/partner-datasources
@@ -302,7 +377,7 @@
 /pkg/services/datasourceproxy/ @grafana/plugins-platform-backend
 /pkg/services/datasources/ @grafana/plugins-platform-backend
 /pkg/services/pluginsintegration/ @grafana/plugins-platform-backend
-/pkg/plugins/pfs/ @grafana/plugins-platform-backend @grafana/grafana-as-code
+/pkg/plugins/codegen/pfs/ @grafana/plugins-platform-backend @grafana/grafana-as-code
 /pkg/tsdb/grafana-testdata-datasource/ @grafana/plugins-platform-backend
 /pkg/tsdb/Magefile.go @grafana/plugins-platform-backend
 /pkg/services/pluginsintegration/pluginsettings/ @grafana/plugins-platform-backend
@@ -313,11 +388,14 @@
 
 
 /crowdin.yml @grafana/grafana-frontend-platform
-/public/locales/ @grafana/grafana-frontend-platform
+/public/locales/ @grafanabot
+/public/locales/i18next-parser.config.cjs @grafana/grafana-frontend-platform
+/public/locales/i18next-parser-enterprise.config.cjs @grafana/grafana-frontend-platform
 /public/app/core/internationalization/ @grafana/grafana-frontend-platform
 /e2e/ @grafana/grafana-frontend-platform
 /e2e/cloud-plugins-suite/ @grafana/partner-datasources
 /e2e/plugin-e2e/plugin-e2e-api-tests/ @grafana/plugins-platform-frontend
+/e2e/test-plugins/grafana-extensionstest-app/ @grafana/plugins-platform-frontend
 
 # Packages
 /packages/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
@@ -334,19 +412,20 @@
 /packages/grafana-o11y-ds-frontend/src/TraceToMetrics/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/TraceToProfiles/ @grafana/observability-traces-and-profiling
 /packages/grafana-plugin-configs/ @grafana/plugins-platform-frontend
-/packages/grafana-prometheus/ @grafana/observability-metrics
+/packages/grafana-prometheus/ @grafana/oss-big-tent
 /packages/grafana-schema/src/**/*canvas* @grafana/dataviz-squad
 /packages/grafana-schema/src/**/*tempo* @grafana/observability-traces-and-profiling
 /packages/grafana-sql/ @grafana/partner-datasources @grafana/oss-big-tent
-/packages/grafana-ui/.storybook/ @grafana/plugins-platform-frontend
+/packages/grafana-ui/.storybook/ @grafana/grafana-frontend-platform
 /packages/grafana-ui/src/components/ @grafana/grafana-frontend-platform
 /packages/grafana-ui/src/components/BarGauge/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/DataLinks/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/DateTimePickers/ @grafana/grafana-frontend-platform
 /packages/grafana-ui/src/components/Gauge/ @grafana/dataviz-squad
+/packages/grafana-ui/src/components/PluginSignatureBadge/ @grafana/plugins-platform-frontend
 /packages/grafana-ui/src/components/Sparkline/ @grafana/grafana-frontend-platform @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/Table/ @grafana/dataviz-squad
-/packages/grafana-ui/src/components/Table/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
+/packages/grafana-ui/src/components/Table/Cells/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/uPlot/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/ValuePicker/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/VizLayout/ @grafana/dataviz-squad
@@ -356,20 +435,22 @@
 /packages/grafana-ui/src/graveyard/Graph/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/GraphNG/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
-/packages/grafana-ui/src/utils/storybook/ @grafana/plugins-platform-frontend
-
-/plugins-bundled/ @grafana/plugins-platform-frontend
+/packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
+/packages/grafana-alerting/ @grafana/alerting-frontend
 
 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
 /package.json @grafana/frontend-ops
 /nx.json @grafana/frontend-ops
 /project.json @grafana/frontend-ops
+/.nxignore @grafana/frontend-ops
 /tsconfig.json @grafana/frontend-ops
 /.editorconfig @grafana/frontend-ops
-/.eslintignore @grafana/frontend-ops
+/eslint.config.js @grafana/frontend-ops
+/.betterer.eslint.config.js @grafana/frontend-ops
 /.gitattributes @grafana/frontend-ops
 /.gitignore @grafana/frontend-ops
+/.ignore @grafana/frontend-ops
 /.nvmrc @grafana/frontend-ops
 /.prettierignore @grafana/frontend-ops
 /.yarn @grafana/frontend-ops
@@ -377,20 +458,19 @@
 /yarn.lock @grafana/frontend-ops
 /lerna.json @grafana/frontend-ops
 /.prettierrc.js @grafana/frontend-ops
-/.eslintrc @grafana/frontend-ops
 /.vim @zoltanbedi
 /jest.config.js @grafana/frontend-ops
 /latest.json @grafana/frontend-ops
 /stylelint.config.js @grafana/frontend-ops
 /tools/ @grafana/frontend-ops
 /lefthook.yml @grafana/frontend-ops
-/lefthook.rc @grafana/frontend-ops
 /.husky/pre-commit @grafana/frontend-ops
 /cypress.config.js @grafana/grafana-frontend-platform
 /.levignore.js @grafana/plugins-platform-frontend
 playwright.config.ts @grafana/plugins-platform-frontend
 
 # public folder
+/public/app/api/ @grafana/grafana-frontend-platform
 /public/app/core/ @grafana/grafana-frontend-platform
 /public/app/core/components/TimePicker/ @grafana/grafana-frontend-platform
 /public/app/core/components/Layers/ @grafana/dataviz-squad
@@ -398,13 +478,16 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/core/components/TimeSeries/ @grafana/dataviz-squad
 /public/app/core/components/TimelineChart/ @grafana/dataviz-squad
 /public/app/core/components/Form/ @grafana/grafana-frontend-platform
-/public/app/core/history/ @grafana/explore-squad
-/public/app/features/all.ts @grafana/grafana-frontend-platform
+/public/app/core/components/OptionsUI/ @grafana/dashboards-squad @grafana/dataviz-squad
+
+
+/public/app/core/history/ @grafana/observability-traces-and-profiling
 /public/app/features/admin/ @grafana/identity-access-team
 
 # Temp owners until Enterprise team takes over
 /public/app/features/migrate-to-cloud @grafana/grafana-frontend-platform
 
+/public/app/features/actions/ @grafana/dataviz-squad
 /public/app/features/auth-config/ @grafana/identity-squad
 /public/app/features/annotations/ @grafana/dashboards-squad
 /public/app/features/api-keys/ @grafana/identity-squad
@@ -413,21 +496,22 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/visualization/data-hover/ @grafana/dataviz-squad
 /public/app/features/commandPalette/ @grafana/grafana-frontend-platform
 /public/app/features/connections/ @grafana/plugins-platform-frontend
-/public/app/features/correlations/ @grafana/explore-squad
+/public/app/features/correlations/ @grafana/dataviz-squad
 /public/app/features/dashboard/ @grafana/dashboards-squad
 /public/app/features/dashboard/components/TransformationsEditor/ @grafana/dataviz-squad
 /public/app/features/dashboard-scene/ @grafana/dashboards-squad
+/public/app/features/scopes/ @grafana/dashboards-squad
 /public/app/features/datasources/ @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
-/public/app/features/explore/ @grafana/explore-squad
-/public/app/features/expressions/ @grafana/observability-metrics
+/public/app/features/explore/ @grafana/observability-traces-and-profiling
+/public/app/features/expressions/ @grafana/grafana-datasources-core-services
 /public/app/features/folders/ @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
 /public/app/features/invites/ @grafana/grafana-frontend-platform
 /public/app/features/library-panels/ @grafana/dashboards-squad
 /public/app/features/logs/ @grafana/observability-logs
-/public/app/features/live/ @grafana/grafana-app-platform-squad
+/public/app/features/live/ @grafana/dashboards-squad
 /public/app/features/apiserver/ @grafana/grafana-app-platform-squad
 /public/app/features/manage-dashboards/ @grafana/dashboards-squad
 /public/app/features/notifications/ @grafana/grafana-frontend-platform
@@ -436,14 +520,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
 /public/app/features/profile/ @grafana/grafana-frontend-platform
-/public/app/features/query-library/ @grafana/explore-squad
 /public/app/features/runtime/ @ryantxu
 /public/app/features/query/ @grafana/dashboards-squad
 /public/app/features/sandbox/ @grafana/grafana-frontend-platform
 /public/app/features/browse-dashboards/ @grafana/grafana-frontend-platform
 /public/app/features/search/ @grafana/grafana-frontend-platform
 /public/app/features/serviceaccounts/ @grafana/identity-squad
-/public/app/features/storage/ @grafana/grafana-app-platform-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
 /public/app/features/trails/ @grafana/observability-metrics
@@ -452,6 +534,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
 /public/app/features/preferences/ @grafana/grafana-frontend-platform
+/public/app/features/bookmarks/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
 /public/app/plugins/panel/annolist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
@@ -461,10 +544,10 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
 /public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
-/public/app/plugins/panel/graph/ @grafana/dataviz-squad
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
+/public/app/plugins/panel/logs-new/ @grafana/observability-logs
 /public/app/plugins/panel/nodeGraph/ @grafana/observability-traces-and-profiling @grafana/app-o11y-visualizations
 /public/app/plugins/panel/traces/ @grafana/observability-traces-and-profiling
 /public/app/plugins/panel/flamegraph/ @grafana/observability-traces-and-profiling
@@ -473,24 +556,23 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/status-history/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/cells/SparklineCellOptionsEditor.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
-/public/app/plugins/panel/table-old/ @grafana/dataviz-squad
 /public/app/plugins/panel/timeseries/ @grafana/dataviz-squad
 /public/app/plugins/panel/trend/ @grafana/dataviz-squad
 /public/app/plugins/panel/geomap/ @grafana/dataviz-squad
 /public/app/plugins/panel/canvas/ @grafana/dataviz-squad
 /public/app/plugins/panel/candlestick/ @grafana/dataviz-squad
-/public/app/plugins/panel/live/ @grafana/grafana-app-platform-squad
+/public/app/plugins/panel/live/ @grafana/dashboards-squad
 /public/app/plugins/panel/news/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/stat/ @grafana/dataviz-squad
 /public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
-/public/app/plugins/sdk.ts @grafana/plugins-platform-frontend
 /public/app/routes/ @grafana/grafana-frontend-platform
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
 /public/app/types/unified-alerting-dto.ts @grafana/alerting-frontend
+/public/app/types/unified-alerting.ts @grafana/alerting-frontend
 /public/dashboards/ @grafana/dashboards-squad
 /public/gazetteer/ @ryantxu
 /public/img/ @grafana/grafana-frontend-platform
@@ -503,20 +585,21 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/test/ @grafana/grafana-frontend-platform
 /public/test/helpers/alertingRuleEditor.tsx @grafana/alerting-frontend
 /public/views/ @grafana/grafana-frontend-platform
-/public/views/swagger.html @grafana/grafana-backend-group
+/public/views/swagger.html @grafana/grafana-app-platform-squad
+/public/swagger/ @grafana/grafana-app-platform-squad
 
 /public/app/features/explore/Logs/ @grafana/observability-logs
 
-/public/app/features/explore/RawPrometheus/ @grafana/observability-metrics
+/public/app/features/explore/RawPrometheus/ @grafana/oss-big-tent
 
 /public/app/features/explore/NodeGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/FlameGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/TraceView/ @grafana/observability-traces-and-profiling
+/public/app/features/explore/QueryLibrary/ @grafana/grafana-frontend-platform
 
 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
 /public/openapi3.json @grafana/grafana-backend-group
-/public/app/angular/ @torkelo
 /public/app/app.ts @grafana/frontend-ops
 /public/app/dev.ts @grafana/frontend-ops
 /public/app/core/utils/metrics.ts @grafana/plugins-platform-frontend
@@ -524,34 +607,31 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/AppWrapper.tsx @grafana/frontend-ops
 /public/app/partials/ @grafana/grafana-frontend-platform
 
-
-
-
 /scripts/benchmark-access-control.sh @grafana/access-squad
 /scripts/check-breaking-changes.sh @grafana/plugins-platform-frontend
-/scripts/ci-* @grafana/grafana-release-guild
-/scripts/circle-* @grafana/grafana-release-guild
-/scripts/publish-npm-packages.sh @grafana/grafana-release-guild @grafana/plugins-platform-frontend
-/scripts/validate-npm-packages.sh @grafana/grafana-release-guild @grafana/plugins-platform-frontend
+/scripts/ci-* @grafana/grafana-developer-enablement-squad
+/scripts/circle-* @grafana/grafana-developer-enablement-squad
+/scripts/publish-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
+/scripts/validate-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
 /scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad
 /scripts/cli/ @grafana/grafana-frontend-platform
 /scripts/clean-git-or-error.sh @grafana/grafana-as-code
 /scripts/grafana-server/ @grafana/grafana-frontend-platform
-/scripts/helpers/ @grafana/grafana-release-guild
+/scripts/helpers/ @grafana/grafana-developer-enablement-squad
 /scripts/import_many_dashboards.sh @torkelo
 /scripts/mixin-check.sh @bergquist
 /scripts/openapi3/ @grafana/grafana-operator-experience-squad
-/scripts/prepare-packagejson.js @grafana/frontend-ops
+/scripts/prepare-npm-package.js @grafana/frontend-ops
 /scripts/protobuf-check.sh @grafana/plugins-platform-backend
 /scripts/stripnulls.sh @grafana/grafana-as-code
-/scripts/tag_release.sh @grafana/grafana-release-guild
-/scripts/trigger_docker_build.sh @grafana/grafana-release-guild
-/scripts/trigger_grafana_packer.sh @grafana/grafana-release-guild
-/scripts/trigger_windows_build.sh @grafana/grafana-release-guild
+/scripts/tag_release.sh @grafana/grafana-developer-enablement-squad
+/scripts/trigger_docker_build.sh @grafana/grafana-developer-enablement-squad
+/scripts/trigger_grafana_packer.sh @grafana/grafana-developer-enablement-squad
+/scripts/trigger_windows_build.sh @grafana/grafana-developer-enablement-squad
 /scripts/cleanup-husky.sh @grafana/frontend-ops
-/scripts/verify-repo-update/ @grafana/grafana-release-guild
-/scripts/generate-icon-bundle.js @grafana/plugins-platform-frontend @grafana/grafana-frontend-platform
+/scripts/verify-repo-update/ @grafana/grafana-developer-enablement-squad
 /scripts/generate-rtk-apis.ts @grafana/grafana-frontend-platform
+/scripts/process-specs.ts @grafana/grafana-frontend-platform
 /scripts/generate-alerting-rtk-apis.ts @grafana/alerting-frontend
 /scripts/levitate-parse-json-report.js @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
@@ -563,12 +643,8 @@ playwright.config.ts @grafana/plugins-platform-frontend
 .pa11yci.conf.js @grafana/grafana-frontend-platform
 .pa11yci-pr.conf.js @grafana/grafana-frontend-platform
 .betterer.results @grafanabot
-.betterer.results.json @grafanabot
 .betterer.ts @grafana/grafana-frontend-platform
 
-# @grafana/ui component documentation
-*.mdx @grafana/plugins-platform-frontend
-
 # Design system
 /public/img/icons/unicons/ @grafana/design-system
 
@@ -588,7 +664,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
 /public/app/plugins/datasource/opentsdb/ @grafana/partner-datasources
 /public/app/plugins/datasource/grafana-postgresql-datasource/ @grafana/oss-big-tent
-/public/app/plugins/datasource/prometheus/ @grafana/observability-metrics
+/public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources
 /public/app/plugins/datasource/zipkin/ @grafana/oss-big-tent
 /public/app/plugins/datasource/tempo/ @grafana/observability-traces-and-profiling
@@ -608,7 +684,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/rendering/ @grafana/sharing-squad
 
 # SSE - Server Side Expressions
-/pkg/expr/ @grafana/observability-metrics
+/pkg/expr/ @grafana/grafana-datasources-core-services
 
 # Cloud middleware
 /grafana-mixin/ @grafana/grafana-backend-services-squad
@@ -640,6 +716,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/caching/ @grafana/grafana-operator-experience-squad
 /pkg/services/cloudmigration/ @grafana/grafana-operator-experience-squad
 /pkg/services/gcom/ @grafana/grafana-operator-experience-squad
+/pkg/services/authapi/ @grafana/grafana-operator-experience-squad
 
 # Feature toggles
 /pkg/services/featuremgmt/ @grafana/grafana-backend-services-squad
@@ -648,6 +725,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Kind definitions
 /kinds/dashboard @grafana/dashboards-squad
 /kinds/ @grafana/grafana-as-code
+kindsv2/ @grafana/dashboards-squad
 
 # Kind system and code generation
 embed.go @grafana/grafana-as-code
@@ -655,6 +733,10 @@ embed.go @grafana/grafana-as-code
 /pkg/registry/ @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
 /pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
+/pkg/registry/apis/query @grafana/grafana-datasources-core-services
+/pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
+/pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
+/pkg/registry/apps/advisor @grafana/plugins-platform-backend
 /pkg/codegen/ @grafana/grafana-as-code
 /pkg/codegen/generators @grafana/grafana-as-code
 /pkg/kinds/*/*_gen.go @grafana/grafana-as-code
@@ -664,68 +746,88 @@ embed.go @grafana/grafana-as-code
 
 # GitHub Workflows and Templates
 /.github/CODEOWNERS @tolzhabayev
-/.github/ISSUE_TEMPLATE/ @torkelo
+/.github/ISSUE_TEMPLATE/ @torkelo @sympatheticmoose
 /.github/PULL_REQUEST_TEMPLATE.md @torkelo
 /.github/bot.md @torkelo
 /.github/commands.json @torkelo
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
 /.github/metrics-collector.json @torkelo
-/.github/pr-checks.json @marefr
-/.github/pr-commands.json @marefr
+/.github/pr-checks.json @tolzhabayev
+/.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
-/.github/teams.yml @armandgrillet
+/.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
+/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
+/.github/actions/setup-grafana-bench/ @Proximyst
+/.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
+/.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
-/.github/workflows/auto-milestone.yml @grafana/grafana-release-guild
-/.github/workflows/backport.yml @grafana/grafana-release-guild
-/.github/workflows/bump-version.yml @grafana/grafana-release-guild
-/.github/workflows/close-milestone.yml @grafana/grafana-release-guild
-/.github/workflows/release-pr.yml @grafana/grafana-release-guild
-/.github/workflows/release-comms.yml @grafana/grafana-release-guild
+/.github/workflows/alerting-update-module.yml @grafana/alerting-backend
+/.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
+/.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
+/.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/create-next-release-branch.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
-/.github/workflows/community-release.yml @grafana/grafana-release-guild
+/.github/workflows/community-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/detect-breaking-changes-* @grafana/plugins-platform-frontend
-/.github/workflows/doc-validator.yml @grafana/docs-tooling
-/.github/workflows/epic-add-to-platform-ux-parent-project.yml @meanmina
-/.github/workflows/github-release.yml @grafana/grafana-release-guild
-/.github/workflows/issue-labeled.yml @armandgrillet
+/.github/workflows/documentation-ci.yml @grafana/docs-tooling
+/.github/workflows/deploy-pr-preview.yml @grafana/docs-tooling
+/.github/workflows/feature-toggles-ci.yml @grafana/docs-tooling
+/.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
+/.github/workflows/lint-build-docs.yml @grafana/docs-tooling
 /.github/workflows/metrics-collector.yml @torkelo
-/.github/workflows/milestone.yml @marefr
-/.github/workflows/pr-checks.yml @marefr
-/.github/workflows/pr-codeql-analysis-go.yml @DanCech
+/.github/workflows/pr-checks.yml @tolzhabayev
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
-/.github/workflows/pr-commands.yml @marefr
-/.github/workflows/pr-patch-check.yml @grafana/grafana-release-guild
-/.github/workflows/sync-mirror.yml @grafana/grafana-release-guild
+/.github/workflows/pr-commands.yml @tolzhabayev
+/.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
+/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
+/.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
-/.github/workflows/remove-milestone.yml @grafana/grafana-release-guild
-/.github/workflows/sbom-report.yml @grafana/security-team
 /.github/workflows/scripts/json-file-to-job-output.js @grafana/plugins-platform-frontend
-/.github/workflows/scripts/pr-get-job-link.js @grafana/plugins-platform-frontend
-/.github/workflows/stale.yml @grafana/grafana-release-guild
-/.github/workflows/update-changelog.yml @grafana/grafana-release-guild
+/.github/workflows/stale.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
-/.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-cat
-/.github/workflows/publish-kinds-next.yml @grafana/platform-cat
-/.github/workflows/publish-kinds-release.yml @grafana/platform-cat
-/.github/workflows/verify-kinds.yml @grafana/platform-cat
+/.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
+/.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
+/.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
+/.github/workflows/verify-kinds.yml @grafana/platform-monitoring
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
+/.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
+/.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
+/.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
-/.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-release-guild
+/.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
+/.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
+/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
-/.github/workflows/run-scenes-e2e.yml @grafana/dashboards-squad
-/.github/workflows/go_lint.yml @grafana/grafana-backend-services-squad
+/.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
+/.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
+/.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
 /.github/workflows/changelog.yml @zserge
-/.github/workflows/actions/changelog @zserge
+/.github/actions/changelog @zserge
+/.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
+/.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
+/.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
+/.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
+/.github/workflows/zizmor.yml @grafana/grafana-developer-enablement-squad
+/.github/zizmor.yml @grafana/grafana-developer-enablement-squad
 
