apply security patch: release-11.3.6/382-202504030854.patch

commit 65f410c14ea1fc551ee6e668ce9479ade0293e86 Author: nmarrs <nathanielmarrs@gmail.com> Date: Thu Apr 3 09:51:47 2025 +0100 apply backport
apply security patch: release-11.3.6/376-202504022117.patch
2025-04-18 21:50:31 +00:00 · 2025-04-18 21:50:31 +00:00 · 2025-04-18 21:50:31 +00:00
191 changed files with 2330 additions and 4591 deletions
--- a/.bingo/golangci-lint.mod
+++ b/.bingo/golangci-lint.mod
@@ -1,5 +1,5 @@
 module _ // Auto generated by https://github.com/bwplotka/bingo. DO NOT EDIT

-go 1.24.3
+go 1.24.2

 require github.com/golangci/golangci-lint v1.64.2 // cmd/golangci-lint
--- a/.drone.yml
+++ b/.drone.yml
@@ -25,7 +25,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - ./bin/build verify-drone
@@ -75,7 +75,7 @@ steps:
  - go install github.com/bazelbuild/buildtools/buildifier@latest
  - buildifier --lint=warn -mode=check -r .
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: lint-starlark
 trigger:
  event:
@@ -424,7 +424,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -433,21 +433,21 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - apk add --update build-base shared-mime-info shared-mime-info-lang
  - go list -f '{{.Dir}}/...' -m  | xargs go test -short -covermode=atomic -timeout=5m
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend
 - commands:
  - apk add --update build-base
@@ -456,7 +456,7 @@ steps:
    | grep -o '\(.*\)/' | sort -u)
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend-integration
 trigger:
  event:
@@ -510,7 +510,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - echo $(/usr/bin/github-app-external-token) > /github-app/token
@@ -554,16 +554,16 @@ steps:
  - apk add --update make
  - make gen-go
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - go run scripts/modowners/modowners.go check go.mod
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-modfile
 - commands:
  - apk add --update make
  - make swagger-validate
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-openapi-spec
 trigger:
  event:
@@ -638,7 +638,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
@@ -648,7 +648,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -657,7 +657,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - yarn install --immutable || yarn install --immutable
@@ -695,7 +695,7 @@ steps:
  - /src/grafana-build artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
-    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.3 --yarn-cache=$$YARN_CACHE_FOLDER
+    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.2 --yarn-cache=$$YARN_CACHE_FOLDER
    --build-id=$$DRONE_BUILD_NUMBER --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3
    --tag-format='{{ .version_base }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{
    .version_base }}-{{ .buildID }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD
@@ -721,8 +721,10 @@ steps:
      from_secret: docker_password
    DOCKER_USER:
      from_secret: docker_username
-    GITHUB_APP_ID: "329617"
-    GITHUB_APP_INSTALLATION_ID: "37346161"
+    GITHUB_APP_ID:
+      from_secret: delivery-bot-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: delivery-bot-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  failure: ignore
@@ -1101,7 +1103,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - echo $DRONE_RUNNER_NAME
@@ -1115,7 +1117,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -1124,14 +1126,14 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - dockerize -wait tcp://postgres:5432 -timeout 120s
@@ -1152,7 +1154,7 @@ steps:
    GRAFANA_TEST_DB: postgres
    PGPASSWORD: grafanatest
    POSTGRES_HOST: postgres
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: postgres-integration-tests
 - commands:
  - dockerize -wait tcp://mysql57:3306 -timeout 120s
@@ -1173,7 +1175,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql57
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-5.7-integration-tests
 - commands:
  - dockerize -wait tcp://mysql80:3306 -timeout 120s
@@ -1194,7 +1196,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql80
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-8.0-integration-tests
 - commands:
  - dockerize -wait tcp://redis:6379 -timeout 120s
@@ -1210,7 +1212,7 @@ steps:
  - wait-for-redis
  environment:
    REDIS_URL: redis://redis:6379/0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: redis-integration-tests
 - commands:
  - dockerize -wait tcp://memcached:11211 -timeout 120s
@@ -1226,7 +1228,7 @@ steps:
  - wait-for-memcached
  environment:
    MEMCACHED_HOSTS: memcached:11211
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: memcached-integration-tests
 - commands:
  - dockerize -wait tcp://mimir_backend:8080 -timeout 120s
@@ -1243,7 +1245,7 @@ steps:
    AM_TENANT_ID: test
    AM_URL: http://mimir_backend:8080
  failure: ignore
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: remote-alertmanager-integration-tests
 trigger:
  event:
@@ -1328,7 +1330,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 trigger:
  event:
@@ -1448,7 +1450,7 @@ steps:
    && return 1; fi
  depends_on:
  - clone-enterprise
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: swagger-gen
 trigger:
  event:
@@ -1563,7 +1565,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
@@ -1574,7 +1576,7 @@ steps:
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on:
  - clone-enterprise
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -1584,14 +1586,14 @@ steps:
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on:
  - clone-enterprise
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - apk add --update build-base
@@ -1599,7 +1601,7 @@ steps:
  - go test -v -run=^$ -benchmem -timeout=1h -count=8 -bench=. ${GO_PACKAGES}
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: sqlite-benchmark-integration-tests
 - commands:
  - apk add --update build-base
@@ -1611,7 +1613,7 @@ steps:
    GRAFANA_TEST_DB: postgres
    PGPASSWORD: grafanatest
    POSTGRES_HOST: postgres
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: postgres-benchmark-integration-tests
 - commands:
  - apk add --update build-base
@@ -1622,7 +1624,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql57
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-5.7-benchmark-integration-tests
 - commands:
  - apk add --update build-base
@@ -1633,7 +1635,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql80
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-8.0-benchmark-integration-tests
 trigger:
  event:
@@ -1708,7 +1710,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 trigger:
  branch: main
@@ -1881,7 +1883,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -1890,21 +1892,21 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - apk add --update build-base shared-mime-info shared-mime-info-lang
  - go list -f '{{.Dir}}/...' -m  | xargs go test -short -covermode=atomic -timeout=5m
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend
 - commands:
  - apk add --update build-base
@@ -1913,7 +1915,7 @@ steps:
    | grep -o '\(.*\)/' | sort -u)
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend-integration
 trigger:
  branch: main
@@ -1958,22 +1960,22 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - apk add --update make
  - make gen-go
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - go run scripts/modowners/modowners.go check go.mod
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-modfile
 - commands:
  - apk add --update make
  - make swagger-validate
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-openapi-spec
 - commands:
  - ./bin/build verify-drone
@@ -2104,7 +2106,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - '# It is required that code generated from Thema/CUE be committed and in sync
@@ -2114,7 +2116,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -2123,7 +2125,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - yarn install --immutable || yarn install --immutable
@@ -2160,7 +2162,7 @@ steps:
  - /src/grafana-build artifacts -a targz:grafana:linux/amd64 -a targz:grafana:linux/arm64
    -a targz:grafana:linux/arm/v7 -a docker:grafana:linux/amd64 -a docker:grafana:linux/amd64:ubuntu
    -a docker:grafana:linux/arm64 -a docker:grafana:linux/arm64:ubuntu -a docker:grafana:linux/arm/v7
-    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.3 --yarn-cache=$$YARN_CACHE_FOLDER
+    -a docker:grafana:linux/arm/v7:ubuntu --go-version=1.24.2 --yarn-cache=$$YARN_CACHE_FOLDER
    --build-id=$$DRONE_BUILD_NUMBER --ubuntu-base=ubuntu:22.04 --alpine-base=alpine:3.21.3
    --tag-format='{{ .version_base }}-{{ .buildID }}-{{ .arch }}' --ubuntu-tag-format='{{
    .version_base }}-{{ .buildID }}-ubuntu-{{ .arch }}' --verify='false' --grafana-dir=$$PWD
@@ -2188,8 +2190,10 @@ steps:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
-    GITHUB_APP_ID: "329617"
-    GITHUB_APP_INSTALLATION_ID: "37346161"
+    GITHUB_APP_ID:
+      from_secret: delivery-bot-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: delivery-bot-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
@@ -2490,8 +2494,10 @@ steps:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
-    GITHUB_APP_ID: "329617"
-    GITHUB_APP_INSTALLATION_ID: "37346161"
+    GITHUB_APP_ID:
+      from_secret: delivery-bot-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: delivery-bot-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
@@ -2642,7 +2648,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - echo $DRONE_RUNNER_NAME
@@ -2656,7 +2662,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -2665,14 +2671,14 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - dockerize -wait tcp://postgres:5432 -timeout 120s
@@ -2693,7 +2699,7 @@ steps:
    GRAFANA_TEST_DB: postgres
    PGPASSWORD: grafanatest
    POSTGRES_HOST: postgres
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: postgres-integration-tests
 - commands:
  - dockerize -wait tcp://mysql57:3306 -timeout 120s
@@ -2714,7 +2720,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql57
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-5.7-integration-tests
 - commands:
  - dockerize -wait tcp://mysql80:3306 -timeout 120s
@@ -2735,7 +2741,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql80
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-8.0-integration-tests
 - commands:
  - dockerize -wait tcp://redis:6379 -timeout 120s
@@ -2751,7 +2757,7 @@ steps:
  - wait-for-redis
  environment:
    REDIS_URL: redis://redis:6379/0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: redis-integration-tests
 - commands:
  - dockerize -wait tcp://memcached:11211 -timeout 120s
@@ -2767,7 +2773,7 @@ steps:
  - wait-for-memcached
  environment:
    MEMCACHED_HOSTS: memcached:11211
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: memcached-integration-tests
 - commands:
  - dockerize -wait tcp://mimir_backend:8080 -timeout 120s
@@ -2784,7 +2790,7 @@ steps:
    AM_TENANT_ID: test
    AM_URL: http://mimir_backend:8080
  failure: ignore
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: remote-alertmanager-integration-tests
 trigger:
  branch: main
@@ -3046,7 +3052,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -3055,21 +3061,21 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - apk add --update build-base shared-mime-info shared-mime-info-lang
  - go list -f '{{.Dir}}/...' -m  | xargs go test -short -covermode=atomic -timeout=5m
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend
 - commands:
  - apk add --update build-base
@@ -3078,7 +3084,7 @@ steps:
    | grep -o '\(.*\)/' | sort -u)
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend-integration
 trigger:
  branch:
@@ -3121,22 +3127,22 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - apk add --update make
  - make gen-go
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - go run scripts/modowners/modowners.go check go.mod
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-modfile
 - commands:
  - apk add --update make
  - make swagger-validate
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: validate-openapi-spec
 trigger:
  branch:
@@ -3226,7 +3232,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - echo $DRONE_RUNNER_NAME
@@ -3240,7 +3246,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -3249,14 +3255,14 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - dockerize -wait tcp://postgres:5432 -timeout 120s
@@ -3277,7 +3283,7 @@ steps:
    GRAFANA_TEST_DB: postgres
    PGPASSWORD: grafanatest
    POSTGRES_HOST: postgres
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: postgres-integration-tests
 - commands:
  - dockerize -wait tcp://mysql57:3306 -timeout 120s
@@ -3298,7 +3304,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql57
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-5.7-integration-tests
 - commands:
  - dockerize -wait tcp://mysql80:3306 -timeout 120s
@@ -3319,7 +3325,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql80
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-8.0-integration-tests
 - commands:
  - dockerize -wait tcp://redis:6379 -timeout 120s
@@ -3335,7 +3341,7 @@ steps:
  - wait-for-redis
  environment:
    REDIS_URL: redis://redis:6379/0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: redis-integration-tests
 - commands:
  - dockerize -wait tcp://memcached:11211 -timeout 120s
@@ -3351,7 +3357,7 @@ steps:
  - wait-for-memcached
  environment:
    MEMCACHED_HOSTS: memcached:11211
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: memcached-integration-tests
 - commands:
  - dockerize -wait tcp://mimir_backend:8080 -timeout 120s
@@ -3368,7 +3374,7 @@ steps:
    AM_TENANT_ID: test
    AM_URL: http://mimir_backend:8080
  failure: ignore
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: remote-alertmanager-integration-tests
 trigger:
  branch:
@@ -3471,7 +3477,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - ./bin/build artifacts docker fetch --edition oss
@@ -3549,8 +3555,10 @@ steps:
      from_secret: docker_username
    GCP_KEY:
      from_secret: gcp_grafanauploads
-    GITHUB_APP_ID: "329617"
-    GITHUB_APP_INSTALLATION_ID: "37346161"
+    GITHUB_APP_ID:
+      from_secret: delivery-bot-app-id
+    GITHUB_APP_INSTALLATION_ID:
+      from_secret: delivery-bot-app-installation-id
    GITHUB_APP_PRIVATE_KEY:
      from_secret: delivery-bot-app-private-key
  image: google/cloud-sdk:431.0.0
@@ -3601,7 +3609,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - ./bin/build artifacts docker fetch --edition oss
@@ -3742,7 +3750,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - ./bin/build artifacts packages --artifacts-editions=oss --tag $${DRONE_TAG} --src-bucket
@@ -3833,7 +3841,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - yarn install --immutable || yarn install --immutable
@@ -3933,7 +3941,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - depends_on:
  - compile-build-cmd
@@ -4030,7 +4038,7 @@ steps:
  depends_on: []
  environment:
    CGO_ENABLED: 0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: compile-build-cmd
 - commands:
  - ./bin/build publish grafana-com --edition oss ${DRONE_TAG}
@@ -4092,7 +4100,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4167,7 +4175,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4284,7 +4292,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4435,7 +4443,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -4444,21 +4452,21 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - apk add --update build-base shared-mime-info shared-mime-info-lang
  - go list -f '{{.Dir}}/...' -m  | xargs go test -short -covermode=atomic -timeout=5m
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend
 - commands:
  - apk add --update build-base
@@ -4467,7 +4475,7 @@ steps:
    | grep -o '\(.*\)/' | sort -u)
  depends_on:
  - wire-install
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: test-backend-integration
 trigger:
  cron:
@@ -4521,7 +4529,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4665,7 +4673,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4771,7 +4779,7 @@ steps:
  - export GITHUB_TOKEN=$(cat /github-app/token)
  - 'dagger run --silent /src/grafana-build artifacts -a $${ARTIFACTS} --grafana-ref=$${GRAFANA_REF}
    --enterprise-ref=$${ENTERPRISE_REF} --grafana-repo=$${GRAFANA_REPO} --version=$${VERSION} '
-  - --go-version=1.24.3
+  - --go-version=1.24.2
  depends_on:
  - github-app-generate-token
  environment:
@@ -4792,7 +4800,7 @@ steps:
      from_secret: grafana_api_key
    GCP_KEY_BASE64:
      from_secret: gcp_key_base64
-    GO_VERSION: 1.24.3
+    GO_VERSION: 1.24.2
    GPG_PASSPHRASE:
      from_secret: packages_gpg_passphrase
    GPG_PRIVATE_KEY:
@@ -4937,7 +4945,7 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-cue
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-cue
 - commands:
  - '# It is required that generated jsonnet is committed and in sync with its inputs.'
@@ -4946,14 +4954,14 @@ steps:
  - apk add --update make
  - CODEGEN_VERIFY=1 make gen-jsonnet
  depends_on: []
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: verify-gen-jsonnet
 - commands:
  - apk add --update make
  - make gen-go
  depends_on:
  - verify-gen-cue
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: wire-install
 - commands:
  - dockerize -wait tcp://postgres:5432 -timeout 120s
@@ -4974,7 +4982,7 @@ steps:
    GRAFANA_TEST_DB: postgres
    PGPASSWORD: grafanatest
    POSTGRES_HOST: postgres
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: postgres-integration-tests
 - commands:
  - dockerize -wait tcp://mysql57:3306 -timeout 120s
@@ -4995,7 +5003,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql57
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-5.7-integration-tests
 - commands:
  - dockerize -wait tcp://mysql80:3306 -timeout 120s
@@ -5016,7 +5024,7 @@ steps:
  environment:
    GRAFANA_TEST_DB: mysql
    MYSQL_HOST: mysql80
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: mysql-8.0-integration-tests
 - commands:
  - dockerize -wait tcp://redis:6379 -timeout 120s
@@ -5032,7 +5040,7 @@ steps:
  - wait-for-redis
  environment:
    REDIS_URL: redis://redis:6379/0
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: redis-integration-tests
 - commands:
  - dockerize -wait tcp://memcached:11211 -timeout 120s
@@ -5048,7 +5056,7 @@ steps:
  - wait-for-memcached
  environment:
    MEMCACHED_HOSTS: memcached:11211
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: memcached-integration-tests
 - commands:
  - dockerize -wait tcp://mimir_backend:8080 -timeout 120s
@@ -5065,7 +5073,7 @@ steps:
    AM_TENANT_ID: test
    AM_URL: http://mimir_backend:8080
  failure: ignore
-  image: golang:1.24.3-alpine
+  image: golang:1.24.2-alpine
  name: remote-alertmanager-integration-tests
 trigger:
  event:
@@ -5371,7 +5379,7 @@ steps:
 - commands:
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM docker:27-cli
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM alpine/git:2.40.1
-  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.24.3-alpine
+  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM golang:1.24.2-alpine
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM node:20.9.0-alpine
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM node:20-bookworm
  - trivy --exit-code 0 --severity UNKNOWN,LOW,MEDIUM google/cloud-sdk:431.0.0
@@ -5410,7 +5418,7 @@ steps:
 - commands:
  - trivy --exit-code 1 --severity HIGH,CRITICAL docker:27-cli
  - trivy --exit-code 1 --severity HIGH,CRITICAL alpine/git:2.40.1
-  - trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.24.3-alpine
+  - trivy --exit-code 1 --severity HIGH,CRITICAL golang:1.24.2-alpine
  - trivy --exit-code 1 --severity HIGH,CRITICAL node:20.9.0-alpine
  - trivy --exit-code 1 --severity HIGH,CRITICAL node:20-bookworm
  - trivy --exit-code 1 --severity HIGH,CRITICAL google/cloud-sdk:431.0.0
@@ -5531,13 +5539,13 @@ name: prerelease_bucket
 ---
 get:
  name: username
-  path: ci/data/common/dockerhub
+  path: infra/data/ci/grafanaci-docker-hub
 kind: secret
 name: docker_username
 ---
 get:
  name: password
-  path: ci/data/common/dockerhub
+  path: infra/data/ci/grafanaci-docker-hub
 kind: secret
 name: docker_password
 ---
@@ -5656,8 +5664,20 @@ kind: secret
 name: dagger_token
 ---
 get:
-  name: PRIVATE_KEY
-  path: ci/data/repo/grafana/grafana/delivery-bot-app
+  name: app-id
+  path: infra/data/ci/grafana-release-eng/grafana-delivery-bot
+kind: secret
+name: delivery-bot-app-id
+---
+get:
+  name: app-installation-id
+  path: infra/data/ci/grafana-release-eng/grafana-delivery-bot
+kind: secret
+name: delivery-bot-app-installation-id
+---
+get:
+  name: app-private-key
+  path: infra/data/ci/grafana-release-eng/grafana-delivery-bot
 kind: secret
 name: delivery-bot-app-private-key
 ---
@@ -5668,6 +5688,6 @@ kind: secret
 name: gcr_credentials
 ---
 kind: signature
-hmac: 3575a2899316cbc94d9a26960841ccd6efba6464b4e847d2a1c4e357a37ab8cb
+hmac: 10351df8b46f884d83178ff3abb14c25eee0a0bd7498d78e0e79d0d6f81c1f9b