 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot
@@ -744,3 +846,4 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/dashboards/ @grafana/dashboards-squad
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
+/conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team

.github/actions/changelog/index.js

@@ -69,8 +69,17 @@ const graphql = async (ghtoken, query, variables) => {
     },
     body: JSON.stringify({ query, variables }),
   });
-  const { data } = await results.json();
-  return data;
+
+  const res = await results.json();
+
+  LOG(
+    JSON.stringify({
+      status: results.status,
+      text: results.statusText,
+    })
+  );
+
+  return res.data;
 };
 
 // Using Github GraphQL API find the timestamp for the given tag/commit hash.
@@ -99,20 +108,20 @@ const getCommitishDate = async (name, owner, target) => {
 // Using Github GraphQL API get a list of PRs between the two "commitish" items.
 // This resoves the "since" item's timestamp first and iterates over all PRs
 // till "target" using naïve pagination.
-const getHistory = async (name, owner, target, sinceDate) => {
-  LOG(`Fetching ${owner}/${name} PRs since ${sinceDate} till ${target}`);
+const getHistory = async (name, owner, from, to) => {
+  LOG(`Fetching ${owner}/${name} PRs between ${from} and ${to}`);
   const query = `
   query findCommitsWithAssociatedPullRequests(
     $name: String!
     $owner: String!
-    $target: String!
-    $sinceDate: GitTimestamp
+    $from: String!
+    $to: String!
     $cursor: String
   ) {
     repository(name: $name, owner: $owner) {
-      object(expression: $target) {
-        ... on Commit {
-          history(first: 50, since: $sinceDate, after: $cursor) {
+      ref(qualifiedName: $from) {
+        compare(headRef: $to) {
+          commits(first: 25, after: $cursor) {
             totalCount
             pageInfo {
               hasNextPage
@@ -155,13 +164,13 @@ const getHistory = async (name, owner, target, sinceDate) => {
     const result = await graphql(ghtoken, query, {
       name,
       owner,
-      target,
-      sinceDate,
+      from,
+      to,
       cursor,
     });
     LOG(`GraphQL: ${JSON.stringify(result)}`);
-    nodes = [...nodes, ...result.repository.object.history.nodes];
-    const { hasNextPage, endCursor } = result.repository.object.history.pageInfo;
+    nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
+    const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
     if (!hasNextPage) {
       break;
     }
@@ -175,11 +184,11 @@ const getHistory = async (name, owner, target, sinceDate) => {
 // feature, deprecation, breaking change and plugin fixes/enhancements).
 //
 // PR grouping relies on Github labels only, not on the PR contents.
-const getChangeLogItems = async (name, owner, sinceDate, to) => {
+const getChangeLogItems = async (name, owner, from, to) => {
   // check if a node contains a certain label
   const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
   // get all the PRs between the two "commitish" items
-  const history = await getHistory(name, owner, to, sinceDate);
+  const history = await getHistory(name, owner, from, to);
 
   const items = history.flatMap((node) => {
     // discard PRs without a "changelog" label
@@ -199,7 +208,7 @@ const getChangeLogItems = async (name, owner, sinceDate, to) => {
       hasLabel({ labels }, 'area/grafana/ui') ||
       hasLabel({ labels }, 'area/grafana/toolkit') ||
       hasLabel({ labels }, 'area/grafana/runtime');
-    const author = item.commits.nodes[0].commit.author.user.login;
+    const author = item.commits.nodes[0].commit.author.user?.login;
     return {
       repo: name,
       number,
@@ -231,13 +240,10 @@ const previous = process.argv[3] || process.env.INPUT_PREVIOUS || (await getPrev
 
 LOG(`Previous tag/commit: ${previous}`);
 
-const sinceDate = await getCommitishDate('grafana', 'grafana', previous);
-LOG(`Previous tag/commit timestamp: ${sinceDate}`);
-
 // Get all changelog items from Grafana OSS
-const oss = await getChangeLogItems('grafana', 'grafana', sinceDate, target);
+const oss = await getChangeLogItems('grafana', 'grafana', previous, target);
 // Get all changelog items from Grafana Enterprise
-const entr = await getChangeLogItems('grafana-enterprise', 'grafana', sinceDate, target);
+const entr = await getChangeLogItems('grafana-enterprise', 'grafana', previous, target);
 
 LOG(`Found OSS PRs: ${oss.length}`);
 LOG(`Found Enterprise PRs: ${entr.length}`);
@@ -285,7 +291,7 @@ ${items
       `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
         item.repo === 'grafana-enterprise'
           ? '(Enterprise)'
-          : `${pullRequestLink(item.number)}, ${userLink(item.author)}`
+          : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
       }`
   )
   .join('\n')}

.github/actions/setup-enterprise/action.yml

@@ -0,0 +1,48 @@
+name: 'Setup Grafana Enterprise'
+description: 'Clones and sets up Grafana Enterprise repository for testing'
+
+inputs:
+  github-app-name:
+    description: 'Name of the GitHub App in Vault'
+    required: false
+    default: 'grafana-ci-bot'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=${{ inputs.github-app-name }}:app-id
+          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
+          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+        repositories: "grafana-enterprise"
+        owner: "grafana"
+
+    - name: Setup Enterprise
+      shell: bash
+      env:
+        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+      run: |
+        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
+        
+        cd ../grafana-enterprise
+        
+        if git checkout ${GITHUB_HEAD_REF}; then
+          echo "checked out ${GITHUB_HEAD_REF}"
+        elif git checkout ${GITHUB_BASE_REF}; then
+          echo "checked out ${GITHUB_BASE_REF}"
+        else
+          git checkout main
+        fi
+        
+        ./build.sh

.github/actions/setup-grafana-bench/action.yml

@@ -0,0 +1,45 @@
+name: 'Setup Grafana Bench'
+description: 'Sets up and installs Grafana Bench'
+
+inputs:
+  github-app-name:
+    description: 'Name of the GitHub App in Vault'
+    required: false
+    default: 'grafana-ci-bot'
+  branch:
+    description: 'The branch to install from'
+    required: false
+    default: 'main'
+
+runs:
+  using: "composite"
+  steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=${{ inputs.github-app-name }}:app-id
+          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
+          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+        repositories: "grafana-bench"
+        owner: "grafana"
+
+    - name: Setup Bench
+      shell: bash
+      env:
+        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+        BRANCH: ${{ inputs.branch }}
+      run: |
+        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-bench.git ../grafana-bench
+
+        cd ../grafana-bench
+        git switch "$BRANCH"
+        go install .

.github/actions/test-coverage-processor/action.yml

@@ -0,0 +1,50 @@
+name: 'Go Coverage Processor'
+description: 'Process Go test coverage files and generate reports'
+
+inputs:
+  test-type:
+    description: 'Type of test (e.g., be-unit, be-integration)'
+    required: true
+    type: string
+  coverage-file:
+    description: 'Path to the Go coverage file (.cov)'
+    required: true
+    type: string
+  codecov-token:
+    description: 'Token for CodeCov (required for CodeCov reporting)'
+    required: false
+    default: ''
+  codecov-flag:
+    description: 'Flag to categorize the upload to CodeCov'
+    required: false
+    default: ''
+  codecov-name:
+    description: 'Custom name for the upload to CodeCov'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Process Go coverage output
+      shell: bash
+      env:
+        COVERAGE_FILE: ${{ inputs.coverage-file }}
+      run: |
+        # Ensure valid coverage file even if empty
+        if [ ! -s "$COVERAGE_FILE" ]; then
+          echo "Coverage file is empty, creating a minimal valid file"
+          echo "mode: set" > "$COVERAGE_FILE"
+        fi
+
+    - name: Report coverage to CodeCov
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
+      if: inputs.codecov-token != ''
+      with:
+        files: ${{ inputs.coverage-file }}
+        flags: ${{ inputs.codecov-flag || inputs.test-type }}
+        name: ${{ inputs.codecov-name || inputs.test-type }}
+        slug: grafana/grafana
+        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
+        url: https://codecov-webhook.grafana-dev.net
+        token: ${{ inputs.codecov-token }}

.github/pr-commands.json

@@ -436,5 +436,71 @@
     ],
     "action": "updateLabel",
     "addLabel": "area/panel/table"
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/azuremonitor/**/*",
+      "pkg/tsdb/azuremonitor/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/graphite/**/*",
+      "pkg/tsdb/graphite/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/influxdb/**/*",
+      "pkg/tsdb/influx/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/elasticsearch/**/*",
+      "pkg/tsdb/elasticsearch/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/cloud-monitoring/**/*",
+      "pkg/tsdb/cloud-monitoring/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
+  },
+  {
+    "type": "changedfiles",
+    "matches": [
+      "public/app/plugins/datasource/opentsdb/**/*",
+      "pkg/tsdb/opentsdb/**/*"
+    ],
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/190"
+    }
   }
 ]

.github/workflows/add-to-whats-new.yml

@@ -0,0 +1,16 @@
+name: Add comment about adding a What's new note
+on:
+  pull_request:
+    types: [labeled]
+
+jobs:
+  add-comment:
+    if: ${{ ! github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'add to what''s new') }}
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        with:
+          message: |
+            Since you've added the `Add to what's new` label, consider drafting a [What's new note](https://admin.grafana.com/content-admin/#/collections/whats-new/new) for this feature.

.github/workflows/alerting-swagger-gen.yml

@@ -13,15 +13,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Set go version
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
         with:
           go-version-file: go.mod
       - name: Build swagger
         run: |
           make -C pkg/services/ngalert/api/tooling post.json api.json
       - name: Open Pull Request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "chore: update alerting swagger spec"
@@ -34,4 +35,3 @@ jobs:
           labels: 'area/alerting,type/docs,no-changelog'
           team-reviewers: 'grafana/alerting-backend'
           draft: false
-

.github/workflows/alerting-update-module.yml

@@ -0,0 +1,137 @@
+name: Update Alerting Module
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  update-grafana:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4 # 4.2.2
+        with:
+          persist-credentials: false
+      - name: Check if update branch exists
+        run: |
+          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
+            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
+            echo "Please review and merge/close the existing PR before running this workflow again."
+            exit 1
+          fi
+
+      - name: Setup Go
+        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
+        with:
+          "go-version-file": "go.mod"
+
+      - name: Extract current commit hash of alerting module
+        id: current-commit
+        run: |
+          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
+          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Get current branch name
+        id: current-branch-name
+        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
+
+      - name: Get latest commit
+        id: latest-commit
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BRANCH="${{ steps.current-branch-name.outputs.name }}"
+          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
+           if [ -z "$TO_COMMIT" ]; then
+            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
+            exit 1
+          fi
+          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Compare commit hashes
+        run: |
+          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
+          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
+          
+          # Compare just the length of the shorter hash
+          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
+          
+          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
+            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
+            exit 0
+          fi
+          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
+
+      - name: Check for commit history
+        id: check-commits
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # get all commits that contains 'Alerting:' in the message          
+          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
+            --jq '.commits[].commit.message | split("\n")[0]') || true
+          
+          # Use printf instead of echo -e for better multiline handling
+          printf "%s\n" "$ALERTING_COMMITS"
+          
+          # make the list for markdown and replace PR numbers with links
+          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
+          
+          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
+          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Update alerting module
+        env:
+          GOSUMDB: off
+        run: |
+          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
+          make update-workspace
+
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=alerting-team:app-id
+            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
+
+      - name: "Generate token"
+        id: generate_token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
+        with:
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
+        id: create-pr
+        with:
+          token: '${{ steps.generate_token.outputs.token }}'
+          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
+          branch: alerting/update-alerting-module
+          delete-branch: true
+          body: |
+            Updates Grafana Alerting module to latest version.
+
+            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
+            <details>
+            <summary>Commits</summary>
+            
+            ${{ steps.check-commits.outputs.alerting_commits }}
+
+            </details>
+
+            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
+      - name: Add PR URL to Summary
+        if: steps.create-pr.outputs.pull-request-url != ''
+        run: |
+          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
+          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY

.github/workflows/analytics-events-report.yml

@@ -0,0 +1,25 @@
+name: Analytics Events Report
+
+on:
+  workflow_dispatch:
+
+jobs:
+  generate-report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Generate analytics report
+        run: yarn analytics-report

.github/workflows/auto-milestone.yml

@@ -21,7 +21,7 @@ jobs:
       # Note: Github will not trigger other actions from this because it uses
       # the GITHUB_TOKEN token
       - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main
+        uses: grafana/grafana-github-actions-go/auto-milestone@d4c452f92ed826d515dccf1f62923e537953acd8 # main
         with:
           pr: ${{ github.event.pull_request.number }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/auto-triager/labels.txt

@@ -0,0 +1,124 @@
+area/admin/user
+area/alerting
+area/annotations
+area/auth
+area/auth/ldap
+area/auth/oauth
+area/auth/rbac
+area/auth/serviceaccount
+area/backend
+area/backend/api
+area/backend/db
+area/backend/db/migration
+area/backend/db/mysql
+area/backend/db/postgres
+area/backend/db/sql
+area/backend/db/sqlite
+area/configuration
+area/dashboard/annotations
+area/dashboard/data-links
+area/dashboard/edit
+area/dashboard/folders
+area/dashboard/import
+area/dashboard/kiosk
+area/dashboard/links
+area/dashboard/rows
+area/dashboard/scenes
+area/dashboard/settings
+area/dashboard/snapshot
+area/dashboard/templating
+area/dashboard/timerange
+area/dashboard/tv
+area/dashboard/variable
+area/dashboards/panel
+area/data/export
+area/explore
+area/expressions
+area/field/overrides
+area/frontend/library-panels
+area/frontend/login
+area/image-rendering
+area/internationalization
+area/legend
+area/library-panel
+area/metricsdrilldown
+area/navigation
+area/panel/annotation-list
+area/panel/barchart
+area/panel/bargauge
+area/panel/candlestick
+area/panel/canvas
+area/panel/dashboard-list
+area/panel/edit
+area/panel/edit
+area/panel/field-override
+area/panel/flame-graph
+area/panel/gauge
+area/panel/geomap
+area/panel/heatmap
+area/panel/histogram
+area/panel/logs
+area/panel/node-graph
+area/panel/node-graph
+area/panel/piechart
+area/panel/repeat
+area/panel/singlestat
+area/panel/stat
+area/panel/state-timeline
+area/panel/status-history
+area/panel/table
+area/panel/timeseries
+area/panel/traceview
+area/panel/trend
+area/panel/xychart
+area/permissions
+area/playlist
+area/plugins
+area/plugins-catalog
+area/provisioning
+area/provisioning/datasources
+area/public-dashboards
+area/query-library
+area/recorded-queries
+area/scenes
+area/search
+area/security
+area/streaming
+area/templating/repeating
+area/tooltip
+area/transformations
+datagrid
+datasource/Alertmanager
+datasource/Azure
+datasource/azure-cosmosdb
+datasource/BigQuery
+datasource/CloudWatch
+datasource/CloudWatch Logs
+datasource/CSV
+datasource/Elasticsearch
+datasource/GitHub
+datasource/GoogleCloudMonitoring
+datasource/GoogleSheets
+datasource/grafana-pyroscope
+datasource/Graphite
+datasource/InfluxDB
+datasource/Jaeger
+datasource/JSON
+datasource/Loki
+datasource/MSSQL
+datasource/MySQL
+datasource/OpenSearch
+datasource/OpenTSDB
+datasource/Parca
+datasource/Phlare
+datasource/Postgres
+datasource/Prometheus
+datasource/SiteWIse
+datasource/Splunk
+datasource/Tempo
+datasource/TestDataDB
+datasource/Timestream
+datasource/X-Ray
+datasource/Zabbix
+datasource/Zipkin
+team/grafana-aws-datasources

.github/workflows/auto-triager/prompt.txt

@@ -0,0 +1,25 @@
+You are an expert Grafana issues categorizer.
+
+You are provided with a Grafana issue. Your task is to categorize the issue by analyzing the issue title and description to determine the most relevant category and type from the provided lists. Focus on precision and clarity, selecting only the most pertinent labels based on the issue details. Ensure that your selections reflect the core problem or functionality affected.
+
+The output should be a valid JSON object with the following fields:
+* id (string): The ID of the current issue.
+* categoryLabel (array of strings): The category labels for the current issue, emphasizing key terms and context.
+* typeLabel (array of strings): The type of the current issue, emphasizing clarity and relevance.
+
+**Instructions**:
+1. **Contextual Analysis**: Understand the context and intent behind the issue description. Analyze the overall narrative and relationships between different components within Grafana. Consider dependencies and related components to inform your decision.
+2. **Category and Type Differentiation**: Use language cues and patterns to differentiate between similar categories and types. Provide examples and counterexamples to clarify distinctions. Prioritize primary components over secondary ones unless they are critical to the issue.
+3. **Historical Data Utilization**: Compare current issues with past resolved issues by analyzing similarities in problem descriptions, leveraging patterns to inform categorization. Use historical data to recognize patterns and inform your decision-making.
+4. **Confidence Scoring**: Implement a confidence scoring mechanism to flag issues for review if the confidence is below a predefined threshold. Clearly indicate thresholds for high and low confidence predictions. Provide clarifying questions if data is ambiguous.
+5. **Feedback Loop Integration**: Integrate feedback from incorrect predictions to refine understanding and improve future predictions. Conduct error analysis to identify patterns in misclassifications and adapt your approach accordingly.
+6. **Semantic Analysis**: Evaluate the underlying intent of the issue using semantic analysis, considering broader implications and context. Leverage metadata or historical patterns to improve accuracy.
+7. **Avoid Over-Specification**: Maintain precision and conciseness, avoiding unnecessary details. Prioritize clarity and flag for further review if uncertain.
+8. **Consistent JSON Formatting**: Ensure the output maintains a consistent JSON structure with uniform formatting for readability and scalability.
+
+**Next Steps and Insights**:
+- Suggest potential next steps or resources that could help address the issue, providing actionable insights to enhance user engagement.
+- Regularly test responses against edge cases to ensure robustness and adaptability.
+- Stay updated with changes in category and type lists to remain current.
+
+Provide a brief explanation of the categorization decision, highlighting key terms or context that influenced the choice. Use user-centric language and technical details to ensure the explanation is comprehensive and insightful.

.github/workflows/auto-triager/types.txt

@@ -0,0 +1,30 @@
+type/accessibility
+type/angular-2-react
+type/browser-compatibility
+type/bug
+type/build-packaging
+type/chore
+type/ci
+type/cleanup
+type/codegen
+type/community
+type/debt
+type/design
+type/discussion
+type/docs
+type/duplicate
+type/e2e
+type/epic
+type/feature-request
+type/feature-toggle-enable
+type/feature-toggle-removal
+type/performance
+type/poc
+type/project
+type/proposal
+type/question
+type/refactor
+type/regression
+type/roadmap
+type/tech
+type/ux

.github/workflows/backend-code-checks.yml

@@ -0,0 +1,73 @@
+name: Backend Code Checks
+
+on:
+  pull_request:
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '*.md'
+      - 'docs/**'
+      - 'latest.json'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  validate-configs:
+    name: Validate Backend Configs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
+          # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
+          # This ensures the GHAs environment matches what we use in the Drone pipeline
+          go-version: 1.24.1
+          cache: true
+
+      - name: Verify code generation
+        run: |
+          CODEGEN_VERIFY=1 make gen-cue
+          CODEGEN_VERIFY=1 make gen-jsonnet
+      
+      - name: Validate go.mod
+        run: go run scripts/modowners/modowners.go check go.mod
+
+      # Enterprise setup is needed for complete OpenAPI spec generation
+      # We only do this for internal PRs
+      - name: Setup Grafana Enterprise
+        if: github.event.pull_request.head.repo.fork == false
+        uses: ./.github/actions/setup-enterprise
+        
+      - name: Generate and Validate OpenAPI Specs
+        run: |
+          # For PRs from forks, we'll just run the basic swagger-gen without validation
+          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
+            echo "PR is from a fork, skipping enterprise-based validation"
+            make swagger-gen
+            exit 0
+          fi
+          
+          # Clean and regenerate OpenAPI specs
+          make swagger-clean && make openapi3-gen
+          
+          # Check if the generated specs differ from what's in the repository
+          for f in public/api-merged.json public/openapi3.json; do git add $f; done
+          if [ -z "$(git diff --name-only --cached)" ]; then
+            echo "OpenAPI specs are up to date!"
+          else
+            echo "OpenAPI specs are OUT OF DATE!"
+            git diff --cached
+            echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
+            exit 1
+          fi

.github/workflows/backend-unit-tests.yml

@@ -0,0 +1,71 @@
+name: Backend Unit Tests
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+  push:
+    branches:
+      - main
+      - release-*.*.*
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+permissions: {}
+
+jobs:
+  grafana:
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
+    # the `pr-backend-unit-tests-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Grafana
+    runs-on: ubuntu-latest-8-cores
+    continue-on-error: true
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: make test-go-unit
+
+  grafana-enterprise:
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Grafana Enterprise
+    runs-on: ubuntu-latest-8-cores
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+      - name: Setup Enterprise
+        uses: ./.github/actions/setup-enterprise
+        with:
+          github-app-name: 'grafana-ci-bot'
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: make test-go-unit

.github/workflows/backport.yml

@@ -5,29 +5,28 @@ on:
       - closed
       - labeled
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   main:
     if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4 # 4.2.2
         with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          persist-credentials: false
+      - run: git config --local user.name "github-actions[bot]"
+      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
+      - run: git config --local --add --bool push.autoSetupRemote true
+      - name: Set remote URL
+        env:
+          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
       - name: Run backport
-        uses: ./actions/backport
+        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
         with:
-          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{ steps.generate_token.outputs.token }}
-          labelsToAdd: "backport"
-          title: "[{{base}}] {{originalTitle}}"
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/bump-version.yml

@@ -11,33 +11,37 @@ on:
       dry_run:
         default: false
         required: false
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  main:
+  bump-version:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Grafana
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Update package.json versions
         uses: ./pkg/build/actions/bump-version
         with:
           version: ${{ inputs.version }}
-      - if: ${{ inputs.push }}
-        name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - if: ${{ inputs.push }}
         name: Push & Create PR
+        env:
+          VERSION: ${{ inputs.version }}
+          DRY_RUN: ${{ inputs.dry_run }}
+          REF_NAME: ${{ github.ref_name }}
+          RUN_ID: ${{ github.run_id }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config --local user.name "github-actions[bot]"
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
-          git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}"
+          git checkout -b "bump-version/${RUN_ID}/${VERSION}"
           git add .
-          git commit -m "bump version ${{ inputs.version }}"
+          git commit -m "bump version ${VERSION}"
           git push
-          gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}"
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"

.github/workflows/changelog.yml

@@ -2,6 +2,10 @@ name: Generate changelog
 on:
   workflow_call:
     inputs:
+      previous_version:
+        type: string
+        required: false
+        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
       version:
         type: string
         required: true
@@ -26,6 +30,10 @@ on:
 
   workflow_dispatch:
     inputs:
+      previous_version:
+        type: string
+        required: false
+        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
       version:
         type: string
         required: true
@@ -43,15 +51,21 @@ on:
         default: false
         type: boolean
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   main:
+    env:
+      RUN_ID: ${{ github.run_id }}
+      VERSION: ${{ inputs.version }}
+      PREVIOUS_VERISON: ${{ inputs.previous_version }}
+      TARGET: ${{ inputs.target }}
+      DRY_RUN: ${{ inputs.dry_run }}
     runs-on: ubuntu-latest
     permissions:
+      id-token: write
       contents: write
+      pull-requests: write
     steps:
       - name: "Generate token"
         id: generate_token
@@ -71,6 +85,7 @@ jobs:
             .prettierrc.js
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -81,11 +96,12 @@ jobs:
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
           git config --local --add --bool push.autoSetupRemote true
       - name: "Create branch"
-        run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}"
+        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
       - name: "Generate changelog"
         id: changelog
-        uses: ./.github/workflows/actions/changelog
+        uses: ./.github/actions/changelog
         with:
+          previous: ${{ inputs.previous_version }}
           github_token: ${{ steps.generate_token.outputs.token }}
           target: v${{ inputs.version }}
           output_file: changelog_items.md
@@ -94,24 +110,24 @@ jobs:
           # Prepare CHANGELOG.md content with version delimiters
           (
             echo
-            echo "# ${{ inputs.version}} ($(date '+%F'))"
+            echo "# ${VERSION} ($(date '+%F'))"
             echo
             cat changelog_items.md
           ) > CHANGELOG.part
 
           # Check if a version exists in the changelog
-          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
+          if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
             # Replace the content between START and END delimiters
-            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
+            echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
+            sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
+                   -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
           else
             # Prepend changelog part to the main changelog file
-            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
+            echo "Version $VERSION not found in the CHANGELOG.md"
             (
-              echo "<!-- ${{ inputs.version }} START -->"
+              echo "<!-- ${VERSION} START -->"
               cat CHANGELOG.part
-              echo "<!-- ${{ inputs.version }} END -->"
+              echo "<!-- ${VERSION} END -->"
               cat CHANGELOG.md
             ) > CHANGELOG.tmp
             mv CHANGELOG.tmp CHANGELOG.md
@@ -129,11 +145,11 @@ jobs:
       - name: "Create changelog PR"
         run: >
           gh pr create \
-            --dry-run=${{ inputs.dry_run }} \
+            --dry-run=${DRY_RUN} \
             --label "no-backport" \
             --label "no-changelog" \
-            -B "${{ inputs.target }}" \
-            --title "Release: update changelog for ${{ inputs.version }}" \
-            --body "Changelog changes for release ${{ inputs.version }}"
+            -B "${TARGET}" \
+            --title "Release: update changelog for ${VERSION}" \
+            --body "Changelog changes for release ${VERSION}"
         env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/close-milestone.yml

@@ -1,44 +0,0 @@
-name: Close milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: Needs to match, exactly, the name of a milestone
-  workflow_call:
-    inputs:
-      version_call:
-        description: Needs to match, exactly, the name of a milestone
-        required: true
-        type: string
-
-jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Close milestone (manually invoked)
-        if: ${{ github.event.inputs.version != '' }}
-        uses: ./actions/close-milestone
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Close milestone (workflow invoked)
-        if: ${{ inputs.version_call != '' }}
-        uses: ./actions/close-milestone
-        with:
-          version_call: ${{ inputs.version_call }}
-          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/codeowners-validator.yml

@@ -10,8 +10,10 @@ jobs:
     steps:
       # Checks-out your repository, which is validated in the next step
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: GitHub CODEOWNERS Validator
-        uses: mszostok/codeowners-validator@v0.7.4
+        uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
         # input parameters
         with:
           # ==== GitHub Auth ====

.github/workflows/codeql-analysis.yml

@@ -3,18 +3,19 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL"
+name: "CodeQL checks"
 
 on:
   workflow_dispatch:
   push:
-    branches: [main, v1.8.x, v2.0.x, v2.1.x, v2.6.x, v3.0.x, v3.1.x, v4.0.x, v4.1.x, v4.2.x, v4.3.x, v4.4.x, v4.5.x, v4.6.x, v4.7.x, v5.0.x, v5.1.x, v5.2.x, v5.3.x, v5.4.x, v6.0.x, v6.1.x, v6.2.x, v6.3.x, v6.4.x, v6.5.x, v6.6.x, v6.7.x, v7.0.x, v7.1.x, v7.2.x]
+    branches: ['**'] # run on all branches
     paths-ignore:
       - '**/*.cue'
       - '**/*.json'
       - '**/*.md'
       - '**/*.txt'
       - '**/*.yml'
+      - pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
   schedule:
     - cron: '0 4 * * 6'
 
@@ -25,6 +26,7 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    continue-on-error: true # doesn't block PRs from being merged if this fails
     if: github.repository == 'grafana/grafana'
 
     strategy:
@@ -43,16 +45,17 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     - if: matrix.language == 'go'
       name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
         go-version-file: go.mod
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -67,4 +70,4 @@ jobs:
         make build-go
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/commands.yml

@@ -1,11 +1,19 @@
 name: Run commands when issues are labeled or comments added
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
 on:
   issues:
     types: [labeled, unlabeled]
   issue_comment:
     types: [created]
+
 concurrency:
   group: issue-commands-${{ github.event.issue.number }}
+
+permissions: {}
+
 jobs:
   config:
     runs-on: "ubuntu-latest"
@@ -16,7 +24,7 @@ jobs:
         id: check
         shell: bash
         run: |
-          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '' && secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then
+          if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then
             echo "has-secrets=1" >> "$GITHUB_OUTPUT"
           fi
 
@@ -24,18 +32,39 @@ jobs:
     needs: config
     if: needs.config.outputs.has-secrets
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
+
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run Commands
         uses: ./actions/commands
         with:
           metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.ISSUE_COMMANDS_TOKEN}}
+          token: ${{ steps.generate_token.outputs.token }}
           configPath: commands

.github/workflows/community-release.yml

@@ -36,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main
+        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}

.github/workflows/core-plugins-build-and-release.yml

@@ -33,6 +33,8 @@ permissions:
 
 jobs:
   build-and-publish:
+    env:
+      PLUGIN_ID: ${{ inputs.plugin_id }}
     name: Build and publish ${{ inputs.plugin_id }}
     runs-on: ubuntu-latest
     outputs:
@@ -42,11 +44,13 @@ jobs:
     steps:
       - name: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Verify inputs
         run: |
-          if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
       - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
         with:
           # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
           repo_secrets: |
@@ -54,11 +58,11 @@ jobs:
             PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
             PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
       - name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
         with:
           credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
       - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -70,7 +74,7 @@ jobs:
         run: |
           dir=$(dirname \
             $(egrep -lir --include=plugin.json --exclude-dir=dist \
-              '"id": "${{ inputs.plugin_id }}"' \
+              '"id": "${PLUGIN_ID}"' \
               public/app/plugins \
             ) \
           )
@@ -85,19 +89,19 @@ jobs:
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
           [ ! -d ./bin ] && mkdir -pv ./bin || true
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
           chmod 0755 ./bin/grabpl
       - name: Check backend
         id: check_backend
         shell: bash
         run: |
-          if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then
+          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
             echo "has_backend=true" >> $GITHUB_OUTPUT
           else
             echo "has_backend=false" >> $GITHUB_OUTPUT
           fi
       - name: Setup golang environment
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
         if: steps.check_backend.outputs.has_backend == 'true'
         with:
           go-version-file: go.mod
@@ -151,7 +155,7 @@ jobs:
             # Release branch, do not add commit hash to version
             command="plugin:build"
           fi
-          yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}"
+          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
           version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
           echo "version=${version}" >> $GITHUB_OUTPUT
       - name: build:backend
@@ -160,7 +164,7 @@ jobs:
         env:
           VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
-          make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }}
+          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
       - name: package
         working-directory: ${{ steps.get_dir.outputs.dir }}
         run: |
@@ -175,7 +179,7 @@ jobs:
           VERSION: ${{ steps.build_frontend.outputs.version }}  
         run: |
           api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            '${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \
+            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
             -H 'accept: application/json')
           api_res_code=$(echo $api_res | jq -r .code)
           if [ "$api_res_code" = "NotFound" ]; then
@@ -197,10 +201,10 @@ jobs:
         run: |
           echo "Publish release to Google Cloud Storage:"
           touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows
-          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux 
-          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin
-          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any
+          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
+          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
+          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
+          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
       - name: Publish new plugin version on grafana.com
         if: steps.check_backend.outputs.has_backend == 'true'
         working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -214,27 +218,27 @@ jobs:
             \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
             \"download\": {
               \"linux-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
               },
               \"linux-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
               },
               \"linux-arm\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
                 \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
               },
               \"windows-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
               },
               \"darwin-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
                 \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
               },
               \"darwin-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
                 \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
               }
             }
@@ -257,7 +261,7 @@ jobs:
             \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
             \"download\": {
               \"any\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
                 \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
               }
             }

.github/workflows/create-next-release-branch.yml

@@ -0,0 +1,53 @@
+name: Create next release branch
+on:
+  workflow_call:
+    inputs:
+      ownerRepo:
+        type: string
+        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
+        required: true
+      source:
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
+        type: string
+        required: true
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
+    outputs:
+      branch:
+        description: The new branch that was created
+        value: ${{ jobs.main.outputs.branch }}
+  workflow_dispatch:
+    inputs:
+      ownerRepo:
+        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
+      source:
+        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
+        type: string
+        required: true
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    outputs:
+      branch: ${{ steps.branch.outputs.branch }}
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Create release branch
+        id: branch
+        uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
+        with:
+          ownerRepo: ${{ inputs.ownerRepo }}
+          source: ${{ inputs.source }}
+          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/create-security-patch-from-security-mirror.yml

@@ -11,12 +11,13 @@ on:
     branches:
       - "main"
       - "v*.*.*"
+      - "release-*.*.*"
 
 # This is run before the pull request has been merged, so we'll run against the src branch
 jobs:
   trigger_downstream_create_security_patch:
     concurrency: create-patch-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
+    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
     if: github.repository == 'grafana/grafana-security-mirror'
     with:
       repo: "${{ github.repository }}"
@@ -24,5 +25,4 @@ jobs:
       patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
       patch_repo: "grafana/grafana-security-patches"
       patch_prefix: "${{ github.event.pull_request.number }}"
-    secrets: inherit
-
+    secrets: inherit # zizmor: ignore[secrets-inherit]

.github/workflows/dashboards-issue-add-label.yml

@@ -3,8 +3,11 @@ on:
   issues:
     types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
 
+permissions:
+  contents: read
+  id-token: write
+
 env:
-  GITHUB_TOKEN: ${{ secrets.ISSUE_COMMANDS_TOKEN }}
   ORGANIZATION: ${{ github.repository_owner }}
   REPO: ${{ github.event.repository.name }}
   TARGET_PROJECT: 202
@@ -13,32 +16,35 @@ env:
 concurrency:
   group: issue-label-when-in-project-${{ github.event.number }}
 jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
   main:
-    needs: config
-    if: needs.config.outputs.has-secrets
+    if: github.repository == 'grafana/grafana'
     runs-on: ubuntu-latest
     steps:
-      - name: log in
-        run: gh api user -q .login
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
       - name: Check if issue is in target project
+        env:
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
         run: |
           gh api graphql -f query='
             query($org: String!, $repo: String!) {
               repository(name: $repo, owner: $org) {
-                issue (number: ${{ github.event.issue.number }}) {
+                issue (number: $ISSUE_NUMBER) {
                   id
                   projectItems(first:20) {
                     nodes {
@@ -51,17 +57,22 @@ jobs:
               }
             }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
 
-            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.TARGET_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
             echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
       - name: Set up label array
         if: env.IN_TARGET_PROJ
+        env:
+          LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
-          IFS=',' read -ra LABEL_IDs <<< "${{ env.LABEL_IDs }}"
+          IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
           for item in "${LABEL_IDs[@]}"; do
             echo "Item: $item"
           done
       - name: Add label to issue
         if: env.IN_TARGET_PROJ
+        env:
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          LABEL_IDS: ${{ env.LABEL_IDS }}
         run: |
           gh api graphql -f query='
             mutation ($labelableId: ID!, $labelIds: [ID!]!) {
@@ -70,4 +81,4 @@ jobs:
               ) {
                   clientMutationId
               }
-            }' -f labelableId=$ITEM_ID -f labelIds=${{ env.LABEL_IDs }}
+            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS

.github/workflows/deploy-pr-preview.yml

@@ -0,0 +1,31 @@
+name: Deploy pr preview
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - closed
+    paths:
+      - "docs/sources/**"
+
+jobs:
+  deploy-pr-preview:
+    if: "!github.event.pull_request.head.repo.fork"
+    uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
+    with:
+      branch: ${{ github.head_ref }}
+      event_number: ${{ github.event.number }}
+      repo: grafana
+      sha: ${{ github.event.pull_request.head.sha }}
+      sources: |
+        [
+          {
+            "index_file": "content/docs/grafana/_index.md",
+            "relative_prefix": "/docs/grafana/latest/",
+            "repo": "grafana",
+            "source_directory": "docs/sources",
+            "website_directory": "content/docs/grafana/latest"
+          }
+        ]
+      title: ${{ github.event.pull_request.title }}

.github/workflows/detect-breaking-changes-levitate.yml

@@ -2,6 +2,12 @@
 ---
 name: Levitate / Detect breaking changes in PR
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 on:
   pull_request:
     paths:
@@ -11,23 +17,27 @@ on:
 
 jobs:
   buildPR:
-    name: Build PR
+    name: Build PR packages artifacts
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: './pr'
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
         with:
           path: './pr'
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.9.0
+          node-version: 22.11.0
 
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
 
       - name: Restore yarn cache
         uses: actions/cache@v4
@@ -57,8 +67,11 @@ jobs:
           path: './pr/pr_built_packages.zip'
 
   buildBase:
-    name: Build Base
+    name: Build Base packages artifacts
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     defaults:
       run:
         working-directory: './base'
@@ -71,11 +84,11 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.9.0
+          node-version: 22.11.0
 
       - name: Get yarn cache directory path
         id: yarn-cache-dir-path
-        run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
+        run: echo "dir=$(yarn config get cacheFolder)" >> "$GITHUB_OUTPUT"
 
       - name: Restore yarn cache
         uses: actions/cache@v4
@@ -105,7 +118,7 @@ jobs:
           path: './base/base_built_packages.zip'
 