 ...
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -12,8 +12,8 @@
 # This should make it easy to add new rules without breaking existing ones.

 # Documentation
-/.changelog-archive @grafana/grafana-developer-enablement-squad
-/CHANGELOG.md @grafana/grafana-developer-enablement-squad
+/.changelog-archive @grafana/grafana-release-guild
+/CHANGELOG.md @grafana/grafana-release-guild
 /CODE_OF_CONDUCT.md @grafana/grafana-community-support
 /CONTRIBUTING.md @grafana/grafana-community-support
 /GOVERNANCE.md @RichiH
@@ -32,15 +32,15 @@
 /devenv/README.md @grafana/docs-grafana

 # START Technical documentation
-/.vale.ini @grafana/docs-tooling
 # `make docs` procedure and related workflows are owned @grafana/docs-tooling. Slack #docs.
 /docs/                                                                            @grafana/docs-tooling

+/docs/.codespellignore                                                            @grafana/docs-tooling
 /docs/sources/                                                                    @irenerl24

-/docs/sources/alerting/                                                           @JohnnyK-Grafana
+/docs/sources/alerting/                                                           @brendamuir
 /docs/sources/dashboards/                                                         @imatwawana
-/docs/sources/datasources/                                                        @lwandz13
+/docs/sources/explore/                                                            @grafana/explore-squad @lwandz13
 /docs/sources/panels-visualizations/                                              @imatwawana
 /docs/sources/release-notes/                                                      @irenerl24 @GrafanaWriter
 /docs/sources/upgrade-guide/                                                      @imatwawana
@@ -57,7 +57,6 @@
 /go.work @grafana/grafana-app-platform-squad
 /go.work.sum @grafana/grafana-app-platform-squad
 /.bingo/ @grafana/grafana-backend-group
-/.citools @grafana/grafana-developer-enablement-squad
 /pkg/README.md @grafana/grafana-backend-group
 /pkg/ruleguard.rules.go @grafana/grafana-backend-group
 /.bra.toml @grafana/grafana-backend-group
@@ -67,21 +66,12 @@
 /scripts/go-workspace @grafana/grafana-app-platform-squad
 /hack/ @grafana/grafana-app-platform-squad

-/pkg/apis/provisioning @grafana/grafana-git-ui-sync-team
-/public/app/features/provisioning @grafana/grafana-git-ui-sync-team
-/pkg/registry/apis/provisioning @grafana/grafana-git-ui-sync-team
-
 /apps/alerting/ @grafana/alerting-backend
-/apps/dashboard/ @grafana/grafana-app-platform-squad @grafana/dashboards-squad
-/apps/folder/ @grafana/grafana-app-platform-squad
 /apps/playlist/ @grafana/grafana-app-platform-squad
-/apps/investigations/ @fcjack @matryer @svennergr
-/apps/advisor/ @grafana/plugins-platform-backend
 /pkg/api/ @grafana/grafana-backend-group
 /pkg/apis/ @grafana/grafana-app-platform-squad
+/pkg/apis/alerting_notifications @grafana/grafana-app-platform-squad @grafana/alerting-backend @grafana/alerting-frontend
 /pkg/apis/query @grafana/grafana-datasources-core-services
-/pkg/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
-/pkg/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/bus/ @grafana/grafana-search-and-storage
 /pkg/cmd/ @grafana/grafana-backend-group
 /pkg/cmd/grafana-cli/commands/install_command.go @grafana/plugins-platform-backend
@@ -125,20 +115,18 @@
 /pkg/apimachinery @grafana/grafana-app-platform-squad
 /pkg/apimachinery/identity/ @grafana/identity-squad
 /pkg/apimachinery/errutil/ @grafana/grafana-backend-group
-/pkg/promlib @grafana/oss-big-tent
+/pkg/promlib @grafana/observability-metrics
 /pkg/storage/ @grafana/grafana-search-and-storage
-/pkg/storage/secret/ @grafana/grafana-operator-experience-squad
 /pkg/services/annotations/ @grafana/grafana-search-and-storage
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
 /pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
-/pkg/services/correlations/ @grafana/dataviz-squad
+/pkg/services/correlations/ @grafana/explore-squad
 /pkg/services/dashboardimport/ @grafana/grafana-backend-group
 /pkg/services/dashboards/ @grafana/grafana-app-platform-squad
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
 /pkg/services/encryption/ @grafana/grafana-operator-experience-squad
 /pkg/services/folder/ @grafana/grafana-search-and-storage
-/pkg/services/frontend/ @grafana/grafana-frontend-platform
 /pkg/services/apiserver @grafana/grafana-app-platform-squad
 /pkg/services/hooks/ @grafana/grafana-backend-group
 /pkg/services/kmsproviders/ @grafana/grafana-operator-experience-squad
@@ -151,7 +139,7 @@
 /pkg/services/provisioning/ @grafana/grafana-search-and-storage
 /pkg/services/provisioning/alerting/ @grafana/alerting-backend
 /pkg/services/query/ @grafana/grafana-app-platform-squad
-/pkg/services/queryhistory/ @grafana/observability-traces-and-profiling
+/pkg/services/queryhistory/ @grafana/explore-squad
 /pkg/services/quota/ @grafana/grafana-search-and-storage
 /pkg/services/screenshot/ @grafana/grafana-backend-group
 /pkg/services/search/ @grafana/grafana-search-and-storage
@@ -171,9 +159,8 @@
 /pkg/setting/ @grafana/grafana-backend-services-squad
 /pkg/tests/ @grafana/grafana-backend-services-squad
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
-/pkg/tests/apis/query @grafana/grafana-datasources-core-services
 /pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
-/pkg/tests/api/correlations/ @grafana/dataviz-squad
+/pkg/tests/api/correlations/ @grafana/explore-squad
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
 /pkg/util/ @grafana/grafana-backend-group
@@ -189,7 +176,7 @@
 # Logs code, developers environment
 /devenv/docker/blocks/loki* @grafana/observability-logs
 /devenv/docker/blocks/elastic* @grafana/aws-datasources
-/devenv/docker/blocks/self-instrumentation* @grafana/oss-big-tent
+/devenv/docker/blocks/self-instrumentation* @grafana/observability-metrics

 /devenv/bulk-dashboards/ @grafana/dashboards-squad
 /devenv/bulk-folders/ @grafana/grafana-frontend-platform
@@ -199,57 +186,8 @@
 /devenv/datasources.yaml @grafana/grafana-backend-group
 /devenv/datasources_docker.yaml @grafana/grafana-backend-group
 /devenv/dev-dashboards-without-uid/ @grafana/dashboards-squad
-
-/devenv/dev-dashboards/annotations @grafana/dataviz-squad
-/devenv/dev-dashboards/migrations @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-barchart @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-bargauge @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-candlestick @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-canvas @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-datagrid @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-gauge @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-geomap @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-graph @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-heatmap @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-histogram @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-library @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-piechart @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-stat @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-table @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-timeline @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-timeseries @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-trend @grafana/dataviz-squad
-/devenv/dev-dashboards/panel-xychart @grafana/dataviz-squad
-/devenv/dev-dashboards/transforms @grafana/dataviz-squad
-/devenv/dev-dashboards/all-panels.json @grafana/dataviz-squad
-/devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
-/devenv/dev-dashboards/home.json @grafana/dataviz-squad
-
-/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/aws-datasources
-/devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
-/devenv/dev-dashboards/datasource-loki/ @grafana/plugins-platform-frontend
-/devenv/dev-dashboards/datasource-testdata/ @grafana/plugins-platform-frontend
-/devenv/dev-dashboards/datasource-mysql/ @grafana/oss-big-tent
-/devenv/dev-dashboards/datasource-postgres/ @grafana/oss-big-tent
-
-/devenv/dev-dashboards/e2e-repeats/ @grafana/grafana-frontend-platform
-/devenv/dev-dashboards/panel-text @grafana/grafana-frontend-platform
-/devenv/dev-dashboards/scenarios @grafana/grafana-frontend-platform
-
-/devenv/dev-dashboards/feature-templating/ @grafana/dashboards-squad
-/devenv/dev-dashboards/panel-common @grafana/dashboards-squad
-/devenv/dev-dashboards/panel-dashlist @grafana/dashboards-squad
-/devenv/dev-dashboards/live @grafana/dashboards-squad
-
-/devenv/dev-dashboards/panel-flamegraph/ @grafana/observability-traces-and-profiling
-/devenv/dev-dashboards/panel-polystat @grafana/plugins-platform-frontend
-/devenv/dev-dashboards/extensions/ @grafana/plugins-platform-frontend
-
+/devenv/dev-dashboards/ @grafana/dashboards-squad
 /devenv/docker/blocks/alert_webhook_listener/ @grafana/alerting-backend
-/devenv/docker/blocks/stateful_webhook/ @grafana/alerting-backend
-/devenv/docker/blocks/caddy_tls/ @grafana/alerting-backend
 /devenv/docker/blocks/clickhouse/ @grafana/partner-datasources
 /devenv/docker/blocks/collectd/ @grafana/observability-metrics
 /devenv/docker/blocks/etcd @grafana/grafana-app-platform-squad
@@ -276,10 +214,9 @@
 /devenv/docker/blocks/opentsdb/ @grafana/partner-datasources
 /devenv/docker/blocks/postgres/ @grafana/oss-big-tent
 /devenv/docker/blocks/postgres_tests/ @grafana/oss-big-tent
-/devenv/docker/blocks/prometheus/ @grafana/oss-big-tent
-/devenv/docker/blocks/prometheus_random_data/ @grafana/oss-big-tent
-/devenv/docker/blocks/prometheus_high_card/ @grafana/oss-big-tent
-/devenv/docker/blocks/prometheus_utf8/ @grafana/oss-big-tent
+/devenv/docker/blocks/prometheus/ @grafana/observability-metrics
+/devenv/docker/blocks/prometheus_random_data/ @grafana/observability-metrics
+/devenv/docker/blocks/prometheus_high_card/ @grafana/observability-metrics
 /devenv/docker/blocks/pyroscope/ @grafana/observability-traces-and-profiling
 /devenv/docker/blocks/redis/ @bergquist
 /devenv/docker/blocks/sensugo/ @grafana/grafana-backend-group
@@ -297,8 +234,8 @@
 /devenv/docker/loadtest/ @grafana/grafana-backend-services-squad
 /devenv/docker/rpmtest/ @grafana/grafana-backend-services-squad
 /devenv/jsonnet/ @grafana/dataviz-squad
-/devenv/local_cdn/ @grafana/frontend-ops
 /devenv/local-npm/ @grafana/frontend-ops
+/devenv/vscode/ @grafana/frontend-ops
 /devenv/setup.sh @grafana/grafana-backend-services-squad
 /devenv/plugins.yaml @grafana/plugins-platform-frontend