   Detect:
-    name: Detect breaking changes
+    name: Detect breaking changes between PR and base
     runs-on: ubuntu-latest
     needs: ['buildPR', 'buildBase']
     env:
@@ -118,7 +131,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20.9.0
+          node-version: 22.11.0
 
       - name: Get built packages from pr
         uses: actions/download-artifact@v4
@@ -137,48 +150,29 @@ jobs:
         run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip
 
       - id: 'auth'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
         with:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.LEVITATE_SA }}
+          project_id: 'grafanalabs-global'
 
       - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
         with:
           version: '>= 363.0.0'
           project_id: 'grafanalabs-global'
           install_components: 'bq'
 
-        # This step is needed to generate a detailed levitate report
-      - name: Set up gcloud project
-        run: |
-          unset CLOUDSDK_CORE_PROJECT
-          unset GCLOUD_PROJECT
-          unset GCP_PROJECT
-          unset GOOGLE_CLOUD_PROJECT
-
-          gcloud config set project grafanalabs-global
-
-      - name: Get link for the Github Action job
-        id: job
-        uses: actions/github-script@v6
-        with:
-          script: |
-              const name = 'Detect breaking changes';
-              const script = require('./.github/workflows/scripts/pr-get-job-link.js')
-              await script({name, github, context, core})
-
       - name: Detect breaking changes
         id: breaking-changes
         run: ./scripts/check-breaking-changes.sh
         env:
           FORCE_COLOR: 3
-          GITHUB_JOB_LINK: ${{ steps.job.outputs.link }}
 
       - name: Persisting the check output
         run: |
             mkdir -p ./levitate
-            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"job_link\": \"${{ steps.job.outputs.link }}#step:${GITHUB_STEP_NUMBER}:1\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json
+            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json
 
       - name: Upload check output as artifact
         uses: actions/upload-artifact@v4
@@ -188,9 +182,12 @@ jobs:
 
 
   Report:
-    name: Report breaking changes in PR
+    name: Report breaking changes in PR comment
     runs-on: ubuntu-latest
     needs: ['Detect']
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: "Generate token"
@@ -224,15 +221,12 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
         with:
           script: |
-            const { data } = await github.rest.issues.listLabelsOnIssue({
-              issue_number: process.env.PR_NUMBER,
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
             });
-            const labels = data.map(({ name }) => name);
-            const doesExist = labels.includes('levitate breaking change');
-
-            return doesExist ? 1 : 0;
+            return labels.some(label => label.name === 'levitate breaking change') ? 1 : 0
 
       # put the markdown into a variable
       - name: Levitate Markdown
@@ -243,16 +237,16 @@ jobs:
               echo 'levitate_markdown<<EOF'
               cat levitate.md
               echo EOF
-            } >> $GITHUB_OUTPUT
+            } >> "$GITHUB_OUTPUT"
             else
-              echo "levitate_markdown=No breaking changes detected" >> $GITHUB_OUTPUT
+              echo "levitate_markdown=No breaking changes detected" >> "$GITHUB_OUTPUT"
             fi
 
 
       # Comment on the PR
       - name: Comment on PR
         if: steps.levitate-run.outputs.exit_code == 1
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
         with:
           header: levitate-breaking-change-comment
           number: ${{ github.event.pull_request.number }}
@@ -262,36 +256,55 @@ jobs:
             ${{ steps.levitate-markdown.outputs.levitate_markdown }}
 
             [Read our guideline](https://github.com/grafana/grafana/blob/main/contribute/breaking-changes-guide/breaking-changes-guide.md)
-            [Console output](${{ steps.levitate-run.outputs.job_link }})
+
+            * Your pull request merge won't be blocked.
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       # Remove comment from the PR (no more breaking changes)
       - name: Remove comment from PR
         if: steps.levitate-run.outputs.exit_code == 0
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
         with:
           header: levitate-breaking-change-comment
           number: ${{ github.event.pull_request.number }}
           delete: true
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
-      # Posts a notification to Slack if a PR has a breaking change and it did not have a breaking change before
-      - name: Post to Slack
+      - name: Send Slack Message via Payload
         id: slack
-        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && env.HAS_SECRETS
-        uses: slackapi/slack-github-action@v1.26.0
+        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && github.repository == 'grafana/grafana'
+        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
         with:
-          payload: |
+          channel-id: "C031SLFH6G0"
+          payload:  |
             {
-              "pr_link": "https://github.com/grafana/grafana/pull/${{ steps.levitate-run.outputs.pr_number }}",
-              "pr_number": "${{ steps.levitate-run.outputs.pr_number }}",
-              "job_link": "${{ steps.levitate-run.outputs.job_link }}",
-              "reporting_job_link": "${{ github.event.workflow_run.html_url }}",
-              "message": "${{ steps.levitate-run.outputs.message }}"
+              "channel": "C031SLFH6G0",
+              "text": ":warning: Possible breaking changes detected in *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :warning:",
+              "icon_emoji": ":grot:",
+              "username": "Levitate Bot",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "*grafana/grafana* repository has possible breaking changes"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>"
+                    }
+                  ]
+                }
+              ]
             }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_LEVITATE_WEBHOOK_URL }}
-          HAS_SECRETS: ${{ (github.repository == 'grafana/grafana' || secrets.SLACK_LEVITATE_WEBHOOK_URL != '') || '' }}
 
       # Add the label
       - name: Add "levitate breaking change" label
@@ -362,5 +375,10 @@ jobs:
             });
 
       - name: Exit
-        run: exit ${{ steps.levitate-run.outputs.exit_code }}
+        run: |
+          if [ "${{ steps.levitate-run.outputs.exit_code }}" -ne 0 ]; then
+            echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
+          fi
+
+          exit ${{ steps.levitate-run.outputs.exit_code }}
         shell: bash

.github/workflows/doc-validator.yml

@@ -1,29 +0,0 @@
-name: "doc-validator"
-on:
-  pull_request:
-    paths: ["docs/sources/**"]
-  workflow_dispatch:
-jobs:
-  doc-validator:
-    runs-on: "ubuntu-latest"
-    container:
-      image: "grafana/doc-validator:v5.0.0"
-    steps:
-      - name: "Checkout code"
-        uses: "actions/checkout@v4"
-      - name: "Run doc-validator tool"
-        # Only run doc-validator on specific directories.
-        run: >
-          doc-validator
-          '--include=^docs/sources/(?:alerting|fundamentals|getting-started|introduction|setup-grafana|upgrade-guide|whatsnew/whats-new-in-v(?:9|10))/.+\.md$'
-          '--skip-checks=^(?:image.+|canonical-does-not-match-pretty-URL)$'
-          ./docs/sources
-          /docs/grafana/latest
-          | reviewdog
-          -f=rdjsonl
-          --fail-on-error
-          --filter-mode=nofilter
-          --name=doc-validator
-          --reporter=github-pr-review
-        env:
-          REVIEWDOG_GITHUB_API_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/documentation-ci.yml

@@ -0,0 +1,19 @@
+name: Documentation CI
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["docs/sources/**"]
+  workflow_dispatch:
+jobs:
+  vale:
+    runs-on: ubuntu-latest
+    container:
+      image: grafana/vale:latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
+        with:
+          filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ephemeral-instances-pr-comment.yml

@@ -47,6 +47,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
           ref: main
           path: ephemeral
+          persist-credentials: false
 
       - name: build and deploy ephemeral instance
         uses: ./ephemeral

.github/workflows/epic-add-to-platform-ux-parent-project.yml

@@ -1,149 +0,0 @@
-name: When epic issues changed in Platform UX squad projects, check if epic is part of specified child projects and update on Platform UX parent project
-
-on:
-  issues:
-    types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
-    labels:
-      - 'type/epic'
-
-env:
-  GH_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
-  ORGANIZATION: ${{ github.repository_owner }}
-  REPO: ${{ github.event.repository.name }}
-  PARENT_PROJECT: 304
-  CHILD_PROJECT_1: 78
-  CHILD_PROJECT_2: 111
-  CHILD_PROJECT_3: 202
-
-concurrency:
-  group: issue-add-to-parent-project-${{ github.event.number }}
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GH_BOT_PROJECTS_ACCESS_TOKEN != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets && contains(github.event.issue.labels.*.name, 'type/epic')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check if issue is in child or parent projects
-        run: |
-          gh api graphql -f query='
-            query($org: String!, $repo: String!) {
-              repository(name: $repo, owner: $org) {
-                issue (number: ${{ github.event.issue.number }}) {
-                  projectItems(first:20) {
-                    nodes {
-                      id,
-                      project {
-                        number,
-                        title
-                      },
-                      fieldValueByName(name:"Status") {
-                        ... on ProjectV2ItemFieldSingleSelectValue {
-                          optionId
-                          name
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
-
-            echo 'IN_PARENT_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
-            echo 'PARENT_PROJ_STATUS_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | select(.fieldValueByName != null) | .fieldValueByName.optionId' projects_data.json) >> $GITHUB_ENV
-            echo 'ITEM_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .id' projects_data.json) >> $GITHUB_ENV
-            echo 'IN_CHILD_PROJ='$(jq 'first(.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | .project != null)' projects_data.json) >> $GITHUB_ENV
-            echo 'CHILD_PROJ_STATUS='$(jq -r '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | select(.fieldValueByName != null) | .fieldValueByName.name' projects_data.json) >> $GITHUB_ENV
-      - name: Get parent project project data
-        if: env.IN_CHILD_PROJ
-        run: |
-          gh api graphql -f query='
-            query($org: String!, $number: Int!) {
-              organization(login: $org){
-                projectV2(number: $number) {
-                  id
-                  fields(first:20) {
-                    nodes {
-                      ... on ProjectV2Field {
-                        id
-                        name
-                      }
-                      ... on ProjectV2SingleSelectField {
-                        id
-                        name
-                        options {
-                          id
-                          name
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            }' -f org=$ORGANIZATION -F number=$PARENT_PROJECT > project_data.json
-
-          echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
-          echo 'STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' project_data.json) >> $GITHUB_ENV
-          echo 'TODO_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Todo") |.id' project_data.json) >> $GITHUB_ENV
-          echo 'PROGRESS_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="In Progress") |.id' project_data.json) >> $GITHUB_ENV
-          echo 'DONE_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Done") |.id' project_data.json) >> $GITHUB_ENV
-      - name: Add issue to parent project
-        if: env.IN_CHILD_PROJ && !env.IN_PARENT_PROJ
-        run: |
-          item_id="$( gh api graphql -f query='
-            mutation($project:ID!, $issue:ID!) {
-              addProjectV2ItemById(input: {projectId: $project, contentId: $issue}) {
-                item {
-                  id
-                }
-              }
-            }' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
-
-            echo 'ITEM_ID='$item_id >> $GITHUB_ENV
-      - name: Set parent project status Done
-        if: contains(env.CHILD_PROJ_STATUS, 'Done')
-        run: |
-          echo 'OPTION_ID='$DONE_OPTION_ID >> $GITHUB_ENV
-      - name: Set parent project status In Progress
-        if: contains(env.CHILD_PROJ_STATUS, 'In ') || contains(env.CHILD_PROJ_STATUS, 'Blocked')
-        run: |
-          echo 'OPTION_ID='$PROGRESS_OPTION_ID >> $GITHUB_ENV
-      - name: Set parent project status To do
-        if: env.CHILD_PROJ_STATUS && !contains(env.CHILD_PROJ_STATUS, 'In ') && !contains(env.CHILD_PROJ_STATUS, 'Blocked') && ! contains(env.CHILD_PROJ_STATUS, 'Done')
-        run: |
-          echo 'OPTION_ID='$TODO_OPTION_ID >> $GITHUB_ENV
-      - name: Set issue status in parent project
-        if: env.OPTION_ID && (env.OPTION_ID != env.PARENT_PROJ_STATUS_ID)
-        run: |
-          gh api graphql -f query='
-            mutation (
-              $project: ID!
-              $item: ID!
-              $status_field: ID!
-              $status_value: String!
-            ) {
-              set_status: updateProjectV2ItemFieldValue(input: {
-                projectId: $project
-                itemId: $item
-                fieldId: $status_field
-                value: {
-                  singleSelectOptionId: $status_value
-                  }
-              }) {
-                projectV2Item {
-                  id
-                  }
-              }
-            }' -f project=$PROJECT_ID -f item=$ITEM_ID -f status_field=$STATUS_FIELD_ID -f status_value=${{ env.OPTION_ID }} --silent

.github/workflows/feature-toggles-ci.yml

@@ -0,0 +1,25 @@
+name: Feature toggles CI
+
+on:
+  pull_request:
+    paths:
+      - 'pkg/services/featuremgmt/toggles_gen_test.go'
+      - 'pkg/services/featuremgmt/registry.go'
+      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Run feature toggle tests
+        run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/

.github/workflows/frontend-lint.yml

@@ -0,0 +1,133 @@
+name: Lint Frontend
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+permissions: {}
+
+jobs:
+  lint-frontend-verify-i18n:
+    name: Verify i18n
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: |
+        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
+        make i18n-extract || (echo "${extract_error_message}" && false)
+    - run: |
+        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
+        file_diff=$(git diff --dirstat public/locales)
+        if [ -n "$file_diff" ]; then
+            echo $file_diff
+            echo "${uncommited_error_message}"
+            exit 1
+        fi
+  lint-frontend-prettier:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-prettier-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-prettier-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-typecheck:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-typecheck-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-typecheck-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Typecheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run typecheck
+  lint-frontend-betterer:
+    permissions:
+      contents: read
+      id-token: write
+    name: Betterer
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run betterer:ci

.github/workflows/github-release.yml

@@ -8,7 +8,7 @@ on:
         type: string
       latest:
         required: false
-        default: false
+        default: "0"
         description: Mark this release as latest (`1`) or not (`0`, default)
         type: string
       dry_run:
@@ -23,6 +23,7 @@ on:
         type: string
       latest:
         required: false
+        default: "0"
         description: Mark this release as latest (`1`) or not (`0`, default)
         type: string
       dry_run:
@@ -39,7 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Create GitHub release (manually invoked)
-        uses: grafana/grafana-github-actions-go/github-release@main
+        uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           version: ${{ inputs.version }}

.github/workflows/go-lint.yml

@@ -3,7 +3,7 @@ on:
   push:
     paths:
       - pkg/**
-      - .github/workflows/go_lint.yml
+      - .github/workflows/go-lint.yml
       - go.*
     branches:
       - main
@@ -17,16 +17,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@v5
         with:
           go-version-file: ./go.mod
-      - run: CODEGEN_VERIFY=1 make gen-cue
       - run: make gen-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
         with:
-          version: v1.59.1
+          version: v2.0.2
           args: |
-            --config .golangci.toml --max-same-issues=0 --max-issues-per-linter=0 --verbose $(./scripts/go-workspace/golangci-lint-includes.sh) 
-          skip-cache: true
+            --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
           install-mode: binary

.github/workflows/i18n-crowdin-create-tasks.yml

@@ -0,0 +1,27 @@
+name: Crowdin Create Tasks
+
+on:
+  workflow_dispatch:
+  # schedule:
+  #   - cron: "0 0 * * *"
+
+jobs:
+  create-tasks-in-crowdin:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Create tasks
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+        run: node ./.github/workflows/scripts/crowdin/create-tasks.js

.github/workflows/i18n-crowdin-download.yml

@@ -3,7 +3,7 @@ name: Crowdin Download Action
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 * * * *"
+    - cron: "0 0 * * *"
 
 jobs:
   download-sources-from-crowdin:
@@ -12,12 +12,9 @@ jobs:
     permissions:
       contents: write # needed to commit changes into the PR
       pull-requests: write # needed to update PR description, labels, etc
+      id-token: write # needed to get vault secrets
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.head_ref }}
-
       - name: Generate token
         id: generate_token
         uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
@@ -25,9 +22,15 @@ jobs:
           app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
           private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
 
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+
       - name: Download sources
         id: crowdin-download
-        uses: crowdin/github-action@v1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
         with:
           upload_sources: false
           upload_translations: false
@@ -40,17 +43,11 @@ jobs:
           pull_request_body:  |
             :robot: Automatic download of translations from Crowdin.
 
-            Steps for merging:
-              1. A quick sanity check of the changes and approve. Things to look out for:
-                - No changes in the English file. The source of truth is in the main branch, NOT in Crowdin.
-                - Translations maybe be removed if the English phrase was removed, but there should not be many of these
-                - Anything else that looks 'funky'. Ask if you're not sure.
-              2. Approve & (Auto-)merge. :tada:
+            This runs once per day and will merge automatically if all the required checks pass.
 
-            If there's a conflict, close the pull request and **delete the branch**. A GH action will recreate the pull request.
-            Remember, the longer this pull request is open, the more likely it is that it'll get conflicts.
+            If there's a conflict, close the pull request and **delete the branch**.
+            You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
           pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
-          pull_request_reviewers: 'grafana-frontend-platform'
           pull_request_base_branch_name: 'main'
           base_url: 'https://grafana.api.crowdin.com'
           config: 'crowdin.yml'
@@ -76,7 +73,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Get project board ID
-        uses: octokit/graphql-action@v2.x
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
         id: get-project-id
         if: steps.crowdin-download.outputs.pull_request_url
         with:
@@ -96,7 +93,7 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Add to project board
-        uses: octokit/graphql-action@v2.x
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
         if: steps.crowdin-download.outputs.pull_request_url
         with:
           projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@@ -113,8 +110,50 @@ jobs:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
 
       - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main
+        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
         if: steps.crowdin-download.outputs.pull_request_url
         with:
           pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
           token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Get vault secrets
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
+          repo_secrets: |
+            GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
+            GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
+
+      - name: Generate approver token
+        if: steps.crowdin-download.outputs.pull_request_url
+        id: generate_approver_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
+          private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
+
+      - name: Approve and automerge PR
+        if: steps.crowdin-download.outputs.pull_request_url
+        shell: bash
+        # Only approve if:
+        # - the PR does not modify files other than json files under the public/locales/ directory
+        # - the PR does not modify the en-US locale
+        run: |
+          filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
+
+          if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
+            echo "Non-i18n changes detected, not approving"
+            exit 1
+          fi
+
+          if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
+            echo "public/locales/en-US changes detected, not approving"
+            exit 1
+          fi
+
+          echo "Approving and enabling automerge"
+          gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
+          gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}

.github/workflows/i18n-crowdin-upload.yml

@@ -15,9 +15,11 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Upload sources
-        uses: crowdin/github-action@v1
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
         with:
           upload_sources: true
           upload_sources_args: '--dest=public/locales/en-US/grafana.json'

.github/workflows/issue-labeled.yml

@@ -1,99 +0,0 @@
-name: Notify Slack channel based on new issue label
-
-on:
-  issues:
-    types: [labeled]
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.SLACK_WEBHOOK_URL != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  notify:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Download teams.yml to know which label is for which team"
-        run: wget https://raw.githubusercontent.com/grafana/grafana/main/.github/teams.yml
-
-      - name: "Determine which team to notify"
-        run: |
-          # Default to null values.
-          CHANNEL="null"
-          TEAM="null"
-
-          echo "${{ github.event.label.name }} label added"
-          export CURRENT_LABEL="${{ github.event.label.name }}" # Enable the use of the label in yq evaluations
-          # yq is installed by default in ubuntu-latest
-          if [[ $(yq e 'keys | .[] | select(. == env(CURRENT_LABEL))' teams.yml ) ]]; then
-            # Check if we have a channel set to notify on comments.
-            if [[ $(yq '.[env(CURRENT_LABEL)] | has("channel-label")' teams.yml ) == true ]]; then
-              CHANNEL=$(yq '.[env(CURRENT_LABEL)].channel-label' teams.yml)
-              echo "Ready to send issue to channel ID ${CHANNEL}"
-            fi
-
-            if [[ $(yq '.[env(CURRENT_LABEL)] | has("exclude-github-team")' teams.yml ) == true ]]; then
-              TEAM=$(yq '.[env(CURRENT_LABEL)].exclude-github-team' teams.yml)
-              echo "Will not send issue to channel if issue author is part of the team ${TEAM}"
-            fi
-          fi
-
-          # set environment for next steps
-          echo "CHANNEL=${CHANNEL}" >> $GITHUB_ENV
-          echo "TEAM=${TEAM}" >> $GITHUB_ENV
-
-      - name: "Prepare payload"
-        uses: frabert/replace-string-action@v2.5
-        id: preparePayload
-        with:
-          # replace double quotes with single quotes to avoid breaking the JSON payload sent to Slack
-          string: ${{ github.event.issue.title }}
-          pattern: '"'
-          replace-with: "'"
-          flags: 'g'
-
-      - name: Get Token
-        id: get_workflow_token
-        uses: peter-murray/workflow-application-token-action@v3
-        with:
-          application_id: ${{ secrets.APP_GRAFANA_TEAM_CHECKER_ID }}
-          application_private_key: ${{ secrets.APP_GRAFANA_TEAM_CHECKER_KEY }}
-
-      - name: "Check that issue author is not part of the team"
-        if: ${{ env.TEAM != 'null' }}
-        run: |
-          response=$(gh api /orgs/grafana/teams/${{ env.TEAM }}/memberships/${{ github.event.issue.user.login }} -i -H "Accept: application/vnd.github.v3+json")
-          STATUS_CODE=$(echo "$response" | head -n 1 | cut -d' ' -f2)
-          if [ "$status_code" -eq 404 ]; then
-            echo "The user was not found in the team."
-            echo "USER_FOUND=false" >> $GITHUB_ENV
-          else
-            echo "The user was potentially found in the team"
-            echo "USER_FOUND=maybe" >> $GITHUB_ENV
-          fi
-        env:
-          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
-
-      - name: "Send Slack notification"
-        if: ${{ (env.CHANNEL != 'null') && ((env.USER_FOUND == 'false') || (env.TEAM != 'null')) }}
-        uses: slackapi/slack-github-action@v1.26.0
-        with:
-          payload: >
-            {
-              "icon_emoji": ":grafana:",
-              "username": "Grafana issue labeled",
-              "text": "Issue \"${{ steps.preparePayload.outputs.replaced }}\" labeled \"${{ github.event.label.name }}\": ${{ github.event.issue.html_url }}, please triage.",
-              "channel": "${{ env.CHANNEL }}"
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/issue-opened.yml

@@ -1,28 +1,118 @@
 name: Run commands when issues are opened
+
+# important: this workflow uses a github app that is strictly limited
+# to issues. If you want to change the triggers for this workflow,
+# please review if the permissions are still sufficient.
 on:
   issues:
     types: [opened]
+
 concurrency:
   group: issue-opened-${{ github.event.issue.number }}
+
+permissions: {}
+
 jobs:
   main:
     runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
+    permissions:
+      contents: read
+      id-token: write
     steps:
+
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
+
       - name: Install Actions
         run: npm install --production --prefix ./actions
+
       # give issue-openers a chance to add labels after submit
       - name: Sleep for 2 minutes
         run: sleep 2m
         shell: bash
+
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
+          repo_secrets: |
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
       - name: Run Commands
         uses: ./actions/commands
         with:
           metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
-          token: ${{secrets.ISSUE_COMMANDS_TOKEN}}
+          token: ${{ steps.generate_token.outputs.token }}
           configPath: "issue-opened"
+
+  auto-triage:
+    needs: [main]
+    permissions:
+      contents: read
+      id-token: write
+    if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
+          repo_secrets: |
+            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
+            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
+      - name: Checkout
+        uses: actions/checkout@v4 # v4.2.2
+
+      - name: Send issue to the auto triager action
+        id: auto_triage
+        uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          issue_number: ${{ github.event.issue.number }}
+          openai_api_key: ${{ env.AUTOTRIAGER_OPENAI_API_KEY }}
+          add_labels: true
+          labels_file: ${{ github.workspace }}/.github/workflows/auto-triager/labels.txt
+          types_file: ${{ github.workspace }}/.github/workflows/auto-triager/types.txt
+          prompt_file: ${{ github.workspace }}/.github/workflows/auto-triager/prompt.txt
+
+      - name: "Send Slack notification"
+        if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
+        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        with:
+          payload: >
+            {
+              "icon_emoji": ":robocto:",
+              "username": "Auto Triager",
+              "type": "mrkdwn",
+              "text": "Auto triager found the following labels: ${{ steps.auto_triage.outputs.triage_labels }} for issue ${{ github.event.issue.html_url }}",
+              "channel": "#triage-automation-ci"
+            }
+        env:
+          SLACK_WEBHOOK_URL:  ${{ env.AUTOTRIAGER_SLACK_WEBHOOK_URL }}

.github/workflows/lint-build-docs.yml

@@ -0,0 +1,62 @@
+name: Documentation
+
+on:
+  pull_request:
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+  push:
+    branches:
+      - main
+    paths:
+      - '*.md'
+      - 'docs/**'
+      - 'packages/**/*.md'
+      - 'latest.json'
+
+jobs:
+  docs:
+    name: Build & Verify Docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22.11.0'
+          cache: 'yarn'
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Lint docs
+        run: yarn run prettier:checkDocs
+        env:
+          # Increase memory for prettier due to large number of files
+          NODE_OPTIONS: --max_old_space_size=8192
+
+      - name: Build docs website
+        run: |
+          # Create and start a container from the docs-base image in detached mode
+          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
+          
+          # Create the directory structure inside the container
+          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
+          
+          # Create the _index.md file
+          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
+          
+          # Copy the docs sources from the host to the container
+          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
+          
+          # Run the make prod command inside the container
+          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
+          
+          # Clean up the container
+          docker rm -f docs-builder

.github/workflows/metrics-collector.yml

@@ -15,6 +15,9 @@ on:
   issues:
     types: [opened, closed]
 
+permissions:
+  contents: read
+
 jobs:
   config:
     runs-on: "ubuntu-latest"
@@ -35,11 +38,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run metrics collector

.github/workflows/migrate-prs.yml

@@ -0,0 +1,60 @@
+name: Migrate open PRs
+# Migrate open PRs from a superseded release branch to the current release branch and notify authors
+on: 
+  workflow_call:
+    inputs:
+      from:
+        description: 'The base branch to check for open PRs'
+        required: true
+        type: string
+      to:
+        description: 'The base branch to migrate open PRs to'
+        required: true
+        type: string
+      ownerRepo:
+        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
+        required: true
+        type: string
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
+  workflow_dispatch:
+    inputs:
+      from:
+        description: 'The base branch to check for open PRs'
+        required: true
+        type: string
+      to:
+        description: 'The base branch to migrate open PRs to'
+        required: true
+        type: string
+      ownerRepo:
+        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
+        required: true
+        type: string
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Migrate PRs
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          ownerRepo: ${{ inputs.ownerRepo }}
+          from: ${{ inputs.from }}
+          to: ${{ inputs.to }}
+          binary_release_tag: 'dev'

.github/workflows/milestone.yml

@@ -1,19 +0,0 @@
-name: Close Milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version_input:
-        description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
-        required: true
-jobs:
-  call-remove-milestone:
-    uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
-    with:
-      version_call: ${{ github.event.inputs.version_input }}
-    secrets: inherit
-  call-close-milestone:
-    uses: grafana/grafana/.github/workflows/close-milestone.yml@main
-    with:
-      version_call: ${{ github.event.inputs.version_input }}
-    secrets: inherit
-    needs: call-remove-milestone

.github/workflows/pr-backend-coverage.yml

@@ -0,0 +1,71 @@
+name: Coverage
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  EDITION: 'oss'
+  WIRE_TAGS: 'oss'
+
+jobs:
+  main:
+    name: Backend Unit Tests
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential shared-mime-info
+          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
+      - name: Process and upload coverage
+        uses: ./.github/actions/test-coverage-processor
+        with:
+          test-type: 'be-unit'
+          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
+          coverage-file: 'unit.cov'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          codecov-flag: 'be-unit'
+          codecov-name: 'be-unit'
+
+      - name: Install Grafana Bench
+        # We can't allow forks here, as we need secret access.
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: ./.github/actions/setup-grafana-bench
+
+      - name: Process output for Bench
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          grafana-bench report \
+            --trigger pr-backend-unit-tests-oss \
+            --report-input go \
+            --report-output log \
+            --grafana-version "$(git rev-parse HEAD)" \
+            --suite-name grafana-oss-unit-tests \
+            /tmp/unit.log || true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false

.github/workflows/pr-checks.yml

@@ -31,11 +31,12 @@ jobs:
     if: github.event.pull_request.draft == false
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: Run PR Checks

.github/workflows/pr-codeql-analysis-go.yml

@@ -1,53 +0,0 @@
-name: "CodeQL for PR / go"
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [main]
-    paths:
-      - '**/*.go'
-
-permissions:
-  security-events: write
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    if: github.repository == 'grafana/grafana'
-
-    steps:
-    - name: "Generate token"
-      id: generate_token
-      continue-on-error: true
-      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-      with:
-        app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-        private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-        token: ${{ steps.generate_token.outputs.token }}
-
-    - name: Set go version
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: "go"
-
-    - name: Build go files
-      run: |
-        go mod verify
-        make build-go
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/pr-codeql-analysis-javascript.yml

@@ -25,12 +25,13 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: "javascript"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-codeql-analysis-python.yml

@@ -23,12 +23,13 @@ jobs:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: "python"
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/pr-commands.yml

@@ -30,11 +30,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Actions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # v4.2.2
         with:
           repository: "grafana/grafana-github-actions"
           path: ./actions
           ref: main
+          persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
       - name: "Generate token"

.github/workflows/pr-dependabot-update-go-workspace.yml

@@ -0,0 +1,69 @@
+name: "Update Go Workspace for Dependabot PRs"
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - .github/workflows/pr-dependabot-update-go-workspace.yml
+      - go.mod
+      - go.sum
+      - go.work
+      - go.work.sum
+      - '**/go.mod'
+      - '**/go.sum'
+      - '**.go'
+permissions:
+  contents: write
+  id-token: write
+jobs:
+  update:
+    runs-on: "ubuntu-latest"
+    if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
+    continue-on-error: true
+    steps:
+    - name: Retrieve GitHub App secrets
+      id: get-secrets
+      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
+      with:
+        repo_secrets: |
+          APP_ID=grafana-go-workspace-bot:app-id
+          APP_INSTALLATION_ID=grafana-go-workspace-bot:app-installation-id
+          PRIVATE_KEY=grafana-go-workspace-bot:private-key
+
+    - name: Generate GitHub App token
+      id: generate_token
+      uses: actions/create-github-app-token@v1
+      with:
+        app-id: ${{ env.APP_ID }}
+        private-key: ${{ env.PRIVATE_KEY }}
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+        ref: ${{ github.event.pull_request.head.ref }}
+        token: ${{ steps.generate_token.outputs.token }}
+        persist-credentials: false
+
+    - name: Set go version
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+      with:
+        go-version-file: go.mod
+
+    - name: Configure Git
+      run: |
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local --add --bool push.autoSetupRemote true
+
+    - name: Update workspace
+      run: make update-workspace
+
+    - name: Commit and push workspace changes
+      env:
+        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
+      run: |
+        if ! git diff --exit-code --quiet; then
+          echo "Committing and pushing workspace changes"
+          git commit -a -m "update workspace"
+          git push origin $BRANCH_NAME
+        fi

.github/workflows/pr-e2e-tests.yml

@@ -0,0 +1,72 @@
+name: End-to-end tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  build-grafana:
+    name: Build & Package Grafana
+    runs-on: ubuntu-latest-16-cores
+    outputs:
+      artifact: ${{ steps.artifact.outputs.artifact }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: 'grafana/grafana-build'
+          ref: 'main'
+          persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          path: ./grafana
+      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
+      - run: mv $(cat out.txt) grafana.tar.gz
+      - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
+        id: artifact
+      - uses: actions/upload-artifact@v4
+        id: upload
+        with:
+          retention-days: 1
+          name: ${{ steps.artifact.outputs.artifact }}
+          path: grafana.tar.gz
+  e2e-matrix:
+    name: ${{ matrix.suite }}
+    strategy:
+      matrix:
+        suite:
+          - various-suite
+          - dashboards-suite
+          - smoke-tests-suite
+          - panels-suite
+    needs:
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}
+  e2e-matrix-old-arch:
+    name: ${{ matrix.suite }} (old arch)
+    strategy:
+      matrix:
+        suite:
+          - old-arch/various-suite
+          - old-arch/dashboards-suite
+          - old-arch/smoke-tests-suite
+          - old-arch/panels-suite
+    needs:
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}

.github/workflows/pr-frontend-unit-tests.yml

@@ -0,0 +1,69 @@
+name: Frontend tests
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+
+permissions: {}
+
+jobs:
+  frontend-unit-tests:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `frontend-unit-tests-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
+    runs-on: ubuntu-latest-8-cores
+    name: "Unit tests (${{ matrix.chunk }} / 8)"
+    strategy:
+      fail-fast: false
+      matrix:
+        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run test:ci
+      env:
+        TEST_MAX_WORKERS: 2
+        TEST_SHARD: ${{ matrix.chunk }}
+        TEST_SHARD_TOTAL: 8
+
+  frontend-unit-tests-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    runs-on: ubuntu-latest-8-cores
+    name: "Unit tests (${{ matrix.chunk }} / 8)"
+    strategy:
+      fail-fast: false
+      matrix:
+        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - name: Setup Enterprise
+      uses: ./.github/actions/setup-enterprise
+      with:
+        github-app-name: 'grafana-ci-bot'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run test:ci
+      env:
+        TEST_MAX_WORKERS: 2
+        TEST_SHARD: ${{ matrix.chunk }}
+        TEST_SHARD_TOTAL: 8

.github/workflows/pr-go-workspace-check.yml

@@ -4,6 +4,15 @@ on:
   workflow_dispatch:
   pull_request:
     branches: [main]
+    paths:
+      - .github/workflows/pr-go-workspace-check.yml
+      - go.mod
+      - go.sum
+      - go.work
+      - go.work.sum
+      - '**/go.mod'
+      - '**/go.sum'
+      - '**.go'
 
 jobs:
   check:
@@ -13,10 +22,13 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set go version
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
       with:
+        cache: false
         go-version-file: go.mod
 
     - name: Update workspace
@@ -30,4 +42,6 @@ jobs:
           echo "Please run 'make update-workspace' and commit the changes."
           echo "If there is a change in enterprise dependencies, please update pkg/extensions/main.go."
           exit 1
-        fi
+        fi
+    - name: Ensure Dockerfile contains submodule COPY commands
+      run: ./scripts/go-workspace/validate-dockerfile.sh

.github/workflows/pr-k8s-codegen-check.yml

@@ -0,0 +1,41 @@
+name: "K8s Codegen Check"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+    paths:
+      - "pkg/apis/**"
+      - "pkg/aggregator/apis/**"
+      - "pkg/apimachinery/apis/**"
+      - "hack/**"
+      - "apps/**"
+      - "*.sum"
+
+jobs:
+  check:
+    name: K8s Codegen Check
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+
+    - name: Set go version
+      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+      with:
+        go-version-file: go.mod
+
+    - name: Update k8s codegen
+      run: ./hack/update-codegen.sh
+
+    - name: Check for k8s codegen changes
+      run: |
+        if ! git diff --exit-code --quiet; then
+          echo "Changes detected:"
+          git diff
+          echo "Please run './hack/update-codegen.sh' and commit the changes."
+          exit 1
+        fi

.github/workflows/pr-patch-check-event.yml

@@ -0,0 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana
+name: Dispatch check for patch conflicts
+run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+permissions: {}
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  dispatch-job:
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+      REPO: ${{ github.repository }}
+      SENDER: ${{ github.event.sender.login }}
+      SHA: ${{ github.sha }}
+      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: "Dispatch job"
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'test-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_repo: REPO,
+                  src_ref: HEAD_REF,
+                  src_merge_sha: SHA,
+                  src_pr_commit_sha: PR_COMMIT_SHA,
+                  patch_repo: REPO + '-security-patches',
+                  patch_ref: BASE_REF,
+                  triggering_github_handle: SENDER
+                }
+            })

.github/workflows/pr-patch-check.yml

@@ -1,27 +0,0 @@
-# Owned by grafana-release-guild
-# Intended to be dropped into the base repo Ex: grafana/grafana
-name: Check for patch conflicts
-run-name: check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
-on:
-  pull_request:
-    types:
-      - opened
-      - reopened
-      - synchronize
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-# Since this is run on a pull request, we want to apply the patches intended for the
-# target branch onto the source branch, to verify compatibility before merging.
-jobs:
-  trigger_downstream_patch_check:
-    uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
-    if: github.repository == 'grafana/grafana'
-    with:
-      src_repo: "${{ github.repository }}"
-      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
-      patch_repo: "${{ github.repository }}-security-patches"
-      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
-    secrets: inherit

.github/workflows/pr-test-integration.yml

@@ -0,0 +1,89 @@
+name: Integration Tests
+
+on:
+  push:
+    branches:
+      - main
+      - release-*.*.*
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
+
+jobs:
+  sqlite:
+    name: Sqlite
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - run: |
+          make gen-go
+          go test -tags=sqlite -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
+  mysql:
+    name: MySQL
+    runs-on: ubuntu-latest-8-cores
+    env:
+      GRAFANA_TEST_DB: mysql
+      MYSQL_HOST: 127.0.0.1
+    services:
+      mysql:
+        image: mysql:8.0.32
+        env:
+          MYSQL_ROOT_PASSWORD: rootpass
+          MYSQL_DATABASE: grafana_tests
+          MYSQL_USER: grafana
+          MYSQL_PASSWORD: password
+        options: --health-cmd="mysqladmin ping --silent" --health-interval=10s --health-timeout=5s --health-retries=3
+        ports:
+          - 3306:3306
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - run: |
+          sudo apt-get update -yq && sudo apt-get install mariadb-client
+          cat devenv/docker/blocks/mysql_tests/setup.sql | mariadb -h 127.0.0.1 -P 3306 -u root -prootpass --disable-ssl-verify-server-cert
+          make gen-go
+          go test -tags=mysql -p=1 -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
+  postgres:
+    name: Postgres
+    runs-on: ubuntu-latest-8-cores
+    services:
+      postgres:
+        image: postgres:12.3-alpine
+        env:
+          POSTGRES_USER: grafanatest
+          POSTGRES_PASSWORD: grafanatest
+          POSTGRES_DB: grafanatest
+        ports:
+          - 5432:5432
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - env:
+          GRAFANA_TEST_DB: postgres
+          PGPASSWORD: grafanatest
+          POSTGRES_HOST: 127.0.0.1
+        run: |
+          sudo apt-get update -yq && sudo apt-get install postgresql-client
+          psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
+          make gen-go
+          go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)

.github/workflows/publish-kinds-next.yml

@@ -32,9 +32,10 @@ jobs:
         uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/workflows/publish-kinds-release.yml

@@ -35,9 +35,10 @@ jobs:
         with:
           # required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/workflows/publish-technical-documentation-next.yml

@@ -16,6 +16,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
+      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
         with:
           website_directory: content/docs/grafana/next

.github/workflows/publish-technical-documentation-release.yml

@@ -3,7 +3,7 @@ name: publish-technical-documentation-release
 on:
   push:
     branches:
-      - v[0-9]+.[0-9]+.x
+      - release-[0-9]+.[0-9]+.[0-9]+
     tags:
       - v[0-9]+.[0-9]+.[0-9]+
     paths:
@@ -20,10 +20,11 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v1
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
         with:
-          release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
-          release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"
-          release_branch_with_patch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
+          release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
+          release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
+          release_branch_with_patch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
           website_directory: content/docs/grafana
           version_suffix: ""