@@ -310,16 +247,15 @@


 # Continuous Integration
-.drone.yml @grafana/grafana-developer-enablement-squad
-.drone.star @grafana/grafana-developer-enablement-squad
-/scripts/drone/ @grafana/grafana-developer-enablement-squad
-/pkg/build/ @grafana/grafana-developer-enablement-squad
-/.dockerignore @grafana/grafana-developer-enablement-squad
-/Dockerfile @grafana/grafana-developer-enablement-squad
-/Makefile @grafana/grafana-developer-enablement-squad
-/scripts/build/ @grafana/grafana-developer-enablement-squad
-/scripts/list-release-artifacts.sh @grafana/grafana-developer-enablement-squad
-/scripts/releasefinder.sh @baldm0mma
+.drone.yml @grafana/grafana-release-guild
+.drone.star @grafana/grafana-release-guild
+/scripts/drone/ @grafana/grafana-release-guild
+/pkg/build/ @grafana/grafana-release-guild
+/.dockerignore @grafana/grafana-release-guild
+/Dockerfile @grafana/grafana-release-guild
+/Makefile @grafana/grafana-release-guild
+/scripts/build/ @grafana/grafana-release-guild
+/scripts/list-release-artifacts.sh @grafana/grafana-release-guild
 /.trivyignore @grafana/grafana-backend-services-squad

 # OSS Plugin Partnerships backend code
@@ -328,7 +264,7 @@
 /pkg/tsdb/cloud-monitoring/ @grafana/partner-datasources

 # Observability backend code
-/pkg/tsdb/prometheus/ @grafana/oss-big-tent
+/pkg/tsdb/prometheus/ @grafana/observability-metrics
 /pkg/tsdb/elasticsearch/ @grafana/aws-datasources
 /pkg/tsdb/loki/ @grafana/observability-logs
 /pkg/tsdb/tempo/ @grafana/observability-traces-and-profiling
@@ -338,8 +274,6 @@
 # OSS Big Tent backend code
 /pkg/tsdb/mysql/ @grafana/oss-big-tent
 /pkg/tsdb/grafana-postgresql-datasource/ @grafana/oss-big-tent
-/pkg/tsdb/zipkin/ @grafana/oss-big-tent
-/pkg/tsdb/jaeger/ @grafana/oss-big-tent

 # Partner Datasources backend code
 /pkg/tsdb/mssql/ @grafana/partner-datasources
@@ -358,6 +292,7 @@
 /pkg/modules/ @grafana/grafana-app-platform-squad
 /pkg/services/grpcserver/ @grafana/grafana-search-and-storage
 /pkg/generated @grafana/grafana-app-platform-squad
+/pkg/services/unifiedSearch/ @grafana/grafana-search-and-storage

 # Alerting
 /pkg/services/ngalert/ @grafana/alerting-backend
@@ -377,7 +312,7 @@
 /pkg/services/datasourceproxy/ @grafana/plugins-platform-backend
 /pkg/services/datasources/ @grafana/plugins-platform-backend
 /pkg/services/pluginsintegration/ @grafana/plugins-platform-backend
-/pkg/plugins/codegen/pfs/ @grafana/plugins-platform-backend @grafana/grafana-as-code
+/pkg/plugins/pfs/ @grafana/plugins-platform-backend @grafana/grafana-as-code
 /pkg/tsdb/grafana-testdata-datasource/ @grafana/plugins-platform-backend
 /pkg/tsdb/Magefile.go @grafana/plugins-platform-backend
 /pkg/services/pluginsintegration/pluginsettings/ @grafana/plugins-platform-backend
@@ -388,9 +323,7 @@


 /crowdin.yml @grafana/grafana-frontend-platform
-/public/locales/ @grafanabot
-/public/locales/i18next-parser.config.cjs @grafana/grafana-frontend-platform
-/public/locales/i18next-parser-enterprise.config.cjs @grafana/grafana-frontend-platform
+/public/locales/ @grafana/grafana-frontend-platform
 /public/app/core/internationalization/ @grafana/grafana-frontend-platform
 /e2e/ @grafana/grafana-frontend-platform
 /e2e/cloud-plugins-suite/ @grafana/partner-datasources
@@ -412,11 +345,11 @@
 /packages/grafana-o11y-ds-frontend/src/TraceToMetrics/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/src/TraceToProfiles/ @grafana/observability-traces-and-profiling
 /packages/grafana-plugin-configs/ @grafana/plugins-platform-frontend
-/packages/grafana-prometheus/ @grafana/oss-big-tent
+/packages/grafana-prometheus/ @grafana/observability-metrics
 /packages/grafana-schema/src/**/*canvas* @grafana/dataviz-squad
 /packages/grafana-schema/src/**/*tempo* @grafana/observability-traces-and-profiling
 /packages/grafana-sql/ @grafana/partner-datasources @grafana/oss-big-tent
-/packages/grafana-ui/.storybook/ @grafana/grafana-frontend-platform
+/packages/grafana-ui/.storybook/ @grafana/plugins-platform-frontend
 /packages/grafana-ui/src/components/ @grafana/grafana-frontend-platform
 /packages/grafana-ui/src/components/BarGauge/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/DataLinks/ @grafana/dataviz-squad
@@ -425,7 +358,7 @@
 /packages/grafana-ui/src/components/PluginSignatureBadge/ @grafana/plugins-platform-frontend
 /packages/grafana-ui/src/components/Sparkline/ @grafana/grafana-frontend-platform @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/Table/ @grafana/dataviz-squad
-/packages/grafana-ui/src/components/Table/Cells/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
+/packages/grafana-ui/src/components/Table/SparklineCell.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /packages/grafana-ui/src/components/uPlot/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/ValuePicker/ @grafana/dataviz-squad
 /packages/grafana-ui/src/components/VizLayout/ @grafana/dataviz-squad
@@ -435,8 +368,9 @@
 /packages/grafana-ui/src/graveyard/Graph/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/GraphNG/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
-/packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
-/packages/grafana-alerting/ @grafana/alerting-frontend
+/packages/grafana-ui/src/utils/storybook/ @grafana/plugins-platform-frontend
+
+/plugins-bundled/ @grafana/plugins-platform-frontend

 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
@@ -446,11 +380,9 @@
 /.nxignore @grafana/frontend-ops
 /tsconfig.json @grafana/frontend-ops
 /.editorconfig @grafana/frontend-ops
-/eslint.config.js @grafana/frontend-ops
-/.betterer.eslint.config.js @grafana/frontend-ops
+/.eslintignore @grafana/frontend-ops
 /.gitattributes @grafana/frontend-ops
 /.gitignore @grafana/frontend-ops
-/.ignore @grafana/frontend-ops
 /.nvmrc @grafana/frontend-ops
 /.prettierignore @grafana/frontend-ops
 /.yarn @grafana/frontend-ops
@@ -458,19 +390,20 @@
 /yarn.lock @grafana/frontend-ops
 /lerna.json @grafana/frontend-ops
 /.prettierrc.js @grafana/frontend-ops
+/.eslintrc @grafana/frontend-ops
 /.vim @zoltanbedi
 /jest.config.js @grafana/frontend-ops
 /latest.json @grafana/frontend-ops
 /stylelint.config.js @grafana/frontend-ops
 /tools/ @grafana/frontend-ops
 /lefthook.yml @grafana/frontend-ops
+/lefthook.rc @grafana/frontend-ops
 /.husky/pre-commit @grafana/frontend-ops
 /cypress.config.js @grafana/grafana-frontend-platform
 /.levignore.js @grafana/plugins-platform-frontend
 playwright.config.ts @grafana/plugins-platform-frontend

 # public folder
-/public/app/api/ @grafana/grafana-frontend-platform
 /public/app/core/ @grafana/grafana-frontend-platform
 /public/app/core/components/TimePicker/ @grafana/grafana-frontend-platform
 /public/app/core/components/Layers/ @grafana/dataviz-squad
@@ -481,7 +414,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/core/components/OptionsUI/ @grafana/dashboards-squad @grafana/dataviz-squad


-/public/app/core/history/ @grafana/observability-traces-and-profiling
+/public/app/core/history/ @grafana/explore-squad
 /public/app/features/admin/ @grafana/identity-access-team

 # Temp owners until Enterprise team takes over
@@ -496,7 +429,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/visualization/data-hover/ @grafana/dataviz-squad
 /public/app/features/commandPalette/ @grafana/grafana-frontend-platform
 /public/app/features/connections/ @grafana/plugins-platform-frontend
-/public/app/features/correlations/ @grafana/dataviz-squad
+/public/app/features/correlations/ @grafana/explore-squad
 /public/app/features/dashboard/ @grafana/dashboards-squad
 /public/app/features/dashboard/components/TransformationsEditor/ @grafana/dataviz-squad
 /public/app/features/dashboard-scene/ @grafana/dashboards-squad
@@ -504,8 +437,8 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/datasources/ @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
-/public/app/features/explore/ @grafana/observability-traces-and-profiling
-/public/app/features/expressions/ @grafana/grafana-datasources-core-services
+/public/app/features/explore/ @grafana/explore-squad
+/public/app/features/expressions/ @grafana/observability-metrics
 /public/app/features/folders/ @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
 /public/app/features/invites/ @grafana/grafana-frontend-platform
@@ -520,12 +453,14 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
 /public/app/features/profile/ @grafana/grafana-frontend-platform
+/public/app/features/query-library/ @grafana/explore-squad
 /public/app/features/runtime/ @ryantxu
 /public/app/features/query/ @grafana/dashboards-squad
 /public/app/features/sandbox/ @grafana/grafana-frontend-platform
 /public/app/features/browse-dashboards/ @grafana/grafana-frontend-platform
 /public/app/features/search/ @grafana/grafana-frontend-platform
 /public/app/features/serviceaccounts/ @grafana/identity-squad
+/public/app/features/storage/ @grafana/grafana-app-platform-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
 /public/app/features/trails/ @grafana/observability-metrics
@@ -534,7 +469,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
 /public/app/features/preferences/ @grafana/grafana-frontend-platform
-/public/app/features/bookmarks/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
 /public/app/plugins/panel/annolist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
@@ -544,10 +478,10 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
 /public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/graph/ @grafana/dataviz-squad
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
-/public/app/plugins/panel/logs-new/ @grafana/observability-logs
 /public/app/plugins/panel/nodeGraph/ @grafana/observability-traces-and-profiling @grafana/app-o11y-visualizations
 /public/app/plugins/panel/traces/ @grafana/observability-traces-and-profiling
 /public/app/plugins/panel/flamegraph/ @grafana/observability-traces-and-profiling
@@ -556,6 +490,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/status-history/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/ @grafana/dataviz-squad
 /public/app/plugins/panel/table/cells/SparklineCellOptionsEditor.tsx @grafana/dataviz-squad @grafana/app-o11y-visualizations
+/public/app/plugins/panel/table-old/ @grafana/dataviz-squad
 /public/app/plugins/panel/timeseries/ @grafana/dataviz-squad
 /public/app/plugins/panel/trend/ @grafana/dataviz-squad
 /public/app/plugins/panel/geomap/ @grafana/dataviz-squad
@@ -567,12 +502,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
+/public/app/plugins/sdk.ts @grafana/plugins-platform-frontend
 /public/app/routes/ @grafana/grafana-frontend-platform
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
 /public/app/types/unified-alerting-dto.ts @grafana/alerting-frontend
-/public/app/types/unified-alerting.ts @grafana/alerting-frontend
 /public/dashboards/ @grafana/dashboards-squad
 /public/gazetteer/ @ryantxu
 /public/img/ @grafana/grafana-frontend-platform
@@ -590,16 +525,16 @@ playwright.config.ts @grafana/plugins-platform-frontend

 /public/app/features/explore/Logs/ @grafana/observability-logs

-/public/app/features/explore/RawPrometheus/ @grafana/oss-big-tent
+/public/app/features/explore/RawPrometheus/ @grafana/observability-metrics

 /public/app/features/explore/NodeGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/FlameGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/TraceView/ @grafana/observability-traces-and-profiling
-/public/app/features/explore/QueryLibrary/ @grafana/grafana-frontend-platform

 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
 /public/openapi3.json @grafana/grafana-backend-group
+/public/app/angular/ @torkelo
 /public/app/app.ts @grafana/frontend-ops
 /public/app/dev.ts @grafana/frontend-ops
 /public/app/core/utils/metrics.ts @grafana/plugins-platform-frontend
@@ -607,31 +542,34 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/AppWrapper.tsx @grafana/frontend-ops
 /public/app/partials/ @grafana/grafana-frontend-platform

+
+
+
 /scripts/benchmark-access-control.sh @grafana/access-squad
 /scripts/check-breaking-changes.sh @grafana/plugins-platform-frontend
-/scripts/ci-* @grafana/grafana-developer-enablement-squad
-/scripts/circle-* @grafana/grafana-developer-enablement-squad
-/scripts/publish-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
-/scripts/validate-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
+/scripts/ci-* @grafana/grafana-release-guild
+/scripts/circle-* @grafana/grafana-release-guild
+/scripts/publish-npm-packages.sh @grafana/grafana-release-guild @grafana/plugins-platform-frontend
+/scripts/validate-npm-packages.sh @grafana/grafana-release-guild @grafana/plugins-platform-frontend
 /scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad
 /scripts/cli/ @grafana/grafana-frontend-platform
 /scripts/clean-git-or-error.sh @grafana/grafana-as-code
 /scripts/grafana-server/ @grafana/grafana-frontend-platform
-/scripts/helpers/ @grafana/grafana-developer-enablement-squad
+/scripts/helpers/ @grafana/grafana-release-guild
 /scripts/import_many_dashboards.sh @torkelo
 /scripts/mixin-check.sh @bergquist
 /scripts/openapi3/ @grafana/grafana-operator-experience-squad
-/scripts/prepare-npm-package.js @grafana/frontend-ops
+/scripts/prepare-packagejson.js @grafana/frontend-ops
 /scripts/protobuf-check.sh @grafana/plugins-platform-backend
 /scripts/stripnulls.sh @grafana/grafana-as-code
-/scripts/tag_release.sh @grafana/grafana-developer-enablement-squad
-/scripts/trigger_docker_build.sh @grafana/grafana-developer-enablement-squad
-/scripts/trigger_grafana_packer.sh @grafana/grafana-developer-enablement-squad
-/scripts/trigger_windows_build.sh @grafana/grafana-developer-enablement-squad
+/scripts/tag_release.sh @grafana/grafana-release-guild
+/scripts/trigger_docker_build.sh @grafana/grafana-release-guild
+/scripts/trigger_grafana_packer.sh @grafana/grafana-release-guild
+/scripts/trigger_windows_build.sh @grafana/grafana-release-guild
 /scripts/cleanup-husky.sh @grafana/frontend-ops
-/scripts/verify-repo-update/ @grafana/grafana-developer-enablement-squad
+/scripts/verify-repo-update/ @grafana/grafana-release-guild
+/scripts/generate-icon-bundle.js @grafana/plugins-platform-frontend @grafana/grafana-frontend-platform
 /scripts/generate-rtk-apis.ts @grafana/grafana-frontend-platform
-/scripts/process-specs.ts @grafana/grafana-frontend-platform
 /scripts/generate-alerting-rtk-apis.ts @grafana/alerting-frontend
 /scripts/levitate-parse-json-report.js @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
@@ -643,8 +581,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 .pa11yci.conf.js @grafana/grafana-frontend-platform
 .pa11yci-pr.conf.js @grafana/grafana-frontend-platform
 .betterer.results @grafanabot
+.betterer.results.json @grafanabot
 .betterer.ts @grafana/grafana-frontend-platform