.github/workflows/release-comms.yml

@@ -8,17 +8,18 @@ on:
       dry_run:
         required: false
         default: true
+        type: boolean
       version:
         required: true
       latest:
-        type: bool
+        type: boolean
         default: false
   pull_request:
     types:
     - closed
     branches:
     - 'main'
-    - 'v*.*.*'
+    - 'release-*.*.*'
 
 jobs:
   setup:
@@ -26,30 +27,75 @@ jobs:
     name: Setup and establish latest
     outputs:
       version: ${{ steps.output.outputs.version }}
+      release_branch: ${{ steps.output.outputs.release_branch }}
       dry_run: ${{ steps.output.outputs.dry_run }}
       latest: ${{ steps.output.outputs.latest }}
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      DRY_RUN: ${{ inputs.dry_run }}
+      LATEST: ${{ inputs.latest && '1' || '0' }}
+      VERSION: ${{ inputs.version }}
     runs-on: ubuntu-latest
     steps:
-    - if: ${{ github.event_name == 'workflow_dispatch' }}
-      run: |
-        echo setting up GITHUB_ENV for ${{ github.event_name }}
-        echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
-        echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
-        echo "LATEST=${{ inputs.latest }}" >> $GITHUB_ENV
     - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
       run: |
-        echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\///g')" >> $GITHUB_ENV
+        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
         echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
-        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') }}" >> $GITHUB_ENV
+        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
     - id: output
       run: |
         echo "dry_run: $DRY_RUN"
         echo "latest: $LATEST"
         echo "version: $VERSION"
 
+        echo "release_branch=$(echo $VERSION | sed -s 's/^v/release-/g')" >> "$GITHUB_OUTPUT"
         echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
         echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
         echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+  create_next_release_branch_grafana:
+    name: Create next release branch (Grafana)
+    needs: setup
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    with:
+      ownerRepo: 'grafana/grafana'
+      source: ${{ needs.setup.outputs.release_branch }}
+  create_next_release_branch_enterprise:
+    name: Create next release branch (Grafana Enterprise)
+    needs: setup
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    with:
+      ownerRepo: 'grafana/grafana-enterprise'
+      source: ${{ needs.setup.outputs.release_branch }}
+  migrate_prs_grafana:
+    needs:
+      - setup
+      - create_next_release_branch_grafana
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    with:
+      ownerRepo: 'grafana/grafana'
+      from: ${{ needs.setup.outputs.release_branch }}
+      to: ${{ needs.create_next_release_branch_grafana.outputs.branch }}
+  migrate_prs_enterprise:
+    needs:
+      - setup
+      - create_next_release_branch_enterprise
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+    with:
+      ownerRepo: 'grafana/grafana-enterprise'
+      from: ${{ needs.setup.outputs.release_branch }}
+      to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
   post_changelog_on_forum:
     needs: setup
     uses: ./.github/workflows/community-release.yml
@@ -72,7 +118,10 @@ jobs:
   post_on_slack:
     needs: setup
     runs-on: ubuntu-latest
+    env:
+      DRY_RUN: ${{ needs.setup.outputs.dry_run }}
+      VERSION: ${{ needs.setup.outputs.version }}
     steps:
     - run: |
-        echo announce on slack that ${{ needs.setup.outputs.version }} has been released
-        echo dry run: ${{ needs.setup.outputs.dry_run }}
+        echo announce on slack that $VERSION has been released
+        echo dry run: $DRY_RUN

.github/workflows/release-pr.yml

@@ -4,10 +4,14 @@
 # Please refrain from including any processes that do not result in code changes in this workflow. Instead, they should
 # either be triggered in the release promotion process or in the release comms process (that is triggered by merging
 # this PR).
-name: Complete a Grafana release
+name: Grafana Release PR
 on:
   workflow_dispatch:
     inputs:
+      previous_version:
+        type: string
+        required: false
+        description: 'The release version (semver, git tag, branch or commit) to use for comparison'
       version:
         required: true
         type: string
@@ -15,7 +19,7 @@ on:
       target:
         required: true
         type: string
-        description: The base branch that these changes are being merged into
+        description: The release branch pattern (eg v9.5.x) that these changes are being merged into
       backport:
         required: false
         type: string
@@ -29,15 +33,17 @@ on:
         default: false
         type: boolean
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   push-changelog-to-main:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Create PR to main to update the changelog
     uses: ./.github/workflows/changelog.yml
     with:
+      previous_version: ${{inputs.previous_version}}
       version: ${{ inputs.version }}
       latest: ${{ inputs.latest }}
       dry_run: ${{ inputs.dry_run }}
@@ -45,23 +51,33 @@ jobs:
     secrets:
       GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
       GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
   create-prs:
+    permissions:
+      contents: write
+      pull-requests: write
     name: Create Release PR
     runs-on: ubuntu-latest
     if: github.repository == 'grafana/grafana'
+    env:
+      VERSION: ${{ inputs.version }}
+      LATEST: ${{ inputs.latest }}
+      DRY_RUN: ${{ inputs.dry_run }}
     steps:
-      - name: Generate bot token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+      - name: Get release branch
+        id: branch
+        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
         with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ownerRepo: 'grafana/grafana'
+          pattern: ${{ inputs.target }}
       - name: Checkout Grafana
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.target }}
-          fetch-depth: 0
+          ref: ${{ steps.branch.outputs.branch }}
           fetch-tags: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Checkout Grafana (main)
         uses: actions/checkout@v4
         with:
@@ -69,6 +85,8 @@ jobs:
           fetch-depth: '0'
           fetch-tags: 'false'
           path: .grafana-main
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Setup nodejs environment
         uses: actions/setup-node@v4
         with:
@@ -80,37 +98,43 @@ jobs:
           git config --local --add --bool push.autoSetupRemote true
 
       - name: Create branch
-        run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}"
+        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
+      - name: Generate changelog token
+        id: generate_changelog_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
       - name: Generate changelog
         id: changelog
-        uses: ./.grafana-main/.github/workflows/actions/changelog
+        uses: ./.grafana-main/.github/actions/changelog
         with:
-          github_token: ${{ steps.generate_token.outputs.token }}
-          target: v${{ inputs.version }}
+          github_token: ${{ steps.generate_changelog_token.outputs.token }}
+          target: v${{ env.VERSION }}
           output_file: changelog_items.md
       - name: Patch CHANGELOG.md
         run: |
           # Prepare CHANGELOG.md content with version delimiters
           (
             echo
-            echo "# ${{ inputs.version}} ($(date '+%F'))"
+            echo "# $VERSION ($(date '+%F'))"
             echo
             cat changelog_items.md
           ) > CHANGELOG.part
 
           # Check if a version exists in the changelog
-          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
+          if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
             # Replace the content between START and END delimiters
-            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
-                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
+            echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
+            sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
+                   -e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
           else
             # Prepend changelog part to the main changelog file
-            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
+            echo "Version $VERSION not found in the CHANGELOG.md"
             (
-              echo "<!-- ${{ inputs.version }} START -->"
+              echo "<!-- $VERSION START -->"
               cat CHANGELOG.part
-              echo "<!-- ${{ inputs.version }} END -->"
+              echo "<!-- $VERSION END -->"
               cat CHANGELOG.md
             ) > CHANGELOG.tmp
             mv CHANGELOG.tmp CHANGELOG.md
@@ -119,7 +143,6 @@ jobs:
           rm -f CHANGELOG.part changelog_items.md
 
           git diff CHANGELOG.md
-          
       - name: "Prettify CHANGELOG.md"
         run: npx prettier --write CHANGELOG.md
       - name: Commit CHANGELOG.md changes
@@ -133,35 +156,46 @@ jobs:
       - name: Add package.json changes
         run: |
           git add package.json lerna.json yarn.lock packages public
-          git commit -m "Update version to ${{ inputs.version }}"
+          test -e e2e/test-plugins && git add e2e/test-plugins
+          git commit -m "Update version to $VERSION"
 
       - name: Git push
         if: ${{ inputs.dry_run }} != true
-        run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }}
+        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
 
       - name: Create PR without backports
         if: "${{ inputs.backport == '' }}"
-        run: >
-          gh pr create \
-            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-            -l "no-changelog" \
-            --dry-run=${{ inputs.dry_run }} \
-            -B "${{ inputs.target }}" \
-            --title "Release: ${{ inputs.version }}" \
-            --body "These code changes must be merged after a release is complete"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"
 
       - name: Create PR with backports
         if: "${{ inputs.backport != '' }}"
-        run: >
-          gh pr create \
-            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
-            -l "product-approved" \
-            -l "no-changelog" \
-            --dry-run=${{ inputs.dry_run }} \
-            -B "${{ inputs.target }}" \
-            --title "Release: ${{ inputs.version }}" \
-            --body "These code changes must be merged after a release is complete"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "product-approved" \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"

.github/workflows/remove-milestone.yml

@@ -1,60 +0,0 @@
-name: Remove milestone
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: Needs to match, exactly, the name of a milestone
-  workflow_call:
-    inputs:
-      version_call:
-        description: Needs to match, exactly, the name of a milestone
-        required: true
-        type: string
-
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    permissions:
-      issues: write
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Actions
-        uses: actions/checkout@v4
-        with:
-          repository: "grafana/grafana-github-actions"
-          path: ./actions
-          ref: main
-      - name: Install Actions
-        run: npm install --production --prefix ./actions
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Remove milestone from open issues (manually invoked)
-        if: ${{ github.event.inputs.version != '' }}
-        uses: ./actions/remove-milestone
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Remove milestone from open issues (workflow invoked)
-        if: ${{ inputs.version_call != '' }}
-        uses: ./actions/remove-milestone
-        with:
-          version_call: ${{ inputs.version_call }}
-          token: ${{ steps.generate_token.outputs.token }}

.github/workflows/run-dashboard-search-e2e.yml

@@ -0,0 +1,130 @@
+name: run-dashboard-search-e2e
+
+on:
+  workflow_run:
+    workflows: 
+      - trigger-dashboard-search-e2e
+    types:
+      - completed
+  workflow_dispatch:
+
+env:
+  ARCH: linux-amd64
+
+permissions: {}
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    outputs:
+      ini_files: ${{ steps.get_files.outputs.ini_files }}
+
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Pin Go version to mod file
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - run: go version
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'yarn'
+      - name: Cache Node Modules
+        id: cache-node-modules
+        uses: actions/cache@v3
+        with:
+          path: |
+            node_modules
+            /home/runner/.cache/Cypress
+          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: yarn install --immutable
+      - name: Install Cypress dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          runTests: false
+      - name: Cache Grafana Build and Dependencies
+        id: cache-grafana
+        uses: actions/cache@v3
+        with:
+          path: |
+            bin/
+            scripts/grafana-server/
+            tools/
+            public/
+            conf/
+            e2e/test-plugins/
+            devenv/
+          key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
+      # only rebuild grafana if search files have changed ( or dependencies )
+      - name: Build Grafana (Runs Only If Not Cached)
+        if: steps.cache-grafana.outputs.cache-hit != 'true'
+        run: make build
+
+      - name: Get list of .ini files
+        id: get_files
+        run: |
+          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
+          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
+        shell: bash
+
+  run_tests:
+      needs: setup
+      runs-on: ubuntu-latest
+      continue-on-error: true
+      if: github.event.pull_request.draft == false
+      strategy:
+        matrix:
+          ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
+
+      permissions:
+        contents: read
+        id-token: write
+
+      steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+        - name: Restore Cached Node Modules
+          uses: actions/cache@v3
+          with:
+            path: |
+              node_modules
+              /home/runner/.cache/Cypress
+            key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+
+        - name: Restore Cached Grafana Build and Dependencies
+          uses: actions/cache@v3
+          with:
+            path: |
+              bin/
+              scripts/grafana-server/
+              tools/
+              public/
+              conf/
+              e2e/test-plugins/
+              devenv/
+            key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
+        - name: Set the step name
+          id: set_file_name
+          env:
+            INI_NAME: ${{ matrix.ini_file }}
+          run: |
+            FILE_NAME=$(basename "$env.INI_NAME" .ini)
+            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
+        - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
+          env:
+            INI_NAME: ${{ matrix.ini_file }}
+          run: |
+            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
+            yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"

.github/workflows/run-e2e-suite.yml

@@ -0,0 +1,39 @@
+name: e2e suite
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        type: string
+        required: true
+      suite:
+        type: string
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.package }}
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
+      - name: Set suite name
+        id: set-suite-name
+        if: always()
+        env:
+          SUITE: ${{ inputs.suite }}
+        run: |
+          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
+          path: videos
+          retention-days: 1

.github/workflows/run-scenes-e2e.yml

@@ -1,47 +0,0 @@
-name: Run dashboard scenes e2e
-
-on:
-  schedule:
-    - cron: "0 8 * * 1-5" # every day at 08:00UTC on weekdays
-  # push # uncomment for test run during PR
-
-env:
-  ARCH: linux-amd64
-
-jobs:
-  dashboard-scenes-e2e:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Pin Go version to mod file
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - run: go version
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - name: Install dependencies
-        run: yarn install --immutable
-      - name: Build grafana
-        run: make build
-      - name: Install Cypress dependencies
-        uses: cypress-io/github-action@v6
-        with: 
-          runTests: false
-      - name: Run dashboard scenes e2e
-        run: yarn e2e:scenes
-      - name: "Send Slack notification"
-        if: ${{ failure() }}
-        uses: slackapi/slack-github-action@v1.26.0
-        with:
-          payload: >
-            {
-              "icon_emoji": ":this-is-fine-fire:",
-              "username": "Dashboard scenes e2e tests failed",
-              "text": "Link to run: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}",
-              "channel": "#grafana-dashboards-squad"
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/run-schema-v2-e2e.yml

@@ -0,0 +1,46 @@
+name: Run dashboard schema v2 e2e
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '**' 
+
+env:
+  ARCH: linux-amd64
+
+jobs:
+  dashboard-schema-v2-e2e:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Pin Go version to mod file
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+      - run: go version
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'yarn'
+      - name: Install dependencies
+        run: yarn install --immutable
+      - name: Build grafana
+        run: make build
+      - name: Install Cypress dependencies
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          runTests: false
+      - name: Run dashboard scenes e2e
+        run: yarn e2e:schema-v2 || echo "Test failed but marking as success since schema V2 is behind a feature flag and should not block PRs"
+      
+      - name: Always succeed # This is a workaround to make the job pass even if the previous step fails
+        if: failure()
+        run: exit 0

.github/workflows/sbom-report.yml

@@ -1,20 +0,0 @@
-name: syft-sbom-ci
-
-on:
-  release:
-    types: [created]
-
-jobs:
-  syft-sbom:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-        
-    - name: Anchore SBOM Action
-      uses: anchore/sbom-action@v0.14.2
-      with:
-         artifact-name: ${{ github.event.repository.name }}-spdx.json
-

.github/workflows/scripts/crowdin/create-tasks.js

@@ -0,0 +1,84 @@
+const crowdin = require('@crowdin/crowdin-api-client');
+const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
+
+const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
+if (!API_TOKEN) {
+  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
+  process.exit(1);
+}
+
+const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
+if (!PROJECT_ID) {
+  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
+  process.exit(1);
+}
+
+const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
+  token: API_TOKEN,
+  organization: 'grafana'
+});
+
+const languages = await getLanguages();
+const fileIds = await getFileIds();
+console.log('Languages: ', languages);
+console.log('File IDs: ', fileIds);
+
+// for (const language of languages) {
+//   const { name, id } = language;
+//   await createTask(`Translate to ${name}`, id, fileIds);
+// }
+
+async function getLanguages() {
+  try {
+    const project = await projectsGroupsApi.getProject(PROJECT_ID);
+    const languages = project.data.targetLanguages;
+    return languages;
+  } catch (error) {
+    console.error('Failed to fetch languages: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getFileIds() {
+  try {
+    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
+    const files = response.data;
+    const fileIds = files.map(file => file.data.id);
+    return fileIds;
+  } catch (error) {
+    console.error('Failed to fetch file IDs: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function createTask(title, languageId, fileIds) {
+  try {
+    const taskParams = {
+      title,
+      description: TRANSLATED_CONNECTOR_DESCRIPTION,
+      languageId,
+      type: 2, // Translation by vendor
+      workflowStepId: 78, // Translation step ID
+      skipAssignedStrings: true,
+      fileIds,
+    };
+
+    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
+
+    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
+    console.log(`Task created successfully! Task ID: ${response.data.id}`);
+    return response.data;
+  } catch (error) {
+    console.error('Failed to create Crowdin task: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}

.github/workflows/scripts/pr-get-job-link.js

@@ -1,9 +0,0 @@
-
-module.exports = async ({ name, github, context, core }) => {
-    const { owner, repo } = context.repo;
-    const url = `https://api.github.com/repos/${owner}/${repo}/actions/runs/${context.runId}/jobs`
-    const result = await github.request(url);
-    const job = result.data.jobs.find(j => j.name === name);
-    
-    core.setOutput('link', `${job.html_url}?check_suite_focus=true`);
-}

.github/workflows/skye-add-to-project.yml

@@ -0,0 +1,106 @@
+name: Add issues and PRs to Skye project board
+on:
+  workflow_dispatch:
+    inputs:
+      manual_issue_number:
+        description: 'Issue/PR number to add to project'
+        required: false
+        type: number
+  issues:
+    types: [opened]
+  pull_request:
+    types: [opened]
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  ORGANIZATION: grafana
+  REPO: grafana
+  PROJECT_ID: "PVT_kwDOAG3Mbc4AxfcI" # Retrieved manually from GitHub GraphQL Explorer
+
+concurrency:
+  group: skye-add-to-project-${{ github.event.number }}
+
+jobs:
+  main:
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Vault secret paths:
+          # - ci/repo/grafana/grafana/grafana_pr_automation_app
+          # - ci/repo/grafana/grafana/frontend_platform_skye_usernames (comma separated list of usernames)
+          repo_secrets: |
+            GH_APP_ID=grafana_pr_automation_app:app_id
+            GH_APP_PEM=grafana_pr_automation_app:app_pem
+            ALLOWED_USERS=frontend_platform_skye_usernames:allowed_users
+
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
+
+      # Check if the user is in the list from the secret
+      - name: Check if user is allowed
+        id: check_user
+        env:
+          ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
+          USERNAME: ${{ github.event.sender.login }}
+        run: |
+          # Convert the comma-separated list to an array
+          IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"
+
+          # Check if user is in the allowed list
+          for allowed_user in "${ALLOWED_USERS[@]}"; do
+            if [ "$allowed_user" = "$USERNAME" ]; then
+              echo "user_allowed=true" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+          done
+          echo "user_allowed=false" >> $GITHUB_OUTPUT
+
+      # Convert the issue/PR number to a node ID for the GraphQL API
+      - name: Get node ID for item
+        if: steps.check_user.outputs.user_allowed == 'true'
+        id: get_node_id
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        with:
+          query: |
+            query getNodeId($owner: String!, $repo: String!, $number: Int!) {
+              repository(owner: $owner, name: $repo) {
+                issueOrPullRequest(number: $number) {
+                  ... on Issue { id }
+                  ... on PullRequest { id }
+                }
+              }
+            }
+          variables: |
+            owner: ${{ env.ORGANIZATION }}
+            repo: ${{ env.REPO }}
+            number: ${{ github.event.number || github.event.inputs.manual_issue_number }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      # Finally, add the issue/PR to the project board
+      - name: Add to project board
+        if: steps.check_user.outputs.user_allowed == 'true'
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        with:
+          query: |
+            mutation addItem($projectid: ID!, $itemid: ID!) {
+              addProjectV2ItemById(input: {projectId: $projectid, contentId: $itemid}) {
+                item { id }
+              }
+            }
+          variables: |
+            projectid: ${{ env.PROJECT_ID }}
+            itemid: ${{ fromJSON(steps.get_node_id.outputs.data).repository.issueOrPullRequest.id }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