+# @grafana/ui component documentation
+*.mdx @grafana/plugins-platform-frontend
+
 # Design system
 /public/img/icons/unicons/ @grafana/design-system

@@ -664,7 +606,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
 /public/app/plugins/datasource/opentsdb/ @grafana/partner-datasources
 /public/app/plugins/datasource/grafana-postgresql-datasource/ @grafana/oss-big-tent
-/public/app/plugins/datasource/prometheus/ @grafana/oss-big-tent
+/public/app/plugins/datasource/prometheus/ @grafana/observability-metrics
 /public/app/plugins/datasource/cloud-monitoring/ @grafana/partner-datasources
 /public/app/plugins/datasource/zipkin/ @grafana/oss-big-tent
 /public/app/plugins/datasource/tempo/ @grafana/observability-traces-and-profiling
@@ -684,7 +626,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/rendering/ @grafana/sharing-squad

 # SSE - Server Side Expressions
-/pkg/expr/ @grafana/grafana-datasources-core-services
+/pkg/expr/ @grafana/observability-metrics

 # Cloud middleware
 /grafana-mixin/ @grafana/grafana-backend-services-squad
@@ -716,7 +658,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/caching/ @grafana/grafana-operator-experience-squad
 /pkg/services/cloudmigration/ @grafana/grafana-operator-experience-squad
 /pkg/services/gcom/ @grafana/grafana-operator-experience-squad
-/pkg/services/authapi/ @grafana/grafana-operator-experience-squad

 # Feature toggles
 /pkg/services/featuremgmt/ @grafana/grafana-backend-services-squad
@@ -725,7 +666,6 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Kind definitions
 /kinds/dashboard @grafana/dashboards-squad
 /kinds/ @grafana/grafana-as-code
-kindsv2/ @grafana/dashboards-squad

 # Kind system and code generation
 embed.go @grafana/grafana-as-code
@@ -734,9 +674,6 @@ embed.go @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
 /pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
-/pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
-/pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
-/pkg/registry/apps/advisor @grafana/plugins-platform-backend
 /pkg/codegen/ @grafana/grafana-as-code
 /pkg/codegen/generators @grafana/grafana-as-code
 /pkg/kinds/*/*_gen.go @grafana/grafana-as-code
@@ -753,21 +690,15 @@ embed.go @grafana/grafana-as-code
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
 /.github/metrics-collector.json @torkelo
-/.github/pr-checks.json @tolzhabayev
-/.github/pr-commands.json @tolzhabayev
+/.github/pr-checks.json @marefr
+/.github/pr-commands.json @marefr
 /.github/renovate.json5 @grafana/frontend-ops
-/.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
-/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
-/.github/actions/setup-grafana-bench/ @Proximyst
-/.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
-/.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
+/.github/teams.yml @armandgrillet
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
-/.github/workflows/alerting-update-module.yml @grafana/alerting-backend
 /.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
-/.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
 /.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/close-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/migrate-prs.yml @grafana/grafana-developer-enablement-squad
@@ -775,58 +706,47 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/codeowners-validator.yml @tolzhabayev
 /.github/workflows/codeql-analysis.yml @DanCech
 /.github/workflows/commands.yml @torkelo
-/.github/workflows/community-release.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/community-release.yml @grafana/grafana-release-guild
 /.github/workflows/detect-breaking-changes-* @grafana/plugins-platform-frontend
-/.github/workflows/documentation-ci.yml @grafana/docs-tooling
-/.github/workflows/deploy-pr-preview.yml @grafana/docs-tooling
-/.github/workflows/feature-toggles-ci.yml @grafana/docs-tooling
-/.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/doc-validator.yml @grafana/docs-tooling
+/.github/workflows/epic-add-to-platform-ux-parent-project.yml @meanmina
+/.github/workflows/github-release.yml @grafana/grafana-release-guild
+/.github/workflows/issue-labeled.yml @armandgrillet
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
-/.github/workflows/lint-build-docs.yml @grafana/docs-tooling
 /.github/workflows/metrics-collector.yml @torkelo
-/.github/workflows/pr-checks.yml @tolzhabayev
+/.github/workflows/milestone.yml @marefr
+/.github/workflows/pr-checks.yml @marefr
+/.github/workflows/pr-codeql-analysis-go.yml @DanCech
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
-/.github/workflows/pr-commands.yml @tolzhabayev
-/.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
-/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
-/.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-commands.yml @marefr
+/.github/workflows/pr-patch-check.yml @grafana/grafana-release-guild
+/.github/workflows/sync-mirror.yml @grafana/grafana-release-guild
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
+/.github/workflows/remove-milestone.yml @grafana/grafana-release-guild
+/.github/workflows/sbom-report.yml @grafana/security-team
 /.github/workflows/scripts/json-file-to-job-output.js @grafana/plugins-platform-frontend
-/.github/workflows/stale.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
+/.github/workflows/scripts/pr-get-job-link.js @grafana/plugins-platform-frontend
+/.github/workflows/stale.yml @grafana/grafana-release-guild
+/.github/workflows/update-changelog.yml @grafana/grafana-release-guild
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
-/.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
-/.github/workflows/publish-kinds-next.yml @grafana/platform-monitoring
-/.github/workflows/publish-kinds-release.yml @grafana/platform-monitoring
-/.github/workflows/verify-kinds.yml @grafana/platform-monitoring
+/.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-cat
+/.github/workflows/publish-kinds-next.yml @grafana/platform-cat
+/.github/workflows/publish-kinds-release.yml @grafana/platform-cat
+/.github/workflows/verify-kinds.yml @grafana/platform-cat
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
-/.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
-/.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
-/.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
-/.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-release-guild
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
-/.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
-/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
-/.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
 /.github/workflows/changelog.yml @zserge
-/.github/actions/changelog @zserge
-/.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
-/.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
-/.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
-/.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
-/.github/zizmor.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/actions/changelog @zserge

 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot
@@ -845,4 +765,3 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/dashboards/ @grafana/dashboards-squad
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
-/conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team
--- a/.github/actions/setup-enterprise/action.yml
+++ b/.github/actions/setup-enterprise/action.yml
@@ -1,48 +0,0 @@
-name: 'Setup Grafana Enterprise'
-description: 'Clones and sets up Grafana Enterprise repository for testing'
-
-inputs:
-  github-app-name:
-    description: 'Name of the GitHub App in Vault'
-    required: false
-    default: 'grafana-ci-bot'
-
-runs:
-  using: "composite"
-  steps:
-    - name: Retrieve GitHub App secrets
-      id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
-      with:
-        repo_secrets: |
-          APP_ID=${{ inputs.github-app-name }}:app-id
-          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
-          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
-
-    - name: Generate GitHub App token
-      id: generate_token
-      uses: actions/create-github-app-token@v1
-      with:
-        app-id: ${{ env.APP_ID }}
-        private-key: ${{ env.PRIVATE_KEY }}
-        repositories: "grafana-enterprise"
-        owner: "grafana"
-
-    - name: Setup Enterprise
-      shell: bash
-      env:
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-      run: |
-        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
-        
-        cd ../grafana-enterprise
-        
-        if git checkout ${GITHUB_HEAD_REF}; then
-          echo "checked out ${GITHUB_HEAD_REF}"
-        elif git checkout ${GITHUB_BASE_REF}; then
-          echo "checked out ${GITHUB_BASE_REF}"
-        else
-          git checkout main
-        fi
-        
-        ./build.sh
--- a/.github/actions/setup-grafana-bench/action.yml
+++ b/.github/actions/setup-grafana-bench/action.yml
@@ -1,45 +0,0 @@
-name: 'Setup Grafana Bench'
-description: 'Sets up and installs Grafana Bench'
-
-inputs:
-  github-app-name:
-    description: 'Name of the GitHub App in Vault'
-    required: false
-    default: 'grafana-ci-bot'
-  branch:
-    description: 'The branch to install from'
-    required: false
-    default: 'main'
-
-runs:
-  using: "composite"
-  steps:
-    - name: Retrieve GitHub App secrets
-      id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
-      with:
-        repo_secrets: |
-          APP_ID=${{ inputs.github-app-name }}:app-id
-          APP_INSTALLATION_ID=${{ inputs.github-app-name }}:app-installation-id
-          PRIVATE_KEY=${{ inputs.github-app-name }}:private-key
-
-    - name: Generate GitHub App token
-      id: generate_token
-      uses: actions/create-github-app-token@v1
-      with:
-        app-id: ${{ env.APP_ID }}
-        private-key: ${{ env.PRIVATE_KEY }}
-        repositories: "grafana-bench"
-        owner: "grafana"
-
-    - name: Setup Bench
-      shell: bash
-      env:
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        BRANCH: ${{ inputs.branch }}
-      run: |
-        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-bench.git ../grafana-bench
-
-        cd ../grafana-bench
-        git switch "$BRANCH"
-        go install .
--- a/.github/actions/test-coverage-processor/action.yml
+++ b/.github/actions/test-coverage-processor/action.yml
@@ -1,50 +0,0 @@
-name: 'Go Coverage Processor'
-description: 'Process Go test coverage files and generate reports'
-
-inputs:
-  test-type:
-    description: 'Type of test (e.g., be-unit, be-integration)'
-    required: true
-    type: string
-  coverage-file:
-    description: 'Path to the Go coverage file (.cov)'
-    required: true
-    type: string
-  codecov-token:
-    description: 'Token for CodeCov (required for CodeCov reporting)'
-    required: false
-    default: ''
-  codecov-flag:
-    description: 'Flag to categorize the upload to CodeCov'
-    required: false
-    default: ''
-  codecov-name:
-    description: 'Custom name for the upload to CodeCov'
-    required: false
-    default: ''
-
-runs:
-  using: 'composite'
-  steps:
-    - name: Process Go coverage output
-      shell: bash
-      env:
-        COVERAGE_FILE: ${{ inputs.coverage-file }}
-      run: |
-        # Ensure valid coverage file even if empty
-        if [ ! -s "$COVERAGE_FILE" ]; then
-          echo "Coverage file is empty, creating a minimal valid file"
-          echo "mode: set" > "$COVERAGE_FILE"
-        fi
-
-    - name: Report coverage to CodeCov
-      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
-      if: inputs.codecov-token != ''
-      with:
-        files: ${{ inputs.coverage-file }}
-        flags: ${{ inputs.codecov-flag || inputs.test-type }}
-        name: ${{ inputs.codecov-name || inputs.test-type }}
-        slug: grafana/grafana
-        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
-        url: https://codecov-webhook.grafana-dev.net
-        token: ${{ inputs.codecov-token }}
--- a/.github/workflows/actions/changelog/action.yml
+++ b/.github/workflows/actions/changelog/action.yml
--- a/.github/workflows/actions/changelog/index.js
+++ b/.github/workflows/actions/changelog/index.js
@@ -69,17 +69,8 @@ const graphql = async (ghtoken, query, variables) => {
    },
    body: JSON.stringify({ query, variables }),
  });
-
-  const res = await results.json();
-
-  LOG(
-    JSON.stringify({
-      status: results.status,
-      text: results.statusText,
-    })
-  );
-
-  return res.data;
+  const { data } = await results.json();
+  return data;
 };

 // Using Github GraphQL API find the timestamp for the given tag/commit hash.
@@ -108,20 +99,20 @@ const getCommitishDate = async (name, owner, target) => {
 // Using Github GraphQL API get a list of PRs between the two "commitish" items.
 // This resoves the "since" item's timestamp first and iterates over all PRs
 // till "target" using naïve pagination.
-const getHistory = async (name, owner, from, to) => {
-  LOG(`Fetching ${owner}/${name} PRs between ${from} and ${to}`);
+const getHistory = async (name, owner, target, sinceDate) => {
+  LOG(`Fetching ${owner}/${name} PRs since ${sinceDate} till ${target}`);
  const query = `
  query findCommitsWithAssociatedPullRequests(
    $name: String!
    $owner: String!
-    $from: String!
-    $to: String!
+    $target: String!
+    $sinceDate: GitTimestamp
    $cursor: String
  ) {
    repository(name: $name, owner: $owner) {
-      ref(qualifiedName: $from) {
-        compare(headRef: $to) {
-          commits(first: 25, after: $cursor) {
+      object(expression: $target) {
+        ... on Commit {
+          history(first: 50, since: $sinceDate, after: $cursor) {
            totalCount
            pageInfo {
              hasNextPage
@@ -164,13 +155,13 @@ const getHistory = async (name, owner, from, to) => {
    const result = await graphql(ghtoken, query, {
      name,
      owner,
-      from,
-      to,
+      target,
+      sinceDate,
      cursor,
    });
    LOG(`GraphQL: ${JSON.stringify(result)}`);
-    nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
-    const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
+    nodes = [...nodes, ...result.repository.object.history.nodes];
+    const { hasNextPage, endCursor } = result.repository.object.history.pageInfo;
    if (!hasNextPage) {
      break;
    }
@@ -184,11 +175,11 @@ const getHistory = async (name, owner, from, to) => {
 // feature, deprecation, breaking change and plugin fixes/enhancements).
 //
 // PR grouping relies on Github labels only, not on the PR contents.
-const getChangeLogItems = async (name, owner, from, to) => {
+const getChangeLogItems = async (name, owner, sinceDate, to) => {
  // check if a node contains a certain label
  const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
  // get all the PRs between the two "commitish" items
-  const history = await getHistory(name, owner, from, to);
+  const history = await getHistory(name, owner, to, sinceDate);

  const items = history.flatMap((node) => {
    // discard PRs without a "changelog" label
@@ -240,10 +231,13 @@ const previous = process.argv[3] || process.env.INPUT_PREVIOUS || (await getPrev

 LOG(`Previous tag/commit: ${previous}`);

+const sinceDate = await getCommitishDate('grafana', 'grafana', previous);
+LOG(`Previous tag/commit timestamp: ${sinceDate}`);
+
 // Get all changelog items from Grafana OSS
-const oss = await getChangeLogItems('grafana', 'grafana', previous, target);
+const oss = await getChangeLogItems('grafana', 'grafana', sinceDate, target);
 // Get all changelog items from Grafana Enterprise
-const entr = await getChangeLogItems('grafana-enterprise', 'grafana', previous, target);
+const entr = await getChangeLogItems('grafana-enterprise', 'grafana', sinceDate, target);

 LOG(`Found OSS PRs: ${oss.length}`);
 LOG(`Found Enterprise PRs: ${entr.length}`);
--- a/.github/workflows/actions/changelog/package.json
+++ b/.github/workflows/actions/changelog/package.json
--- a/.github/workflows/add-to-whats-new.yml
+++ b/.github/workflows/add-to-whats-new.yml
@@ -1,16 +0,0 @@
-name: Add comment about adding a What's new note
-on:
-  pull_request:
-    types: [labeled]
-
-jobs:
-  add-comment:
-    if: ${{ ! github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'add to what''s new') }}
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    steps:
-      - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
-        with:
-          message: |
-            Since you've added the `Add to what's new` label, consider drafting a [What's new note](https://admin.grafana.com/content-admin/#/collections/whats-new/new) for this feature.
--- a/.github/workflows/alerting-swagger-gen.yml
+++ b/.github/workflows/alerting-swagger-gen.yml
@@ -13,16 +13,15 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 2
-          persist-credentials: false
      - name: Set go version
-        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+        uses: actions/setup-go@v4
        with:
          go-version-file: go.mod
      - name: Build swagger
        run: |
          make -C pkg/services/ngalert/api/tooling post.json api.json
      - name: Open Pull Request
-        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5
+        uses: peter-evans/create-pull-request@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          commit-message: "chore: update alerting swagger spec"
@@ -35,3 +34,4 @@ jobs:
          labels: 'area/alerting,type/docs,no-changelog'
          team-reviewers: 'grafana/alerting-backend'
          draft: false
+
--- a/.github/workflows/alerting-update-module.yml
+++ b/.github/workflows/alerting-update-module.yml
@@ -1,137 +0,0 @@
-name: Update Alerting Module
-
-on:
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  update-grafana:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4 # 4.2.2
-        with:
-          persist-credentials: false
-      - name: Check if update branch exists
-        run: |
-          if git ls-remote --heads origin update-alerting-module | grep -q 'update-alerting-module'; then
-            echo "Branch 'update-alerting-module' already exists. There might be an open PR with Grafana updates."
-            echo "Please review and merge/close the existing PR before running this workflow again."
-            exit 1
-          fi
-
-      - name: Setup Go
-        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # 5.3.0
-        with:
-          "go-version-file": "go.mod"
-
-      - name: Extract current commit hash of alerting module
-        id: current-commit
-        run: |
-          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
-          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT
-
-      - name: Get current branch name
-        id: current-branch-name
-        run: echo "name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
-
-      - name: Get latest commit
-        id: latest-commit
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          BRANCH="${{ steps.current-branch-name.outputs.name }}"
-          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
-           if [ -z "$TO_COMMIT" ]; then
-            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
-            exit 1
-          fi
-          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT
-
-      - name: Compare commit hashes
-        run: |
-          FROM_COMMIT="${{ steps.current-commit.outputs.from_commit }}"
-          TO_COMMIT="${{ steps.latest-commit.outputs.to_commit }}"
-          
-          # Compare just the length of the shorter hash
-          SHORT_TO_COMMIT="${TO_COMMIT:0:${#FROM_COMMIT}}"
-          
-          if [ "$FROM_COMMIT" = "$SHORT_TO_COMMIT" ]; then
-            echo "Current version ($FROM_COMMIT) is already at latest ($SHORT_TO_COMMIT). No update needed."
-            exit 0
-          fi
-          echo "Updates available: $FROM_COMMIT -> $TO_COMMIT"
-
-      - name: Check for commit history
-        id: check-commits
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          # get all commits that contains 'Alerting:' in the message          
-          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
-            --jq '.commits[].commit.message | split("\n")[0]') || true
-          
-          # Use printf instead of echo -e for better multiline handling
-          printf "%s\n" "$ALERTING_COMMITS"
-          
-          # make the list for markdown and replace PR numbers with links
-          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
-          
-          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
-          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
-
-      - name: Update alerting module
-        env:
-          GOSUMDB: off
-        run: |
-          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
-          make update-workspace
-
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          repo_secrets: |
-            GITHUB_APP_ID=alerting-team:app-id
-            GITHUB_APP_PRIVATE_KEY=alerting-team:private-key
-
-      - name: "Generate token"
-        id: generate_token
-        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # 1.11.5
-        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # 7.0.6
-        id: create-pr
-        with:
-          token: '${{ steps.generate_token.outputs.token }}'
-          title:  'Alerting: Update alerting module to ${{ steps.latest-commit.outputs.to_commit }}'
-          branch: alerting/update-alerting-module
-          delete-branch: true
-          body: |
-            Updates Grafana Alerting module to latest version.
-
-            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
-            <details>
-            <summary>Commits</summary>
-            
-            ${{ steps.check-commits.outputs.alerting_commits }}
-
-            </details>
-
-            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
-      - name: Add PR URL to Summary
-        if: steps.create-pr.outputs.pull-request-url != ''
-        run: |
-          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
-          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/analytics-events-report.yml
+++ b/.github/workflows/analytics-events-report.yml
@@ -1,25 +0,0 @@
-name: Analytics Events Report
-
-on:
-  workflow_dispatch:
-
-jobs:
-  generate-report:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
-
-      - name: Generate analytics report
-        run: yarn analytics-report
--- a/.github/workflows/auto-milestone.yml
+++ b/.github/workflows/auto-milestone.yml
@@ -21,7 +21,7 @@ jobs:
      # Note: Github will not trigger other actions from this because it uses
      # the GITHUB_TOKEN token
      - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@d4c452f92ed826d515dccf1f62923e537953acd8 # main
+        uses: grafana/grafana-github-actions-go/auto-milestone@main
        with:
          pr: ${{ github.event.pull_request.number }}
          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/auto-triager/labels.txt
+++ b/.github/workflows/auto-triager/labels.txt
@@ -1,124 +0,0 @@
-area/admin/user
-area/alerting
-area/annotations
-area/auth
-area/auth/ldap
-area/auth/oauth
-area/auth/rbac
-area/auth/serviceaccount
-area/backend
-area/backend/api
-area/backend/db
-area/backend/db/migration
-area/backend/db/mysql
-area/backend/db/postgres
-area/backend/db/sql
-area/backend/db/sqlite
-area/configuration
-area/dashboard/annotations
-area/dashboard/data-links
-area/dashboard/edit
-area/dashboard/folders
-area/dashboard/import
-area/dashboard/kiosk
-area/dashboard/links
-area/dashboard/rows
-area/dashboard/scenes
-area/dashboard/settings
-area/dashboard/snapshot
-area/dashboard/templating
-area/dashboard/timerange
-area/dashboard/tv
-area/dashboard/variable
-area/dashboards/panel
-area/data/export
-area/explore
-area/expressions
-area/field/overrides
-area/frontend/library-panels
-area/frontend/login
-area/image-rendering
-area/internationalization
-area/legend
-area/library-panel
-area/metricsdrilldown
-area/navigation
-area/panel/annotation-list
-area/panel/barchart
-area/panel/bargauge
-area/panel/candlestick
-area/panel/canvas
-area/panel/dashboard-list
-area/panel/edit
-area/panel/edit
-area/panel/field-override
-area/panel/flame-graph
-area/panel/gauge
-area/panel/geomap
-area/panel/heatmap
-area/panel/histogram
-area/panel/logs
-area/panel/node-graph
-area/panel/node-graph
-area/panel/piechart
-area/panel/repeat
-area/panel/singlestat
-area/panel/stat
-area/panel/state-timeline
-area/panel/status-history
-area/panel/table
-area/panel/timeseries
-area/panel/traceview
-area/panel/trend
-area/panel/xychart
-area/permissions
-area/playlist
-area/plugins
-area/plugins-catalog
-area/provisioning
-area/provisioning/datasources
-area/public-dashboards
-area/query-library
-area/recorded-queries
-area/scenes
-area/search
-area/security
-area/streaming
-area/templating/repeating
-area/tooltip
-area/transformations
-datagrid
-datasource/Alertmanager
-datasource/Azure
-datasource/azure-cosmosdb
-datasource/BigQuery
-datasource/CloudWatch
-datasource/CloudWatch Logs
-datasource/CSV
-datasource/Elasticsearch
-datasource/GitHub
-datasource/GoogleCloudMonitoring
-datasource/GoogleSheets
-datasource/grafana-pyroscope
-datasource/Graphite
-datasource/InfluxDB
-datasource/Jaeger
-datasource/JSON
-datasource/Loki
-datasource/MSSQL
-datasource/MySQL
-datasource/OpenSearch
-datasource/OpenTSDB
-datasource/Parca
-datasource/Phlare
-datasource/Postgres
-datasource/Prometheus
-datasource/SiteWIse
-datasource/Splunk
-datasource/Tempo
-datasource/TestDataDB
-datasource/Timestream
-datasource/X-Ray
-datasource/Zabbix
-datasource/Zipkin
-team/grafana-aws-datasources
--- a/.github/workflows/auto-triager/prompt.txt
+++ b/.github/workflows/auto-triager/prompt.txt
@@ -1,25 +0,0 @@
-You are an expert Grafana issues categorizer.
-
-You are provided with a Grafana issue. Your task is to categorize the issue by analyzing the issue title and description to determine the most relevant category and type from the provided lists. Focus on precision and clarity, selecting only the most pertinent labels based on the issue details. Ensure that your selections reflect the core problem or functionality affected.
-
-The output should be a valid JSON object with the following fields:
-* id (string): The ID of the current issue.
-* categoryLabel (array of strings): The category labels for the current issue, emphasizing key terms and context.
-* typeLabel (array of strings): The type of the current issue, emphasizing clarity and relevance.
-
-**Instructions**:
-1. **Contextual Analysis**: Understand the context and intent behind the issue description. Analyze the overall narrative and relationships between different components within Grafana. Consider dependencies and related components to inform your decision.
-2. **Category and Type Differentiation**: Use language cues and patterns to differentiate between similar categories and types. Provide examples and counterexamples to clarify distinctions. Prioritize primary components over secondary ones unless they are critical to the issue.
-3. **Historical Data Utilization**: Compare current issues with past resolved issues by analyzing similarities in problem descriptions, leveraging patterns to inform categorization. Use historical data to recognize patterns and inform your decision-making.
-4. **Confidence Scoring**: Implement a confidence scoring mechanism to flag issues for review if the confidence is below a predefined threshold. Clearly indicate thresholds for high and low confidence predictions. Provide clarifying questions if data is ambiguous.
-5. **Feedback Loop Integration**: Integrate feedback from incorrect predictions to refine understanding and improve future predictions. Conduct error analysis to identify patterns in misclassifications and adapt your approach accordingly.
-6. **Semantic Analysis**: Evaluate the underlying intent of the issue using semantic analysis, considering broader implications and context. Leverage metadata or historical patterns to improve accuracy.
-7. **Avoid Over-Specification**: Maintain precision and conciseness, avoiding unnecessary details. Prioritize clarity and flag for further review if uncertain.
-8. **Consistent JSON Formatting**: Ensure the output maintains a consistent JSON structure with uniform formatting for readability and scalability.
-
-**Next Steps and Insights**:
- Suggest potential next steps or resources that could help address the issue, providing actionable insights to enhance user engagement.
- Regularly test responses against edge cases to ensure robustness and adaptability.
- Stay updated with changes in category and type lists to remain current.
-
-Provide a brief explanation of the categorization decision, highlighting key terms or context that influenced the choice. Use user-centric language and technical details to ensure the explanation is comprehensive and insightful.
--- a/.github/workflows/auto-triager/types.txt
+++ b/.github/workflows/auto-triager/types.txt
@@ -1,30 +0,0 @@
-type/accessibility
-type/angular-2-react
-type/browser-compatibility
-type/bug
-type/build-packaging
-type/chore
-type/ci
-type/cleanup
-type/codegen
-type/community
-type/debt
-type/design
-type/discussion
-type/docs
-type/duplicate
-type/e2e
-type/epic
-type/feature-request
-type/feature-toggle-enable
-type/feature-toggle-removal
-type/performance
-type/poc
-type/project
-type/proposal
-type/question
-type/refactor
-type/regression
-type/roadmap
-type/tech
-type/ux
--- a/.github/workflows/backend-code-checks.yml
+++ b/.github/workflows/backend-code-checks.yml
@@ -1,73 +0,0 @@
-name: Backend Code Checks
-
-on:
-  pull_request:
-    paths-ignore:
-      - '*.md'
-      - 'docs/**'
-      - 'latest.json'
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - '*.md'
-      - 'docs/**'
-      - 'latest.json'
-
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  validate-configs:
-    name: Validate Backend Configs
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
-          # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
-          # This ensures the GHAs environment matches what we use in the Drone pipeline
-          go-version: 1.24.1
-          cache: true
-
-      - name: Verify code generation
-        run: |
-          CODEGEN_VERIFY=1 make gen-cue
-          CODEGEN_VERIFY=1 make gen-jsonnet
-      
-      - name: Validate go.mod
-        run: go run scripts/modowners/modowners.go check go.mod
-
-      # Enterprise setup is needed for complete OpenAPI spec generation
-      # We only do this for internal PRs
-      - name: Setup Grafana Enterprise
-        if: github.event.pull_request.head.repo.fork == false
-        uses: ./.github/actions/setup-enterprise
-        
-      - name: Generate and Validate OpenAPI Specs
-        run: |
-          # For PRs from forks, we'll just run the basic swagger-gen without validation
-          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
-            echo "PR is from a fork, skipping enterprise-based validation"
-            make swagger-gen
-            exit 0
-          fi
-          
-          # Clean and regenerate OpenAPI specs
-          make swagger-clean && make openapi3-gen
-          
-          # Check if the generated specs differ from what's in the repository
-          for f in public/api-merged.json public/openapi3.json; do git add $f; done
-          if [ -z "$(git diff --name-only --cached)" ]; then
-            echo "OpenAPI specs are up to date!"
-          else
-            echo "OpenAPI specs are OUT OF DATE!"
-            git diff --cached
-            echo "Please ensure the branch is up-to-date, then regenerate the specification by running make swagger-clean && make openapi3-gen"
-            exit 1
-          fi
--- a/.github/workflows/backend-unit-tests.yml
+++ b/.github/workflows/backend-unit-tests.yml
@@ -1,71 +0,0 @@
-name: Backend Unit Tests
-
-on:
-  pull_request:
-    paths-ignore:
-      - 'docs/**'
-      - '**/*.md'
-  push:
-    branches:
-      - main
-      - release-*.*.*
-    paths-ignore:
-      - 'docs/**'
-      - '**/*.md'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-permissions: {}
-
-jobs:
-  grafana:
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
-    # the `pr-backend-unit-tests-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
-    name: Grafana
-    runs-on: ubuntu-latest-8-cores
-    continue-on-error: true
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Generate Go code
-        run: make gen-go
-      - name: Run unit tests
-        run: make test-go-unit
-
-  grafana-enterprise:
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
-    name: Grafana Enterprise
-    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Setup Enterprise
-        uses: ./.github/actions/setup-enterprise
-        with:
-          github-app-name: 'grafana-ci-bot'
-      - name: Generate Go code
-        run: make gen-go
-      - name: Run unit tests
-        run: make test-go-unit
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -5,28 +5,23 @@ on:
      - closed
      - labeled

-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
  main:
    if: github.repository == 'grafana/grafana'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4 # 4.2.2
+        uses: actions/checkout@v4
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          persist-credentials: false
-      - run: git config --local user.name "github-actions[bot]"
-      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
-      - run: git config --local --add --bool push.autoSetupRemote true
-      - name: Set remote URL
-        env:
-          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - run: git config --global user.email '132647405+grafana-delivery-bot[bot]@users.noreply.github.com'
+      - run: git config --global user.name 'grafana-delivery-bot[bot]'
+      - run: git remote set-url origin "https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/grafana.git"
      - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/backport@main
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -11,37 +11,33 @@ on:
      dry_run:
        default: false
        required: false
-
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
-  bump-version:
+  main:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Grafana
        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - name: Update package.json versions
        uses: ./pkg/build/actions/bump-version
        with:
          version: ${{ inputs.version }}
+      - if: ${{ inputs.push }}
+        name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - if: ${{ inputs.push }}
        name: Push & Create PR
-        env:
-          VERSION: ${{ inputs.version }}
-          DRY_RUN: ${{ inputs.dry_run }}
-          REF_NAME: ${{ github.ref_name }}
-          RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --local user.name "github-actions[bot]"
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true
-          git checkout -b "bump-version/${RUN_ID}/${VERSION}"
+          git checkout -b "bump-version/${{ github.run_id }}/${{ inputs.version }}"
          git add .
-          git commit -m "bump version ${VERSION}"
+          git commit -m "bump version ${{ inputs.version }}"
          git push
-          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
+          gh pr create --dry-run=${{ inputs.dry_run }} -l "type/ci" -l "no-changelog" -B "${{ github.ref_name }}" --title "Release: Bump version to ${{ inputs.version }}" --body "Updated version to ${{ inputs.version }}"
+        env:
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -51,21 +51,15 @@ on:
        default: false
        type: boolean