.github/workflows/storybook-verification.yml

@@ -0,0 +1,48 @@
+name: Verify Storybook
+
+on:
+  pull_request:
+    paths:
+      - 'packages/grafana-ui/**'
+      - '!docs/**'
+      - '!*.md'
+  push:
+    branches:
+      - main
+    paths:
+      - 'packages/grafana-ui/**'
+      - '!docs/**'
+      - '!*.md'
+
+jobs:
+  verify-storybook:
+    name: Verify Storybook
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: 'package.json'
+          cache: 'yarn'
+      
+      - name: Install dependencies
+        run: yarn install --immutable
+      
+      - name: Run Storybook and E2E tests
+        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
+        with:
+          browser: chrome
+          start: yarn storybook --quiet
+          wait-on: 'http://localhost:9001'
+          wait-on-timeout: 60
+          command: yarn e2e:storybook
+          install: false
+        env:
+          HOST: localhost
+          PORT: 9001

.github/workflows/sync-mirror-event.yml

@@ -0,0 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Dispatch sync to mirror
+run-name: dispatch-sync-to-mirror-${{ github.ref_name }}
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+permissions: {}
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  dispatch-job:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      REF_NAME: ${{ github.ref_name }}
+      REPO: ${{ github.repository }}
+      SHA: ${{ github.sha }}
+    steps:
+      - name: "Get vault secrets"
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
+          repo_secrets: |
+            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
+
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
+          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+      - uses: actions/github-script@v7
+        if: github.repository == 'grafana/grafana'
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {REF_NAME, REPO, SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'mirror-branch-and-apply-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_ref: REF_NAME,
+                  src_repo: REPO,
+                  src_sha: SHA,
+                  dest_repo: REPO + "-security-mirror",
+                  patch_repo: REPO + "-security-patches"
+                }
+            })

.github/workflows/sync-mirror.yml

@@ -1,25 +0,0 @@
-# Owned by grafana-release-guild
-# Intended to be dropped into the base repo, Ex: grafana/grafana
-name: Sync to mirror
-run-name: sync-to-mirror-${{ github.ref_name }}
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-# This is run after the pull request has been merged, so we'll run against the target branch
-jobs:
-  trigger_downstream_patch_mirror:
-    concurrency: patch-mirror-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
-    if: github.repository == 'grafana/grafana'
-    with:
-      ref: "${{ github.ref_name }}" # this is the target branch name, Ex: "main"
-      src_repo: "${{ github.repository }}"
-      dest_repo: "${{ github.repository }}-security-mirror"
-      patch_repo: "${{ github.repository }}-security-patches"
-    secrets: inherit
-

.github/workflows/trigger-dashboard-search-e2e.yml

@@ -0,0 +1,28 @@
+name: trigger-dashboard-search-e2e
+# triggers the dashboard search e2e tests which runs async 
+# doesn't block prs, allows setting up notifications from grafana
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - public/app/features/search/**/*.ts
+      - public/app/features/search/**/*.tsx
+      - pkg/storage/**/*.go
+  pull_request:
+    branches:
+      - main
+    paths:
+      - public/app/features/search/**/*.ts
+      - public/app/features/search/**/*.tsx
+      - pkg/storage/**/*.go
+env:
+  ARCH: linux-amd64
+
+jobs:
+  trigger-search-e2e:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false
+    steps:
+      - name: Trigger Dashboard Search E2E
+        run: echo "Triggered Dashboard Search e2e..."

.github/workflows/trivy-scan.yml

@@ -4,48 +4,64 @@ on:
     # only run on PRs where go.mod/go.sum/etc have been updated
     paths:
       - go.*
+      - .github/workflows/trivy-scan.yml
   push:
     branches:
       - main
     paths:
       - go.*
+      - .github/workflows/trivy-scan.yml
 
 jobs:
   trivy-scan:
     runs-on: ubuntu-22.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Install Trivy
+      uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
+      with:
+        version: v0.56.2
+        cache: true
+    - name: Download Trivy DB
+      run: |
+        trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
     - name: Run Trivy vulnerability scanner (table output)
-      uses: aquasecurity/trivy-action@0.24.0
-      with:
-        # scan the filesystem, rather than building a Docker image prior - the
-        # downside is we won't catch dependencies that are only installed in the
-        # image, but the upside is we'll only catch vulnerabilities that are
-        # explicitly in the our dependencies
-        scan-type: 'fs'
-        scanners: 'vuln'
-        format: 'table'
-        exit-code: 1
-        ignore-unfixed: true
-        vuln-type: 'os,library'
-        severity: 'CRITICAL,HIGH'
-        trivyignores: .trivyignore
-        # for the PR check, ignore JS-related issues
-        skip-files: 'yarn.lock,package.json'
+      # Use the trivy binary rather than the aquasecurity/trivy-action action
+      # to avoid a few bugs.
+      #
+      # We scan the file system rather than building the Docker image to only scan
+      # our direct dependencies. The Docker images are still scanned by
+      # Vulnerability Observability:
+      #   - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
+      #   - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
+      #   (If these links are outdated, just go to the list and find the images manually.)
+      run: |
+        trivy fs \
+          --scanners vuln \
+          --format table \
+          --exit-code 1 \
+          --ignore-unfixed \
+          --pkg-types os,library \
+          --severity CRITICAL,HIGH \
+          --ignorefile .trivyignore \
+          --skip-files yarn.lock,package.json \
+          --skip-db-update \
+          .
     - name: Run Trivy vulnerability scanner (SARIF)
-      uses: aquasecurity/trivy-action@0.24.0
-      with:
-        scan-type: 'fs'
-        scanners: 'vuln'
-        # Note: The SARIF format ignores severity and uploads all vulns for
-        # later triage. The table-format step above is used to fail the build
-        # if there are any critical or high vulnerabilities.
-        # See https://github.com/aquasecurity/trivy-action/issues/95
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-        ignore-unfixed: true
-        vuln-type: 'os,library'
-        trivyignores: .trivyignore
+      # Use the trivy binary rather than the aquasecurity/trivy-action action
+      # to avoid a few bugs
+      run: |
+        trivy fs \
+          --scanners vuln \
+          --format sarif \
+          --output trivy-results.sarif \
+          --ignore-unfixed \
+          --pkg-types os,library \
+          --ignorefile .trivyignore \
+          --skip-db-update \
+          .
       if: always() && github.repository == 'grafana/grafana'
     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@v3

.github/workflows/update-changelog.yml

@@ -1,52 +0,0 @@
-name: Update changelog
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        required: true
-        description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
-      skip_pr:
-        required: false
-        default: "0"
-      skip_community_post:
-        required: false
-        default: "0"
-jobs:
-  config:
-    runs-on: "ubuntu-latest"
-    outputs:
-      has-secrets: ${{ steps.check.outputs.has-secrets }}
-    steps:
-      - name: "Check for secrets"
-        id: check
-        shell: bash
-        run: |
-          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
-                        secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
-                        secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
-                        secrets.GRAFANABOT_FORUM_KEY != ''
-                        ) || '' }}" ]; then
-            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
-          fi
-
-  main:
-    needs: config
-    if: needs.config.outputs.has-secrets
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: Run update changelog (manually invoked)
-        uses: grafana/grafana-github-actions-go/update-changelog@main
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          version: ${{ inputs.version }}
-          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
-          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
-          community_api_username: grafanabot
-          skip_pr: ${{ inputs.skip_pr }}
-          skip_community_post: ${{ inputs.skip_community_post }}

.github/workflows/update-make-docs.yml

@@ -9,7 +9,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
+        with:
+          persist-credentials: false
+      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
         with:
           pr_options: >
             --label 'backport v10.1.x'

.github/workflows/verify-kinds.yml

@@ -14,9 +14,10 @@ jobs:
         uses: "actions/checkout@v4"
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: "Setup Go"
-        uses: "actions/setup-go@v4"
+        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
         with:
           go-version-file: go.mod
 

.github/workflows/zizmor.yml

@@ -0,0 +1,23 @@
+name: Zizmor GitHub Actions static analysis
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  zizmor:
+    name: Analyse with Zizmor
+
+    permissions:
+      actions: read
+      contents: read
+      # required to comment on pull requests with the results of the check
+      pull-requests: write
+      # required to upload the results to GitHub's code scanning service
+      security-events: write
+
+    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@main  # zizmor: ignore[unpinned-uses]
+    with:
+      fail-severity: high
+      min-severity: high

.github/zizmor.yml

@@ -0,0 +1,31 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": hash-pin
+        actions/*: any
+        github/*: any
+        grafana/*: any
+  forbidden-uses:
+    config:
+      deny:
+        # Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
+        # https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30066
+        # https://nvd.nist.gov/vuln/detail/cve-2025-30154
+        - reviewdog/*
+  cache-poisoning:
+    ignore:
+      - backend-unit-tests.yml
+      - frontend-lint.yml
+      - pr-frontend-unit-tests.yml
+      - pr-test-integration.yml
+      - publish-kinds-release.yml
+  dangerous-triggers:
+    ignore:
+      - auto-milestone.yml
+      - backport.yml
+      - pr-checks.yml
+      - pr-commands.yml
+      - pr-patch-check-event.yml
+      - run-dashboard-search-e2e.yml

.golangci.toml

@@ -1,261 +0,0 @@
-[run]
-timeout = "20m"
-concurrency = 10
-
-[linters-settings.exhaustive]
-default-signifies-exhaustive = true
-
-[linters-settings.revive]
-ignore-generated-header = false
-severity = "warning"
-confidence = 3
-
-[linters-settings.depguard.rules.main]
-allow = [] # allow all
-deny = [
-  { pkg = "io/ioutil", desc = "Deprecated: As of Go 1.16, the same functionality is now provided by package io or package os, and those implementations should be preferred in new code. See the specific function documentation for details." },
-  { pkg = "gopkg.in/yaml.v2", desc = "Grafana packages are not allowed to depend on gopkg.in/yaml.v2 as gopkg.in/yaml.v3 is now available" },
-  { pkg = "github.com/pkg/errors", desc = "Deprecated: Go 1.13 supports the functionality provided by pkg/errors in the standard library." },
-  { pkg = "github.com/xorcare/pointer", desc = "Use pkg/util.Pointer instead, which is a generic one-liner alternative" },
-  { pkg = "github.com/gofrs/uuid", desc = "Use github.com/google/uuid instead, which we already depend on." },
-  { pkg = "github.com/bmizerany/assert", desc = "Use github.com/stretchr/testify/assert instead, which we already depend on." },
-]
-
-[linters-settings.depguard.rules.coreplugins]
-deny = [
-  { pkg = "github.com/grafana/grafana/pkg/api", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/cmd", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/cuectx", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/extensions", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/kinds", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/middleware", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/modules", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/registry", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/services", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/build", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/codegen", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/events", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/ifaces", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/kindsysreport", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/mocks", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/plugins", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/setting", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/util", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/bus", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/components", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/expr", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/infra", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/login", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/models", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/server", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/tests", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/web", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-  { pkg = "github.com/grafana/grafana/pkg/tsdb/intervalv2", desc = "Core plugins are not allowed to depend on Grafana core packages" },
-]
-files = [
-  "**/pkg/tsdb/grafana-pyroscope-datasource/*",
-  "**/pkg/tsdb/grafana-pyroscope-datasource/**/*",
-  "**/pkg/tsdb/grafana-testdata-datasource/*",
-  "**/pkg/tsdb/grafana-testdata-datasource/**/*",
-  "**/pkg/tsdb/azuremonitor/*",
-  "**/pkg/tsdb/azuremonitor/**/*",
-  "**/pkg/tsdb/cloud-monitoring/*",
-  "**/pkg/tsdb/cloud-monitoring/**/*",
-  "**/pkg/tsdb/mysql/*",
-  "**/pkg/tsdb/mysql/**/*",
-  "**/pkg/tsdb/parca/*",
-  "**/pkg/tsdb/parca/**/*",
-  "**/pkg/tsdb/tempo/*",
-  "**/pkg/tsdb/tempo/**/*",
-  "**/pkg/tsdb/cloudwatch/*",
-  "**/pkg/tsdb/cloudwatch/**/*",
-]
-
-[linters-settings.depguard.rules.apiserver]
-list-mode = "lax"
-allow = [
-  "github.com/grafana/grafana/pkg/apimachinery",
-  "github.com/grafana/grafana/pkg/apiserver",
-]
-deny = [
-  { pkg = "github.com/grafana/grafana/pkg", desc = "apiserver is not allowed to import grafana core" }
-]
-files = [
-  "**/pkg/apiserver/*",
-  "**/pkg/apiserver/**/*"
-]
-
-[linters-settings.depguard.rules.apimachinery]
-list-mode = "lax"
-allow = [
-  "github.com/grafana/grafana/pkg/apimachinery",
-]
-deny = [
-  { pkg = "github.com/grafana/grafana/pkg", desc = "apimachinery is not allowed to import grafana core" }
-]
-files = [
-  "**/pkg/apimachinery/*",
-  "**/pkg/apimachinery/**/*"
-]
-
-[linters-settings.depguard.rules.promlib]
-list-mode = "lax" # allow unless explicitely denied
-deny = [
-  { pkg = "github.com/grafana/grafana/pkg", desc = "promlib is not allowed to import grafana core" }
-]
-allow = [
-  "github.com/grafana/grafana/pkg/promlib"
-]
-files = [
-  "**/pkg/promlib/*",
-  "**/pkg/promlib/**/*"
-]
-
-[linters-settings.gocritic]
-enabled-checks = ["ruleguard"]
-[linters-settings.gocritic.settings.ruleguard]
-rules = "pkg/ruleguard.rules.go"
-
-[linters-settings.misspell]
-ignore-words = ["Unknwon", "Creater"]
-
-[linters-settings.nakedret]
-max-func-lines = 60
-
-[linters]
-disable-all = true
-# try to keep this list sorted, please
-enable = [
-  "asciicheck",
-  "bodyclose",
-  "depguard",
-  "dogsled",
-  "errcheck",
-  "errorlint",
-  "exhaustive",
-  "exportloopref",
-  # "gochecknoinits",
-  # "goconst",
-  # "gocritic", # Temporarily disabled on 2022-09-09, running into weird bug "ruleguard: execution error: used Run() with an empty rule set; forgot to call Load() first?"
-  "gocyclo",
-  "goimports",
-  "goprintffuncname",
-  "gosec",
-  "gosimple",
-  "govet",
-  "ineffassign",
-  "misspell",
-  "nakedret",
-  "prealloc",
-  "revive",
-  "staticcheck",
-  "stylecheck",
-  "unconvert",
-  "unused",
-  "whitespace",
-]
-
-# Disabled linters (might want them later)
-# "unparam"
-# "rowserrcheck" # The linter doesn't detect that both Scan and Close also returns the error message returned by Err.
-
-[issues]
-exclude-use-default = false
-max-same-issues = 0
-
-# Enable when appropriate
-# Poorly chosen identifier
-[[issues.exclude-rules]]
-linters = ["stylecheck"]
-text = "ST1003"
-
-# Enable when appropriate
-# Dot imports that aren't in external test packages are discouraged.
-[[issues.exclude-rules]]
-linters = ["stylecheck"]
-text = "ST1001"
-
-# Enable when appropriate
-# http.CloseNotifier has been deprecated since Go 1.11 and an alternative has been available since Go 1.7: We currently need it in pkg/web/response_writer.go.
-[[issues.exclude-rules]]
-linters = ["staticcheck"]
-text = "SA1019: http.CloseNotifier"
-
-# strings.Title has been deprecated since Go 1.18 and an alternative has been available since Go 1.0: The rule Title uses for word boundaries does not handle Unicode punctuation properly.
-# Use golang.org/x/text/cases instead.
-[[issues.exclude-rules]]
-linters = ["staticcheck"]
-text = "SA1019: strings.Title"
-
-# go.opentelemetry.io/otel/exporters/jaeger" is deprecated: This module is no longer supported. OpenTelemetry dropped support for Jaeger exporter in July 2023.
-# Jaeger officially accepts and recommends using OTLP.
-# Use [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp] or [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc] instead.
-[[issues.exclude-rules]]
-linters = ["staticcheck"]
-text = "SA1019: \"go.opentelemetry.io/otel/exporters/jaeger\""
-
-[[issues.exclude-rules]]
-linters = ["staticcheck"]
-text = "use fake service and real access control evaluator instead"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "G108"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "G110"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "G201"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "G202"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "G306"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "401"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "402"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "501"
-
-[[issues.exclude-rules]]
-linters = ["gosec"]
-text = "404"
-
-[[issues.exclude-rules]]
-linters = ["errorlint"]
-text = "non-wrapping format verb for fmt.Errorf"
-
-# TODO: Enable
-[[issues.exclude-rules]]
-linters = ["stylecheck"]
-text = "ST1000"
-
-# TODO: Enable
-[[issues.exclude-rules]]
-linters = ["stylecheck"]
-text = "ST1020"
-
-# TODO: Enable
-[[issues.exclude-rules]]
-linters = ["stylecheck"]
-text = "ST1021"
-
-# Remove this when we have go v1.22 in place
-# https://stackoverflow.com/a/68247837/767660
-[[issues.exclude-rules]]
-linters = ["gosec"]
-path = '(.+)_test\.go'
-text = "G601"