-permissions: {}
+permissions:
+  contents: write
+  pull-requests: write

 jobs:
  main:
-    env:
-      RUN_ID: ${{ github.run_id }}
-      VERSION: ${{ inputs.version }}
-      PREVIOUS_VERISON: ${{ inputs.previous_version }}
-      TARGET: ${{ inputs.target }}
-      DRY_RUN: ${{ inputs.dry_run }}
    runs-on: ubuntu-latest
    permissions:
-      id-token: write
      contents: write
-      pull-requests: write
    steps:
      - name: "Generate token"
        id: generate_token
@@ -85,7 +79,6 @@ jobs:
            .prettierrc.js
          fetch-depth: 0
          fetch-tags: true
-          persist-credentials: false
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
@@ -96,10 +89,10 @@ jobs:
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true
      - name: "Create branch"
-        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
+        run: git checkout -b "changelog/${{ github.run_id }}/${{ inputs.version }}"
      - name: "Generate changelog"
        id: changelog
-        uses: ./.github/actions/changelog
+        uses: ./.github/workflows/actions/changelog
        with:
          previous: ${{ inputs.previous_version }}
          github_token: ${{ steps.generate_token.outputs.token }}
@@ -110,24 +103,24 @@ jobs:
          # Prepare CHANGELOG.md content with version delimiters
          (
            echo
-            echo "# ${VERSION} ($(date '+%F'))"
+            echo "# ${{ inputs.version}} ($(date '+%F'))"
            echo
            cat changelog_items.md
          ) > CHANGELOG.part

          # Check if a version exists in the changelog
-          if grep -q "<!-- ${VERSION} START" CHANGELOG.md ; then
+          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
            # Replace the content between START and END delimiters
-            echo "Version ${VERSION} is found in the CHANGELOG.md, patching contents..."
-            sed -i -e "/${VERSION} START/,/${VERSION} END/{//!d;}" \
-                   -e "/${VERSION} START/r CHANGELOG.part" CHANGELOG.md
+            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
+            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
+                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
          else
            # Prepend changelog part to the main changelog file
-            echo "Version $VERSION not found in the CHANGELOG.md"
+            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
            (
-              echo "<!-- ${VERSION} START -->"
+              echo "<!-- ${{ inputs.version }} START -->"
              cat CHANGELOG.part
-              echo "<!-- ${VERSION} END -->"
+              echo "<!-- ${{ inputs.version }} END -->"
              cat CHANGELOG.md
            ) > CHANGELOG.tmp
            mv CHANGELOG.tmp CHANGELOG.md
@@ -145,11 +138,11 @@ jobs:
      - name: "Create changelog PR"
        run: >
          gh pr create \
-            --dry-run=${DRY_RUN} \
+            --dry-run=${{ inputs.dry_run }} \
            --label "no-backport" \
            --label "no-changelog" \
-            -B "${TARGET}" \
-            --title "Release: update changelog for ${VERSION}" \
-            --body "Changelog changes for release ${VERSION}"
+            -B "${{ inputs.target }}" \
+            --title "Release: update changelog for ${{ inputs.version }}" \
+            --body "Changelog changes for release ${{ inputs.version }}"
        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/close-milestone.yml
+++ b/.github/workflows/close-milestone.yml
@@ -0,0 +1,44 @@
+name: Close milestone
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: Needs to match, exactly, the name of a milestone
+  workflow_call:
+    inputs:
+      version_call:
+        description: Needs to match, exactly, the name of a milestone
+        required: true
+        type: string
+
+jobs:
+  main:
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Close milestone (manually invoked)
+        if: ${{ github.event.inputs.version != '' }}
+        uses: ./actions/close-milestone
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Close milestone (workflow invoked)
+        if: ${{ inputs.version_call != '' }}
+        uses: ./actions/close-milestone
+        with:
+          version_call: ${{ inputs.version_call }}
+          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/codeowners-validator.yml
+++ b/.github/workflows/codeowners-validator.yml
@@ -10,10 +10,8 @@ jobs:
    steps:
      # Checks-out your repository, which is validated in the next step
      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - name: GitHub CODEOWNERS Validator
-        uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
+        uses: mszostok/codeowners-validator@v0.7.4
        # input parameters
        with:
          # ==== GitHub Auth ====
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -3,19 +3,18 @@
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
-name: "CodeQL checks"
+name: "CodeQL"

 on:
  workflow_dispatch:
  push:
-    branches: ['**'] # run on all branches
+    branches: [main, v1.8.x, v2.0.x, v2.1.x, v2.6.x, v3.0.x, v3.1.x, v4.0.x, v4.1.x, v4.2.x, v4.3.x, v4.4.x, v4.5.x, v4.6.x, v4.7.x, v5.0.x, v5.1.x, v5.2.x, v5.3.x, v5.4.x, v6.0.x, v6.1.x, v6.2.x, v6.3.x, v6.4.x, v6.5.x, v6.6.x, v6.7.x, v7.0.x, v7.1.x, v7.2.x]
    paths-ignore:
      - '**/*.cue'
      - '**/*.json'
      - '**/*.md'
      - '**/*.txt'
      - '**/*.yml'
-      - pkg/storage/unified/sql/db/dbimpl/db.go # Ignoring warnings on the whole file for now while inline comments is not supported in Go (https://github.com/github/codeql/issues/11427)
  schedule:
    - cron: '0 4 * * 6'

@@ -26,7 +25,6 @@ jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
-    continue-on-error: true # doesn't block PRs from being merged if this fails
    if: github.repository == 'grafana/grafana'

    strategy:
@@ -45,17 +43,16 @@ jobs:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2
-        persist-credentials: false

    - if: matrix.language == 'go'
      name: Set go version
-      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+      uses: actions/setup-go@v4
      with:
        go-version-file: go.mod

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,4 +67,4 @@ jobs:
        make build-go

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -12,7 +12,9 @@ on:
 concurrency:
  group: issue-commands-${{ github.event.issue.number }}

-permissions: {}
+permissions:
+  contents: read
+  id-token: write

 jobs:
  config:
@@ -32,13 +34,10 @@ jobs:
    needs: config
    if: needs.config.outputs.has-secrets
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
    steps:
      - name: "Get vault secrets"
        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
@@ -53,12 +52,11 @@ jobs:
          private_key: ${{ env.GH_APP_PEM }}

      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
+        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-          persist-credentials: false

      - name: Install Actions
        run: npm install --production --prefix ./actions
--- a/.github/workflows/community-release.yml
+++ b/.github/workflows/community-release.yml
@@ -36,7 +36,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/community-release@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
--- a/.github/workflows/core-plugins-build-and-release.yml
+++ b/.github/workflows/core-plugins-build-and-release.yml
@@ -33,8 +33,6 @@ permissions:

 jobs:
  build-and-publish:
-    env:
-      PLUGIN_ID: ${{ inputs.plugin_id }}
    name: Build and publish ${{ inputs.plugin_id }}
    runs-on: ubuntu-latest
    outputs:
@@ -44,13 +42,11 @@ jobs:
    steps:
      - name: checkout
        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - name: Verify inputs
        run: |
-          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z ${{ inputs.plugin_id }} ]; then echo "Missing plugin ID"; exit 1; fi
      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in the ci/repo/grafana/<repo>/<path> path in Vault
          repo_secrets: |
@@ -58,11 +54,11 @@ jobs:
            PLUGINS_GRAFANA_API_KEY=core-plugins-build-and-release:PLUGINS_GRAFANA_API_KEY
            PLUGINS_GCOM_TOKEN=core-plugins-build-and-release:PLUGINS_GCOM_TOKEN
      - name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
+        uses: 'google-github-actions/auth@v2'
        with:
          credentials_json: '${{ env.PLUGINS_GOOGLE_CREDENTIALS }}'
      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
+        uses: 'google-github-actions/setup-gcloud@v2'
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
@@ -74,7 +70,7 @@ jobs:
        run: |
          dir=$(dirname \
            $(egrep -lir --include=plugin.json --exclude-dir=dist \
-              '"id": "${PLUGIN_ID}"' \
+              '"id": "${{ inputs.plugin_id }}"' \
              public/app/plugins \
            ) \
          )
@@ -89,19 +85,19 @@ jobs:
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
          [ ! -d ./bin ] && mkdir -pv ./bin || true
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v${{ env.GRABPL_VERSION }}/grabpl
          chmod 0755 ./bin/grabpl
      - name: Check backend
        id: check_backend
        shell: bash
        run: |
-          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
+          if egrep -qr --include=main.go 'datasource.Manage\("${{ inputs.plugin_id }}"' pkg/tsdb; then
            echo "has_backend=true" >> $GITHUB_OUTPUT
          else
            echo "has_backend=false" >> $GITHUB_OUTPUT
          fi
      - name: Setup golang environment
-        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+        uses: actions/setup-go@v4
        if: steps.check_backend.outputs.has_backend == 'true'
        with:
          go-version-file: go.mod
@@ -155,7 +151,7 @@ jobs:
            # Release branch, do not add commit hash to version
            command="plugin:build"
          fi
-          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
+          yarn $command --scope="@grafana-plugins/${{ inputs.plugin_id }}"
          version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
          echo "version=${version}" >> $GITHUB_OUTPUT
      - name: build:backend
@@ -164,7 +160,7 @@ jobs:
        env:
          VERSION: ${{ steps.build_frontend.outputs.version }}  
        run: |
-          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
+          make build-plugin-go PLUGIN_ID=${{ inputs.plugin_id }}
      - name: package
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
@@ -179,7 +175,7 @@ jobs:
          VERSION: ${{ steps.build_frontend.outputs.version }}  
        run: |
          api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
+            '${{ env.GCOM_API}}/api/plugins/${{ inputs.plugin_id }}?version=$VERSION' \
            -H 'accept: application/json')
          api_res_code=$(echo $api_res | jq -r .code)
          if [ "$api_res_code" = "NotFound" ]; then
@@ -201,10 +197,10 @@ jobs:
        run: |
          echo "Publish release to Google Cloud Storage:"
          touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
-          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
-          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
-          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
+          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows
+          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux 
+          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin
+          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any
      - name: Publish new plugin version on grafana.com
        if: steps.check_backend.outputs.has_backend == 'true'
        working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -218,27 +214,27 @@ jobs:
            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
            \"download\": {
              \"linux-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_amd64.zip\",
                \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
              },
              \"linux-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm64.zip\",
                \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
              },
              \"linux-arm\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/linux/${{ inputs.plugin_id }}-${VERSION}.linux_arm.zip\",
                \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
              },
              \"windows-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/windows/${{ inputs.plugin_id }}-${VERSION}.windows_amd64.zip\",
                \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
              },
              \"darwin-amd64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_amd64.zip\",
                \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
              },
              \"darwin-arm64\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/darwin/${{ inputs.plugin_id }}-${VERSION}.darwin_arm64.zip\",
                \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
              }
            }
@@ -261,7 +257,7 @@ jobs:
            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
            \"download\": {
              \"any\": {
-                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/${{ inputs.plugin_id }}/release/${VERSION}/any/${{ inputs.plugin_id }}-${VERSION}.any.zip\",
                \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
              }
            }
--- a/.github/workflows/create-next-release-branch.yml
+++ b/.github/workflows/create-next-release-branch.yml
@@ -46,7 +46,7 @@ jobs:
          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Create release branch
        id: branch
-        uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/bump-release@main
        with:
          ownerRepo: ${{ inputs.ownerRepo }}
          source: ${{ inputs.source }}
--- a/.github/workflows/create-security-patch-from-security-mirror.yml
+++ b/.github/workflows/create-security-patch-from-security-mirror.yml
@@ -17,7 +17,7 @@ on:
 jobs:
  trigger_downstream_create_security_patch:
    concurrency: create-patch-${{ github.ref_name }}
-    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main # zizmor: ignore[unpinned-uses]
+    uses: grafana/security-patch-actions/.github/workflows/create-patch.yml@main
    if: github.repository == 'grafana/grafana-security-mirror'
    with:
      repo: "${{ github.repository }}"
@@ -25,4 +25,5 @@ jobs:
      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
      patch_repo: "grafana/grafana-security-patches"
      patch_prefix: "${{ github.event.pull_request.number }}"
-    secrets: inherit # zizmor: ignore[secrets-inherit]
+    secrets: inherit
+
--- a/.github/workflows/dashboards-issue-add-label.yml
+++ b/.github/workflows/dashboards-issue-add-label.yml
@@ -3,11 +3,8 @@ on:
  issues:
    types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]

-permissions:
-  contents: read
-  id-token: write
-
 env:
+  GITHUB_TOKEN: ${{ secrets.ISSUE_COMMANDS_TOKEN }}
  ORGANIZATION: ${{ github.repository_owner }}
  REPO: ${{ github.event.repository.name }}
  TARGET_PROJECT: 202
@@ -16,35 +13,32 @@ env:
 concurrency:
  group: issue-label-when-in-project-${{ github.event.number }}
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.ISSUE_COMMANDS_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
  main:
-    if: github.repository == 'grafana/grafana'
+    needs: config
+    if: needs.config.outputs.has-secrets
    runs-on: ubuntu-latest
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
-          repo_secrets: |
-            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
-            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem
-
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
+      - name: log in
+        run: gh api user -q .login
      - name: Check if issue is in target project
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-          ISSUE_NUMBER: ${{ github.event.issue.number }}
-          TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
        run: |
          gh api graphql -f query='
            query($org: String!, $repo: String!) {
              repository(name: $repo, owner: $org) {
-                issue (number: $ISSUE_NUMBER) {
+                issue (number: ${{ github.event.issue.number }}) {
                  id
                  projectItems(first:20) {
                    nodes {
@@ -57,22 +51,17 @@ jobs:
              }
            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json

-            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.TARGET_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
            echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
      - name: Set up label array
        if: env.IN_TARGET_PROJ
-        env:
-          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
-          IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
+          IFS=',' read -ra LABEL_IDs <<< "${{ env.LABEL_IDs }}"
          for item in "${LABEL_IDs[@]}"; do
            echo "Item: $item"
          done
      - name: Add label to issue
        if: env.IN_TARGET_PROJ
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
          gh api graphql -f query='
            mutation ($labelableId: ID!, $labelIds: [ID!]!) {
@@ -81,4 +70,4 @@ jobs:
              ) {
                  clientMutationId
              }
-            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS
+            }' -f labelableId=$ITEM_ID -f labelIds=${{ env.LABEL_IDs }}
--- a/.github/workflows/deploy-pr-preview.yml
+++ b/.github/workflows/deploy-pr-preview.yml
@@ -1,31 +0,0 @@
-name: Deploy pr preview
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - closed
-    paths:
-      - "docs/sources/**"
-
-jobs:
-  deploy-pr-preview:
-    if: "!github.event.pull_request.head.repo.fork"
-    uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses]
-    with:
-      branch: ${{ github.head_ref }}
-      event_number: ${{ github.event.number }}
-      repo: grafana
-      sha: ${{ github.event.pull_request.head.sha }}
-      sources: |
-        [
-          {
-            "index_file": "content/docs/grafana/_index.md",
-            "relative_prefix": "/docs/grafana/latest/",
-            "repo": "grafana",
-            "source_directory": "docs/sources",
-            "website_directory": "content/docs/grafana/latest"
-          }
-        ]
-      title: ${{ github.event.pull_request.title }}
--- a/.github/workflows/detect-breaking-changes-levitate.yml
+++ b/.github/workflows/detect-breaking-changes-levitate.yml
@@ -6,8 +6,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: {}
-
 on:
  pull_request:
    paths:
@@ -22,18 +20,14 @@ jobs:
    defaults:
      run:
        working-directory: './pr'
-    permissions:
-      contents: read
-      id-token: write

    steps:
      - uses: actions/checkout@v4
        with:
          path: './pr'
-          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
-          node-version: 22.11.0
+          node-version: 20.9.0

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
@@ -69,9 +63,6 @@ jobs:
  buildBase:
    name: Build Base packages artifacts
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
    defaults:
      run:
        working-directory: './base'
@@ -84,7 +75,7 @@ jobs:

      - uses: actions/setup-node@v4
        with:
-          node-version: 22.11.0
+          node-version: 20.9.0

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
@@ -131,7 +122,7 @@ jobs:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
-          node-version: 22.11.0
+          node-version: 20.9.0

      - name: Get built packages from pr
        uses: actions/download-artifact@v4
@@ -150,29 +141,39 @@ jobs:
        run: unzip -j base_built_packages.zip -d ./base && rm base_built_packages.zip

      - id: 'auth'
-        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
+        uses: 'google-github-actions/auth@v2'
        with:
          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          service_account: ${{ secrets.LEVITATE_SA }}
          project_id: 'grafanalabs-global'

      - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
+        uses: 'google-github-actions/setup-gcloud@v2'
        with:
          version: '>= 363.0.0'
          project_id: 'grafanalabs-global'
          install_components: 'bq'

+      - name: Get link for the Github Action job
+        id: job
+        uses: actions/github-script@v6
+        with:
+          script: |
+              const name = 'Detect breaking changes';
+              const script = require('./.github/workflows/scripts/pr-get-job-link.js')
+              await script({name, github, context, core})
+
      - name: Detect breaking changes
        id: breaking-changes
        run: ./scripts/check-breaking-changes.sh
        env:
          FORCE_COLOR: 3
+          GITHUB_JOB_LINK: ${{ steps.job.outputs.link }}

      - name: Persisting the check output
        run: |
            mkdir -p ./levitate
-            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json
+            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"job_link\": \"${{ steps.job.outputs.link }}#step:${GITHUB_STEP_NUMBER}:1\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json

      - name: Upload check output as artifact
        uses: actions/upload-artifact@v4
@@ -185,9 +186,6 @@ jobs:
    name: Report breaking changes in PR comment
    runs-on: ubuntu-latest
    needs: ['Detect']
-    permissions:
-      contents: read
-      id-token: write

    steps:
      - name: "Generate token"
@@ -221,12 +219,15 @@ jobs:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
          script: |
-            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
-              issue_number: context.issue.number,
+            const { data } = await github.rest.issues.listLabelsOnIssue({
+              issue_number: process.env.PR_NUMBER,
              owner: context.repo.owner,
              repo: context.repo.repo,
            });
-            return labels.some(label => label.name === 'levitate breaking change') ? 1 : 0
+            const labels = data.map(({ name }) => name);
+            const doesExist = labels.includes('levitate breaking change');
+
+            return doesExist ? 1 : 0;

      # put the markdown into a variable
      - name: Levitate Markdown
@@ -246,7 +247,7 @@ jobs:
      # Comment on the PR
      - name: Comment on PR
        if: steps.levitate-run.outputs.exit_code == 1
-        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
+        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: levitate-breaking-change-comment
          number: ${{ github.event.pull_request.number }}
@@ -263,48 +264,30 @@ jobs:
      # Remove comment from the PR (no more breaking changes)
      - name: Remove comment from PR
        if: steps.levitate-run.outputs.exit_code == 0
-        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728
+        uses: marocchino/sticky-pull-request-comment@v2
        with:
          header: levitate-breaking-change-comment
          number: ${{ github.event.pull_request.number }}
          delete: true
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

-      - name: Send Slack Message via Payload
+      # Posts a notification to Slack if a PR has a breaking change and it did not have a breaking change before
+      - name: Post to Slack
        id: slack
-        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && github.repository == 'grafana/grafana'
-        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
+        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0 && env.HAS_SECRETS
+        uses: slackapi/slack-github-action@v1.26.0
        with:
-          channel-id: "C031SLFH6G0"
-          payload:  |
+          payload: |
            {
-              "channel": "C031SLFH6G0",
-              "text": ":warning: Possible breaking changes detected in *PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }} :warning:",
-              "icon_emoji": ":grot:",
-              "username": "Levitate Bot",
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*grafana/grafana* repository has possible breaking changes"
-                  }
-                },
-                {
-                  "type": "section",
-                  "fields": [
-                    {
-                      "type": "mrkdwn",
-                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>"
-                    },
-                    {
-                      "type": "mrkdwn",
-                      "text": "*Job:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Job>"
-                    }
-                  ]
-                }
-              ]
+              "pr_link": "https://github.com/grafana/grafana/pull/${{ steps.levitate-run.outputs.pr_number }}",
+              "pr_number": "${{ steps.levitate-run.outputs.pr_number }}",
+              "job_link": "${{ steps.levitate-run.outputs.job_link }}",
+              "reporting_job_link": "${{ github.event.workflow_run.html_url }}",
+              "message": "${{ steps.levitate-run.outputs.message }}"
            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_LEVITATE_WEBHOOK_URL }}
+          HAS_SECRETS: ${{ (github.repository == 'grafana/grafana' || secrets.SLACK_LEVITATE_WEBHOOK_URL != '') || '' }}

      # Add the label
      - name: Add "levitate breaking change" label
--- a/.github/workflows/doc-validator.yml
+++ b/.github/workflows/doc-validator.yml
@@ -0,0 +1,26 @@
+name: "doc-validator"
+on:
+  workflow_dispatch:
+    inputs:
+      include:
+        description: |
+          Regular expression that matches paths to include in linting.
+
+          For example: docs/sources/(?:alerting|fundamentals)/.+\.md
+        required: true
+jobs:
+  doc-validator:
+    runs-on: "ubuntu-latest"
+    container:
+      image: "grafana/doc-validator:v5.2.0"
+    steps:
+      - name: "Checkout code"
+        uses: "actions/checkout@v4"
+      - name: "Run doc-validator tool"
+        # Only run doc-validator on specific directories.
+        run: >
+          doc-validator
+          '--include=${{ inputs.include }}'
+          '--skip-checks=^(?:image.+|canonical-does-not-match-pretty-URL)$'
+          ./docs/sources
+          /docs/grafana/latest
--- a/.github/workflows/documentation-ci.yml
+++ b/.github/workflows/documentation-ci.yml
@@ -1,19 +0,0 @@
-name: Documentation CI
-on:
-  pull_request:
-    branches: ["main"]
-    paths: ["docs/sources/**"]
-  workflow_dispatch:
-jobs:
-  vale:
-    runs-on: ubuntu-latest
-    container:
-      image: grafana/vale:latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: grafana/writers-toolkit/vale-action@vale-action/v1 # zizmor: ignore[unpinned-uses]
-        with:
-          filter: '.Name in ["Grafana.GrafanaCom", "Grafana.WordList", "Grafana.Spelling", "Grafana.ProductPossessives"]'
-          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/ephemeral-instances-pr-comment.yml
+++ b/.github/workflows/ephemeral-instances-pr-comment.yml
@@ -47,7 +47,6 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
          ref: main
          path: ephemeral
-          persist-credentials: false

      - name: build and deploy ephemeral instance
        uses: ./ephemeral
--- a/.github/workflows/epic-add-to-platform-ux-parent-project.yml
+++ b/.github/workflows/epic-add-to-platform-ux-parent-project.yml
@@ -0,0 +1,149 @@
+name: When epic issues changed in Platform UX squad projects, check if epic is part of specified child projects and update on Platform UX parent project
+
+on:
+  issues:
+    types: [opened, closed, edited, reopened, assigned, unassigned, labeled, unlabeled]
+    labels:
+      - 'type/epic'
+
+env:
+  GH_TOKEN: ${{ secrets.GH_BOT_PROJECTS_ACCESS_TOKEN }}
+  ORGANIZATION: ${{ github.repository_owner }}
+  REPO: ${{ github.event.repository.name }}
+  PARENT_PROJECT: 304
+  CHILD_PROJECT_1: 78
+  CHILD_PROJECT_2: 111
+  CHILD_PROJECT_3: 202
+
+concurrency:
+  group: issue-add-to-parent-project-${{ github.event.number }}
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GH_BOT_PROJECTS_ACCESS_TOKEN != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets && contains(github.event.issue.labels.*.name, 'type/epic')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if issue is in child or parent projects
+        run: |
+          gh api graphql -f query='
+            query($org: String!, $repo: String!) {
+              repository(name: $repo, owner: $org) {
+                issue (number: ${{ github.event.issue.number }}) {
+                  projectItems(first:20) {
+                    nodes {
+                      id,
+                      project {
+                        number,
+                        title
+                      },
+                      fieldValueByName(name:"Status") {
+                        ... on ProjectV2ItemFieldSingleSelectValue {
+                          optionId
+                          name
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json
+
+            echo 'IN_PARENT_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'PARENT_PROJ_STATUS_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | select(.fieldValueByName != null) | .fieldValueByName.optionId' projects_data.json) >> $GITHUB_ENV
+            echo 'ITEM_ID='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.PARENT_PROJECT }}) | .id' projects_data.json) >> $GITHUB_ENV
+            echo 'IN_CHILD_PROJ='$(jq 'first(.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | .project != null)' projects_data.json) >> $GITHUB_ENV
+            echo 'CHILD_PROJ_STATUS='$(jq -r '.data.repository.issue.projectItems.nodes[] | select(.project.number==${{ env.CHILD_PROJECT_1 }} or .project.number==${{ env.CHILD_PROJECT_2 }} or .project.number==${{ env.CHILD_PROJECT_3 }}) | select(.fieldValueByName != null) | .fieldValueByName.name' projects_data.json) >> $GITHUB_ENV
+      - name: Get parent project project data
+        if: env.IN_CHILD_PROJ
+        run: |
+          gh api graphql -f query='
+            query($org: String!, $number: Int!) {
+              organization(login: $org){
+                projectV2(number: $number) {
+                  id
+                  fields(first:20) {
+                    nodes {
+                      ... on ProjectV2Field {
+                        id
+                        name
+                      }
+                      ... on ProjectV2SingleSelectField {
+                        id
+                        name
+                        options {
+                          id
+                          name
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }' -f org=$ORGANIZATION -F number=$PARENT_PROJECT > project_data.json
+
+          echo 'PROJECT_ID='$(jq '.data.organization.projectV2.id' project_data.json) >> $GITHUB_ENV
+          echo 'STATUS_FIELD_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .id' project_data.json) >> $GITHUB_ENV
+          echo 'TODO_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Todo") |.id' project_data.json) >> $GITHUB_ENV
+          echo 'PROGRESS_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="In Progress") |.id' project_data.json) >> $GITHUB_ENV
+          echo 'DONE_OPTION_ID='$(jq '.data.organization.projectV2.fields.nodes[] | select(.name== "Status") | .options[] | select(.name=="Done") |.id' project_data.json) >> $GITHUB_ENV
+      - name: Add issue to parent project
+        if: env.IN_CHILD_PROJ && !env.IN_PARENT_PROJ
+        run: |
+          item_id="$( gh api graphql -f query='
+            mutation($project:ID!, $issue:ID!) {
+              addProjectV2ItemById(input: {projectId: $project, contentId: $issue}) {
+                item {
+                  id
+                }
+              }
+            }' -f project=$PROJECT_ID -f issue=${{ github.event.issue.node_id }} --jq '.data.addProjectV2ItemById.item.id')"
+
+            echo 'ITEM_ID='$item_id >> $GITHUB_ENV
+      - name: Set parent project status Done
+        if: contains(env.CHILD_PROJ_STATUS, 'Done')
+        run: |
+          echo 'OPTION_ID='$DONE_OPTION_ID >> $GITHUB_ENV
+      - name: Set parent project status In Progress
+        if: contains(env.CHILD_PROJ_STATUS, 'In ') || contains(env.CHILD_PROJ_STATUS, 'Blocked')
+        run: |
+          echo 'OPTION_ID='$PROGRESS_OPTION_ID >> $GITHUB_ENV
+      - name: Set parent project status To do
+        if: env.CHILD_PROJ_STATUS && !contains(env.CHILD_PROJ_STATUS, 'In ') && !contains(env.CHILD_PROJ_STATUS, 'Blocked') && ! contains(env.CHILD_PROJ_STATUS, 'Done')
+        run: |
+          echo 'OPTION_ID='$TODO_OPTION_ID >> $GITHUB_ENV
+      - name: Set issue status in parent project
+        if: env.OPTION_ID && (env.OPTION_ID != env.PARENT_PROJ_STATUS_ID)
+        run: |
+          gh api graphql -f query='
+            mutation (
+              $project: ID!
+              $item: ID!
+              $status_field: ID!
+              $status_value: String!
+            ) {
+              set_status: updateProjectV2ItemFieldValue(input: {
+                projectId: $project
+                itemId: $item
+                fieldId: $status_field
+                value: {
+                  singleSelectOptionId: $status_value
+                  }
+              }) {
+                projectV2Item {
+                  id
+                  }
+              }
+            }' -f project=$PROJECT_ID -f item=$ITEM_ID -f status_field=$STATUS_FIELD_ID -f status_value=${{ env.OPTION_ID }} --silent
--- a/.github/workflows/feature-toggles-ci.yml
+++ b/.github/workflows/feature-toggles-ci.yml
@@ -1,25 +0,0 @@
-name: Feature toggles CI
-
-on:
-  pull_request:
-    paths:
-      - 'pkg/services/featuremgmt/toggles_gen_test.go'
-      - 'pkg/services/featuremgmt/registry.go'
-      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-          cache: true
-
-      - name: Run feature toggle tests
-        run: go test -v -run TestFeatureToggleFiles ./pkg/services/featuremgmt/
--- a/.github/workflows/frontend-lint.yml
+++ b/.github/workflows/frontend-lint.yml
@@ -1,133 +0,0 @@
-name: Lint Frontend
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-permissions: {}
-
-jobs:
-  lint-frontend-verify-i18n:
-    name: Verify i18n
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: |
-        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
-        make i18n-extract || (echo "${extract_error_message}" && false)
-    - run: |
-        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
-        file_diff=$(git diff --dirstat public/locales)
-        if [ -n "$file_diff" ]; then
-            echo $file_diff
-            echo "${uncommited_error_message}"
-            exit 1
-        fi
-  lint-frontend-prettier:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-prettier-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-prettier-enterprise:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-typecheck:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-typecheck-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
-    name: Typecheck
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run typecheck
-  lint-frontend-typecheck-enterprise:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
-    name: Typecheck
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run typecheck
-  lint-frontend-betterer:
-    permissions:
-      contents: read
-      id-token: write
-    name: Betterer
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run betterer:ci
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -40,7 +40,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Create GitHub release (manually invoked)
-        uses: grafana/grafana-github-actions-go/github-release@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/github-release@main
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
--- a/.github/workflows/go-lint.yml
+++ b/.github/workflows/go-lint.yml
@@ -17,16 +17,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: ./go.mod
      - run: make gen-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
+        uses: golangci/golangci-lint-action@v6
        with:
-          version: v2.0.2
+          version: v1.64.2
          args: |
            --verbose $(go list -m -f '{{.Dir}}' | xargs -I{} sh -c 'test ! -f {}/.nolint && echo {}/...')
          install-mode: binary
--- a/.github/workflows/i18n-crowdin-create-tasks.yml
+++ b/.github/workflows/i18n-crowdin-create-tasks.yml
@@ -1,27 +0,0 @@
-name: Crowdin Create Tasks
-
-on:
-  workflow_dispatch:
-  # schedule:
-  #   - cron: "0 0 * * *"
-
-jobs:
-  create-tasks-in-crowdin:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-
-      - name: Create tasks
-        env:
-          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
-        run: node ./.github/workflows/scripts/crowdin/create-tasks.js
--- a/.github/workflows/i18n-crowdin-download.yml
+++ b/.github/workflows/i18n-crowdin-download.yml
@@ -3,7 +3,7 @@ name: Crowdin Download Action
 on:
  workflow_dispatch:
  schedule:
-    - cron: "0 0 * * *"
+    - cron: "0 * * * *"