.golangci.yml

@@ -0,0 +1,298 @@
+run:
+  timeout: 10m
+  concurrency: 10
+  allow-parallel-runners: true
+linters-settings:
+  exhaustive:
+    default-signifies-exhaustive: true
+  revive:
+    ignore-generated-header: false
+    severity: warning
+    confidence: 3
+  depguard:
+    rules:
+      main:
+        allow: []
+        deny:
+          - pkg: io/ioutil
+            desc: >-
+              Deprecated: As of Go 1.16, the same functionality is now provided
+              by package io or package os, and those implementations should be
+              preferred in new code. See the specific function documentation for
+              details.
+          - pkg: gopkg.in/yaml.v2
+            desc: >-
+              Grafana packages are not allowed to depend on gopkg.in/yaml.v2 as
+              gopkg.in/yaml.v3 is now available
+          - pkg: github.com/pkg/errors
+            desc: >-
+              Deprecated: Go 1.13 supports the functionality provided by
+              pkg/errors in the standard library.
+          - pkg: github.com/xorcare/pointer
+            desc: >-
+              Use pkg/util.Pointer instead, which is a generic one-liner
+              alternative
+          - pkg: github.com/gofrs/uuid
+            desc: 'Use github.com/google/uuid instead, which we already depend on.'
+          - pkg: github.com/bmizerany/assert
+            desc: >-
+              Use github.com/stretchr/testify/assert instead, which we already
+              depend on.
+      coreplugins:
+        deny:
+          - pkg: github.com/grafana/grafana/pkg/api
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/cmd
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/cuectx
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/extensions
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/kinds
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/middleware
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/modules
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/registry
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/services
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/build
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/codegen
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/events
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/ifaces
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/kindsysreport
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/mocks
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/plugins
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/setting
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/util
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/bus
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/components
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/expr
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/infra
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/login
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/models
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/server
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/tests
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/web
+            desc: Core plugins are not allowed to depend on Grafana core packages
+          - pkg: github.com/grafana/grafana/pkg/tsdb/intervalv2
+            desc: Core plugins are not allowed to depend on Grafana core packages
+        files:
+          - '**/pkg/tsdb/grafana-pyroscope-datasource/*'
+          - '**/pkg/tsdb/grafana-pyroscope-datasource/**/*'
+          - '**/pkg/tsdb/grafana-testdata-datasource/*'
+          - '**/pkg/tsdb/grafana-testdata-datasource/**/*'
+          - '**/pkg/tsdb/azuremonitor/*'
+          - '**/pkg/tsdb/azuremonitor/**/*'
+          - '**/pkg/tsdb/cloud-monitoring/*'
+          - '**/pkg/tsdb/cloud-monitoring/**/*'
+          - '**/pkg/tsdb/mysql/*'
+          - '**/pkg/tsdb/mysql/**/*'
+          - '**/pkg/tsdb/parca/*'
+          - '**/pkg/tsdb/parca/**/*'
+          - '**/pkg/tsdb/tempo/*'
+          - '**/pkg/tsdb/tempo/**/*'
+          - '**/pkg/tsdb/cloudwatch/*'
+          - '**/pkg/tsdb/cloudwatch/**/*'
+      apiserver:
+        list-mode: lax
+        allow:
+          - github.com/grafana/grafana/pkg/apimachinery
+          - github.com/grafana/grafana/pkg/apiserver
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: apiserver is not allowed to import grafana core
+        files:
+          - '**/pkg/apiserver/*'
+          - '**/pkg/apiserver/**/*'
+      apimachinery:
+        list-mode: lax
+        allow:
+          - github.com/grafana/grafana/pkg/apimachinery
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: apimachinery is not allowed to import grafana core
+        files:
+          - '**/pkg/apimachinery/*'
+          - '**/pkg/apimachinery/**/*'
+      aggregator:
+        list-mode: lax
+        allow:
+          - github.com/grafana/grafana/pkg/aggregator
+          - github.com/grafana/grafana/pkg/semconv
+          - github.com/grafana/grafana/pkg/apimachinery
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: apimachinery is not allowed to import grafana core
+        files:
+          - ./pkg/aggregator/*
+          - ./pkg/aggregator/**/*
+      promlib:
+        list-mode: lax
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: promlib is not allowed to import grafana core
+        allow:
+          - github.com/grafana/grafana/pkg/promlib
+        files:
+          - '**/pkg/promlib/**/*'
+      storage-unified-resource:
+        list-mode: lax
+        allow:
+          - github.com/grafana/grafana/pkg/apimachinery
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: pkg/storage/unified/resource is not allowed to import grafana core
+        files:
+          - ./pkg/storage/unified/resource/*
+          - ./pkg/storage/unified/resource/**/*
+      storage-unified-apistore:
+        list-mode: lax
+        allow:
+          - github.com/grafana/grafana/pkg/apimachinery
+          - github.com/grafana/grafana/pkg/apiserver
+          - github.com/grafana/grafana/pkg/unified/resource
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: pkg/storage/unified/apistore is not allowed to import grafana core
+        files:
+          - ./pkg/storage/unified/apistore/*
+          - ./pkg/storage/unified/apistore/**/*
+      apps-playlist:
+        list-mode: lax
+        allow: []
+        deny:
+          - pkg: github.com/grafana/grafana/pkg
+            desc: apps/playlist is not allowed to import grafana core
+        files:
+          - ./apps/playlist/*
+          - ./apps/playlist/**/*
+  gocritic:
+    enabled-checks:
+      - ruleguard
+    settings:
+      ruleguard:
+        rules: pkg/ruleguard.rules.go
+  misspell:
+    ignore-words:
+      - Unknwon
+      - Creater
+  nakedret:
+    max-func-lines: 60
+linters:
+  disable-all: true
+  enable:
+    - asciicheck
+    - bodyclose
+    - depguard
+    - dogsled
+    - errcheck
+    - errorlint
+    - exhaustive
+    - gocyclo
+    - goimports
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - prealloc
+    - revive
+    - staticcheck
+    - stylecheck
+    - unconvert
+    - unused
+    - whitespace
+issues:
+  exclude-use-default: false
+  max-same-issues: 0
+  exclude-dirs:
+    - devenv
+    - scripts
+  exclude-rules:
+    - linters:
+        - stylecheck
+      text: ST1003
+    - linters:
+        - stylecheck
+      text: ST1001
+    - linters:
+        - staticcheck
+      text: 'SA1019: http.CloseNotifier'
+    - linters:
+        - staticcheck
+      text: 'SA1019: strings.Title'
+    - linters:
+        - staticcheck
+      text: 'SA1019: "go.opentelemetry.io/otel/exporters/jaeger"'
+    - linters:
+        - staticcheck
+      text: use fake service and real access control evaluator instead
+    - linters:
+        - gosec
+      text: G108
+    - linters:
+        - gosec
+      text: G110
+    - linters:
+        - gosec
+      text: G115
+    - linters:
+        - gosec
+      text: G201
+    - linters:
+        - gosec
+      text: G202
+    - linters:
+        - gosec
+      text: G306
+    - linters:
+        - gosec
+      text: '401'
+    - linters:
+        - gosec
+      text: '402'
+    - linters:
+        - gosec
+      text: '501'
+    - linters:
+        - gosec
+      text: '404'
+    - linters:
+        - errorlint
+      text: non-wrapping format verb for fmt.Errorf
+    - linters:
+        - stylecheck
+      text: ST1000
+    - linters:
+        - stylecheck
+      text: ST1020
+    - linters:
+        - stylecheck
+      text: ST1021
+    - linters:
+        - gosec
+      path: (.+)_test\.go
+      text: G601
+

.trivyignore

@@ -1 +1,5 @@
 # See https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignore
+
+# Adding CVE in grafana-plugin-sdk-go to exclusions as it does not have direct impact on the product
+# and updating library version requires complex changes in the codebase
+CVE-2024-8986

CHANGELOG.md

@@ -1,3 +1,139 @@
+<!-- 11.2.10 START -->
+
+# 11.2.10 (2025-05-22)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.24.3 [#105113](https://github.com/grafana/grafana/pull/105113), [@macabu](https://github.com/macabu)
+- **Dependencies:** Bump github.com/openfga/openfga from v1.8.5 to v1.8.12 [#105378](https://github.com/grafana/grafana/pull/105378), [@macabu](https://github.com/macabu)
+- **Dependencies:** Unpin and bump github.com/getkin/kin-openapi from v0.125.0 to v0.132.0 [#105255](https://github.com/grafana/grafana/pull/105255), [@macabu](https://github.com/macabu)
+
+### Bug fixes
+
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.2.10 END -->
+<!-- 11.2.9 START -->
+
+# 11.2.9 (2025-04-22)
+
+### Features and enhancements
+
+- **Chore:** Update libs with CVE in dependencies [#102712](https://github.com/grafana/grafana/pull/102712), [@grambbledook](https://github.com/grambbledook)
+- **Go:** Bump to 1.24.2 [#103529](https://github.com/grafana/grafana/pull/103529), [@Proximyst](https://github.com/Proximyst)
+- **Go:** Bump to 1.24.2 (Enterprise)
+
+### Bug fixes
+
+- **Auth:** Fix SAML user IsExternallySynced not being set correctly [#103102](https://github.com/grafana/grafana/pull/103102), [@volcanonoodle](https://github.com/volcanonoodle)
+- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#102982](https://github.com/grafana/grafana/pull/102982), [@kalleep](https://github.com/kalleep)
+- **Security:** Fix CVE-2025-3454
+- **Security:** Fix CVE-2025-2703
+
+<!-- 11.2.9 END -->
+<!-- 11.2.8 START -->
+
+# 11.2.8 (2025-03-25)
+
+### Features and enhancements
+
+- **Chore:** Bump Go version to 1.23.7 [#101294](https://github.com/grafana/grafana/pull/101294), [@macabu](https://github.com/macabu)
+- **Chore:** Bump Go version to 1.23.7 (Enterprise)
+
+### Bug fixes
+
+- **Alerting:** Update slack image upload to use new API [#101487](https://github.com/grafana/grafana/pull/101487), [@moustafab](https://github.com/moustafab)
+- **CloudMigrations:** Fix OrderBy clause in GetSnapshotList sql handler [#102351](https://github.com/grafana/grafana/pull/102351), [@mmandrus](https://github.com/mmandrus)
+- **Service Accounts:** Do not show error pop-ups for Service Account and Renderer UI flows [#101795](https://github.com/grafana/grafana/pull/101795), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+
+<!-- 11.2.8 END -->
+<!-- 11.2.7 START -->
+
+# 11.2.7 (2025-02-18)
+
+### Features and enhancements
+
+- **Docker:** Use our own glibc 2.40 binaries [#99922](https://github.com/grafana/grafana/pull/99922), [@DanCech](https://github.com/DanCech)
+
+### Bug fixes
+
+- **Azure:** Correctly set application insights resource values [#99596](https://github.com/grafana/grafana/pull/99596), [@aangelisc](https://github.com/aangelisc)
+
+<!-- 11.2.7 END -->
+<!-- 11.2.6 START -->
+
+# 11.2.6 (2025-01-28)
+
+### Features and enhancements
+
+- **Azure Monitor:** Add a feature flag to toggle user auth for Azure Monitor only [#97565](https://github.com/grafana/grafana/pull/97565), [@adamyeats](https://github.com/adamyeats)
+- **Security:** Update to Go 1.22.11 - Backport to v11.2.x [#99125](https://github.com/grafana/grafana/pull/99125), [@Proximyst](https://github.com/Proximyst)
+- **Security:** Update to Go 1.22.11 - Backport to v11.2.x (Enterprise)
+
+### Bug fixes
+
+- **Azure/GCM:** Improve error display [#97591](https://github.com/grafana/grafana/pull/97591), [@aangelisc](https://github.com/aangelisc)
+
+<!-- 11.2.6 END -->
+<!-- 11.2.5 START -->
+
+# 11.2.5 (2024-12-04)
+
+### Bug fixes
+
+- **Fix:** Do not fetch Orgs if the user is authenticated by apikey/sa or render key [#97264](https://github.com/grafana/grafana/pull/97264), [@mgyongyosi](https://github.com/mgyongyosi)
+
+<!-- 11.2.5 END -->
+<!-- 11.2.4 START -->
+
+# 11.2.4 (2024-11-19)
+
+### Features and enhancements
+
+- **Alerting:** Make context deadline on AlertNG service startup configurable [#96133](https://github.com/grafana/grafana/pull/96133), [@fayzal-g](https://github.com/fayzal-g)
+- **MigrationAssistant:** Restrict dashboards, folders and datasources by the org id of the signed in user [#96344](https://github.com/grafana/grafana/pull/96344), [@leandro-deveikis](https://github.com/leandro-deveikis)
+- **Transformations:** Add 'transpose' transform [#95076](https://github.com/grafana/grafana/pull/95076), [@jmdane](https://github.com/jmdane)
+- **User:** Check SignedInUser OrgID in RevokeInvite [#95489](https://github.com/grafana/grafana/pull/95489), [@mgyongyosi](https://github.com/mgyongyosi)
+
+### Bug fixes
+
+- **Alerting:** Force refetch prom rules when refreshing panel [#96124](https://github.com/grafana/grafana/pull/96124), [@soniaAguilarPeiron](https://github.com/soniaAguilarPeiron)
+- **Anonymous User:** Adds validator service for anonymous users [#94993](https://github.com/grafana/grafana/pull/94993), [@leandro-deveikis](https://github.com/leandro-deveikis)
+- **Anonymous User:** Adds validator service for anonymous users (Enterprise)
+- **Azure Monitor:** Support metric namespaces fallback [#95154](https://github.com/grafana/grafana/pull/95154), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Fix duplicated traces in multi-resource trace query [#95246](https://github.com/grafana/grafana/pull/95246), [@aangelisc](https://github.com/aangelisc)
+- **Azure:** Handle namespace request rejection [#95908](https://github.com/grafana/grafana/pull/95908), [@aangelisc](https://github.com/aangelisc)
+- **Folders:** Add admin permissions upon creation of a folder w. SA [#95416](https://github.com/grafana/grafana/pull/95416), [@eleijonmarck](https://github.com/eleijonmarck)
+- **Migration:** Remove table aliasing in delete statement to make it work for mariadb [#95231](https://github.com/grafana/grafana/pull/95231), [@kalleep](https://github.com/kalleep)
+- **ServerLock:** Fix pg concurrency/locking issue [#95934](https://github.com/grafana/grafana/pull/95934), [@mgyongyosi](https://github.com/mgyongyosi)
+- **ServerSideExpressions:** Disable SQL Expressions to prevent RCE and LFI vulnerability [#94959](https://github.com/grafana/grafana/pull/94959), [@samjewell](https://github.com/samjewell)
+
+<!-- 11.2.4 END -->
+<!-- 11.2.3+security-01 START -->
+
+# 11.2.3+security-01 (2024-11-12)
+
+### Bug fixes
+
+- **MigrationAssistant:** Fix Migration Assistant issue [CVE-2024-9476]
+
+<!-- 11.2.3+security-01 END -->
+<!-- 11.2.3 START -->
+
+# 11.2.3 (2024-10-22)
+
+### Bug fixes
+
+- **Alerting:** Fix incorrect permission on POST external rule groups endpoint [CVE-2024-8118] [#93947](https://github.com/grafana/grafana/pull/93947), [@alexweav](https://github.com/alexweav)
+- **AzureMonitor:** Fix App Insights portal URL for multi-resource trace queries [#94475](https://github.com/grafana/grafana/pull/94475), [@aangelisc](https://github.com/aangelisc)
+- **Canvas:** Allow API calls to grafana origin [#94129](https://github.com/grafana/grafana/pull/94129), [@adela-almasan](https://github.com/adela-almasan)
+- **Folders:** Correctly show new folder button under root folder [#94712](https://github.com/grafana/grafana/pull/94712), [@IevaVasiljeva](https://github.com/IevaVasiljeva)
+- **OrgSync:** Do not set default Organization for a user to a non-existent Organization [#94549](https://github.com/grafana/grafana/pull/94549), [@mgyongyosi](https://github.com/mgyongyosi)
+- **Plugins:** Skip install errors if dependency plugin already exists [#94717](https://github.com/grafana/grafana/pull/94717), [@wbrowne](https://github.com/wbrowne)
+- **ServerSideExpressions:** Disable SQL Expressions to prevent RCE and LFI vulnerability [#94959](https://github.com/grafana/grafana/pull/94959), [@samjewell](https://github.com/samjewell)
+
+<!-- 11.2.3 END -->
 <!-- 11.2.2+security-01 START -->
 
 # 11.2.2+security-01 (2024-10-17)

Dockerfile

@@ -1,14 +1,19 @@
 # syntax=docker/dockerfile:1
 
-ARG BASE_IMAGE=alpine:3.19.1
+# to maintain formatting of multiline commands in vscode, add the following to settings.json:
+# "docker.languageserver.formatter.ignoreMultilineInstructions": true
+
+ARG BASE_IMAGE=alpine:3.21
 ARG JS_IMAGE=node:20-alpine
 ARG JS_PLATFORM=linux/amd64
-ARG GO_IMAGE=golang:1.22.7-alpine
+ARG GO_IMAGE=golang:1.24.3-alpine
 
+# Default to building locally
 ARG GO_SRC=go-builder
 ARG JS_SRC=js-builder
 
-FROM --platform=${JS_PLATFORM} ${JS_IMAGE} as js-builder
+# Javascript build stage
+FROM --platform=${JS_PLATFORM} ${JS_IMAGE} AS js-builder
 
 ENV NODE_OPTIONS=--max_old_space_size=8000
 
@@ -32,7 +37,8 @@ COPY emails emails
 ENV NODE_ENV production
 RUN yarn build
 
-FROM ${GO_IMAGE} as go-builder
+# Golang build stage
+FROM ${GO_IMAGE} AS go-builder
 
 ARG COMMIT_SHA=""
 ARG BUILD_BRANCH=""
@@ -86,7 +92,8 @@ ENV BUILD_BRANCH=${BUILD_BRANCH}
 
 RUN make build-go GO_BUILD_TAGS=${GO_BUILD_TAGS} WIRE_TAGS=${WIRE_TAGS}
 
-FROM ${BASE_IMAGE} as tgz-builder
+# From-tarball build stage
+FROM ${BASE_IMAGE} AS tgz-builder
 
 WORKDIR /tmp/grafana
 
@@ -98,8 +105,8 @@ COPY ${GRAFANA_TGZ} /tmp/grafana.tar.gz
 RUN tar x -z -f /tmp/grafana.tar.gz --strip-components=1
 
 # helpers for COPY --from
-FROM ${GO_SRC} as go-src
-FROM ${JS_SRC} as js-src
+FROM ${GO_SRC} AS go-src
+FROM ${JS_SRC} AS js-src
 
 # Final stage
 FROM ${BASE_IMAGE}
@@ -134,19 +141,20 @@ RUN if grep -i -q alpine /etc/issue; then \
     fi
 
 # glibc support for alpine x86_64 only
+# docker run --rm --env STDOUT=1 sgerrand/glibc-builder 2.40 /usr/glibc-compat > glibc-bin-2.40.tar.gz
+ARG GLIBC_VERSION=2.40
+
 RUN if grep -i -q alpine /etc/issue && [ `arch` = "x86_64" ]; then \
-      wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
-      wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r0/glibc-2.35-r0.apk \
-        -O /tmp/glibc-2.35-r0.apk && \
-      wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.35-r0/glibc-bin-2.35-r0.apk \
-        -O /tmp/glibc-bin-2.35-r0.apk && \
-      apk add --force-overwrite --no-cache /tmp/glibc-2.35-r0.apk /tmp/glibc-bin-2.35-r0.apk && \
-      rm -f /lib64/ld-linux-x86-64.so.2 && \
-      ln -s /usr/glibc-compat/lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 && \
-      rm -f /tmp/glibc-2.35-r0.apk && \
-      rm -f /tmp/glibc-bin-2.35-r0.apk && \
-      rm -f /lib/ld-linux-x86-64.so.2 && \
-      rm -f /etc/ld.so.cache; \
+      wget -qO- "https://dl.grafana.com/glibc/glibc-bin-$GLIBC_VERSION.tar.gz" | tar zxf - -C / \
+        usr/glibc-compat/lib/ld-linux-x86-64.so.2 \
+        usr/glibc-compat/lib/libc.so.6 \
+        usr/glibc-compat/lib/libdl.so.2 \
+        usr/glibc-compat/lib/libm.so.6 \
+        usr/glibc-compat/lib/libpthread.so.0 \
+        usr/glibc-compat/lib/librt.so.1 \
+        usr/glibc-compat/lib/libresolv.so.2 && \
+      mkdir /lib64 && \
+      ln -s /usr/glibc-compat/lib/ld-linux-x86-64.so.2 /lib64; \
     fi
 
 COPY --from=go-src /tmp/grafana/conf ./conf

Makefile

@@ -8,7 +8,7 @@ WIRE_TAGS = "oss"
 include .bingo/Variables.mk
 
 GO = go
-GO_VERSION = 1.22.7
+GO_VERSION = 1.24.3
 GO_LINT_FILES ?= $(shell ./scripts/go-workspace/golangci-lint-includes.sh)
 GO_TEST_FILES ?= $(shell ./scripts/go-workspace/test-includes.sh)
 SH_FILES ?= $(shell find ./scripts -name *.sh)
@@ -289,7 +289,7 @@ test: test-go test-js ## Run all tests.
 golangci-lint: $(GOLANGCI_LINT)
 	@echo "lint via golangci-lint"
 	$(GOLANGCI_LINT) run \
-		--config .golangci.toml \
+		--config .golangci.yml \
 		$(GO_LINT_FILES)
 
 .PHONY: lint-go