 jobs:
  download-sources-from-crowdin:
@@ -12,7 +12,6 @@ jobs:
    permissions:
      contents: write # needed to commit changes into the PR
      pull-requests: write # needed to update PR description, labels, etc
-      id-token: write # needed to get vault secrets

    steps:
      - name: Generate token
@@ -26,11 +25,10 @@ jobs:
        with:
          ref: ${{ github.head_ref }}
          token: ${{ steps.generate_token.outputs.token }}
-          persist-credentials: false

      - name: Download sources
        id: crowdin-download
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        uses: crowdin/github-action@v2
        with:
          upload_sources: false
          upload_translations: false
@@ -43,11 +41,17 @@ jobs:
          pull_request_body:  |
            :robot: Automatic download of translations from Crowdin.

-            This runs once per day and will merge automatically if all the required checks pass.
+            Steps for merging:
+              1. A quick sanity check of the changes and approve. Things to look out for:
+                - No changes in the English file. The source of truth is in the main branch, NOT in Crowdin.
+                - Translations maybe be removed if the English phrase was removed, but there should not be many of these
+                - Anything else that looks 'funky'. Ask if you're not sure.
+              2. Approve & (Auto-)merge. :tada:

-            If there's a conflict, close the pull request and **delete the branch**.
-            You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
+            If there's a conflict, close the pull request and **delete the branch**. A GH action will recreate the pull request.
+            Remember, the longer this pull request is open, the more likely it is that it'll get conflicts.
          pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
+          pull_request_reviewers: 'grafana-frontend-platform'
          pull_request_base_branch_name: 'main'
          base_url: 'https://grafana.api.crowdin.com'
          config: 'crowdin.yml'
@@ -73,7 +77,7 @@ jobs:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

      - name: Get project board ID
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        uses: octokit/graphql-action@v2.x
        id: get-project-id
        if: steps.crowdin-download.outputs.pull_request_url
        with:
@@ -93,7 +97,7 @@ jobs:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

      - name: Add to project board
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        uses: octokit/graphql-action@v2.x
        if: steps.crowdin-download.outputs.pull_request_url
        with:
          projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
@@ -110,50 +114,8 @@ jobs:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

      - name: Run auto-milestone
-        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/auto-milestone@main
        if: steps.crowdin-download.outputs.pull_request_url
        with:
          pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
          token: ${{ steps.generate_token.outputs.token }}
-
-      - name: Get vault secrets
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
-          repo_secrets: |
-            GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
-            GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
-
-      - name: Generate approver token
-        if: steps.crowdin-download.outputs.pull_request_url
-        id: generate_approver_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
-          private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
-
-      - name: Approve and automerge PR
-        if: steps.crowdin-download.outputs.pull_request_url
-        shell: bash
-        # Only approve if:
-        # - the PR does not modify files other than json files under the public/locales/ directory
-        # - the PR does not modify the en-US locale
-        run: |
-          filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
-
-          if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
-            echo "Non-i18n changes detected, not approving"
-            exit 1
-          fi
-
-          if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
-            echo "public/locales/en-US changes detected, not approving"
-            exit 1
-          fi
-
-          echo "Approving and enabling automerge"
-          gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
-          gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}
--- a/.github/workflows/i18n-crowdin-upload.yml
+++ b/.github/workflows/i18n-crowdin-upload.yml
@@ -15,11 +15,9 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
-        with:
-          persist-credentials: false

      - name: Upload sources
-        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        uses: crowdin/github-action@v2
        with:
          upload_sources: true
          upload_sources_args: '--dest=public/locales/en-US/grafana.json'
--- a/.github/workflows/issue-labeled.yml
+++ b/.github/workflows/issue-labeled.yml
@@ -0,0 +1,99 @@
+name: Notify Slack channel based on new issue label
+
+on:
+  issues:
+    types: [labeled]
+
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.SLACK_WEBHOOK_URL != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  notify:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Download teams.yml to know which label is for which team"
+        run: wget https://raw.githubusercontent.com/grafana/grafana/main/.github/teams.yml
+
+      - name: "Determine which team to notify"
+        run: |
+          # Default to null values.
+          CHANNEL="null"
+          TEAM="null"
+
+          echo "${{ github.event.label.name }} label added"
+          export CURRENT_LABEL="${{ github.event.label.name }}" # Enable the use of the label in yq evaluations
+          # yq is installed by default in ubuntu-latest
+          if [[ $(yq e 'keys | .[] | select(. == env(CURRENT_LABEL))' teams.yml ) ]]; then
+            # Check if we have a channel set to notify on comments.
+            if [[ $(yq '.[env(CURRENT_LABEL)] | has("channel-label")' teams.yml ) == true ]]; then
+              CHANNEL=$(yq '.[env(CURRENT_LABEL)].channel-label' teams.yml)
+              echo "Ready to send issue to channel ID ${CHANNEL}"
+            fi
+
+            if [[ $(yq '.[env(CURRENT_LABEL)] | has("exclude-github-team")' teams.yml ) == true ]]; then
+              TEAM=$(yq '.[env(CURRENT_LABEL)].exclude-github-team' teams.yml)
+              echo "Will not send issue to channel if issue author is part of the team ${TEAM}"
+            fi
+          fi
+
+          # set environment for next steps
+          echo "CHANNEL=${CHANNEL}" >> "$GITHUB_ENV"
+          echo "TEAM=${TEAM}" >> "$GITHUB_ENV"
+
+      - name: "Prepare payload"
+        uses: frabert/replace-string-action@v2.5
+        id: preparePayload
+        with:
+          # replace double quotes with single quotes to avoid breaking the JSON payload sent to Slack
+          string: ${{ github.event.issue.title }}
+          pattern: '"'
+          replace-with: "'"
+          flags: 'g'
+
+      - name: Get Token
+        id: get_workflow_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          app_id: ${{ secrets.APP_GRAFANA_TEAM_CHECKER_ID }}
+          private_key: ${{ secrets.APP_GRAFANA_TEAM_CHECKER_KEY }}
+
+      - name: "Check that issue author is not part of the team"
+        if: ${{ env.TEAM != 'null' }}
+        run: |
+          response=$(gh api /orgs/grafana/teams/${{ env.TEAM }}/memberships/${{ github.event.issue.user.login }} -i -H "Accept: application/vnd.github.v3+json")
+          STATUS_CODE=$(echo "$response" | head -n 1 | cut -d' ' -f2)
+          if [ "$STATUS_CODE" -eq "404" ]; then
+            echo "The user was not found in the team."
+            echo "USER_FOUND=false" >> "$GITHUB_ENV"
+          else
+            echo "The user was potentially found in the team"
+            echo "USER_FOUND=maybe" >> "$GITHUB_ENV"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
+
+      - name: "Send Slack notification"
+        if: ${{ (env.CHANNEL != 'null') && ((env.USER_FOUND == 'false') || (env.TEAM != 'null')) }}
+        uses: slackapi/slack-github-action@v1.26.0
+        with:
+          payload: >
+            {
+              "icon_emoji": ":grafana:",
+              "username": "Grafana issue labeled",
+              "text": "Issue \"${{ steps.preparePayload.outputs.replaced }}\" labeled \"${{ github.event.label.name }}\": ${{ github.event.issue.html_url }}, please triage.",
+              "channel": "${{ env.CHANNEL }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -10,24 +10,22 @@ on:
 concurrency:
  group: issue-opened-${{ github.event.issue.number }}

-permissions: {}
+permissions:
+  contents: read
+  id-token: write

 jobs:
  main:
    runs-on: ubuntu-latest
    if: github.repository == 'grafana/grafana'
-    permissions:
-      contents: read
-      id-token: write
    steps:

      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
+        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-          persist-credentials: false

      - name: Install Actions
        run: npm install --production --prefix ./actions
@@ -39,7 +37,7 @@ jobs:

      - name: "Get vault secrets"
        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
@@ -62,16 +60,13 @@ jobs:

  auto-triage:
    needs: [main]
-    permissions:
-      contents: read
-      id-token: write
    if: github.repository == 'grafana/grafana' && github.event.issue.author_association != 'MEMBER' && github.event.issue.author_association != 'OWNER'
    runs-on: ubuntu-latest
    steps:

      - name: "Get vault secrets"
        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_triager path in Vault
          repo_secrets: |
@@ -87,24 +82,31 @@ jobs:
          app_id: ${{ env.GH_APP_ID }}
          private_key: ${{ env.GH_APP_PEM }}

-      - name: Checkout
-        uses: actions/checkout@v4 # v4.2.2
+      - name: Checkout auto-triager repository
+        uses: actions/checkout@v4
+        with:
+          repository: grafana/auto-triager
+          path: auto-triager
+          token:  ${{ steps.generate_token.outputs.token }}

      - name: Send issue to the auto triager action
        id: auto_triage
-        uses: grafana/auto-triager@main # zizmor: ignore[unpinned-uses]
+        # https://github.com/grafana/auto-triager/blob/main/action.yml
+        #uses: grafana/auto-triager@main
+        uses: ./auto-triager
        with:
          token: ${{ steps.generate_token.outputs.token }}
          issue_number: ${{ github.event.issue.number }}
          openai_api_key: ${{ env.AUTOTRIAGER_OPENAI_API_KEY }}
          add_labels: true
-          labels_file: ${{ github.workspace }}/.github/workflows/auto-triager/labels.txt
-          types_file: ${{ github.workspace }}/.github/workflows/auto-triager/types.txt
-          prompt_file: ${{ github.workspace }}/.github/workflows/auto-triager/prompt.txt
+
+      - name: Labels from auto triage
+        run: |
+          echo ${{ steps.auto_triage.outputs.triage_labels }}

      - name: "Send Slack notification"
        if: ${{ steps.auto_triage.outputs.triage_labels != '' }}
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@v1.27.0
        with:
          payload: >
            {
--- a/.github/workflows/lint-build-docs.yml
+++ b/.github/workflows/lint-build-docs.yml
@@ -1,62 +0,0 @@
-name: Documentation
-
-on:
-  pull_request:
-    paths:
-      - '*.md'
-      - 'docs/**'
-      - 'packages/**/*.md'
-      - 'latest.json'
-  push:
-    branches:
-      - main
-    paths:
-      - '*.md'
-      - 'docs/**'
-      - 'packages/**/*.md'
-      - 'latest.json'
-
-jobs:
-  docs:
-    name: Build & Verify Docs
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22.11.0'
-          cache: 'yarn'
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Lint docs
-        run: yarn run prettier:checkDocs
-        env:
-          # Increase memory for prettier due to large number of files
-          NODE_OPTIONS: --max_old_space_size=8192
-
-      - name: Build docs website
-        run: |
-          # Create and start a container from the docs-base image in detached mode
-          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
-          
-          # Create the directory structure inside the container
-          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
-          
-          # Create the _index.md file
-          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
-          
-          # Copy the docs sources from the host to the container
-          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
-          
-          # Run the make prod command inside the container
-          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
-          
-          # Clean up the container
-          docker rm -f docs-builder
--- a/.github/workflows/metrics-collector.yml
+++ b/.github/workflows/metrics-collector.yml
@@ -15,9 +15,6 @@ on:
  issues:
    types: [opened, closed]

-permissions:
-  contents: read
-
 jobs:
  config:
    runs-on: "ubuntu-latest"
@@ -38,12 +35,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
+        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-          persist-credentials: false
      - name: Install Actions
        run: npm install --production --prefix ./actions
      - name: Run metrics collector
--- a/.github/workflows/migrate-prs.yml
+++ b/.github/workflows/migrate-prs.yml
@@ -51,7 +51,7 @@ jobs:
          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Migrate PRs
-        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main
        with:
          token: ${{ steps.generate_token.outputs.token }}
          ownerRepo: ${{ inputs.ownerRepo }}
--- a/.github/workflows/milestone.yml
+++ b/.github/workflows/milestone.yml
@@ -0,0 +1,19 @@
+name: Close Milestone
+on:
+  workflow_dispatch:
+    inputs:
+      version_input:
+        description: 'The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
+        required: true
+jobs:
+  call-remove-milestone:
+    uses: grafana/grafana/.github/workflows/remove-milestone.yml@main
+    with:
+      version_call: ${{ github.event.inputs.version_input }}
+    secrets: inherit
+  call-close-milestone:
+    uses: grafana/grafana/.github/workflows/close-milestone.yml@main
+    with:
+      version_call: ${{ github.event.inputs.version_input }}
+    secrets: inherit
+    needs: call-remove-milestone
--- a/.github/workflows/pr-backend-coverage.yml
+++ b/.github/workflows/pr-backend-coverage.yml
@@ -1,71 +0,0 @@
-name: Coverage
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - 'docs/**'
-      - '**/*.md'
-
-permissions:
-  contents: read
-  id-token: write
-
-env:
-  EDITION: 'oss'
-  WIRE_TAGS: 'oss'
-
-jobs:
-  main:
-    name: Backend Unit Tests
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y build-essential shared-mime-info
-          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
-      - name: Generate Go code
-        run: make gen-go
-      - name: Run unit tests
-        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
-      - name: Process and upload coverage
-        uses: ./.github/actions/test-coverage-processor
-        with:
-          test-type: 'be-unit'
-          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
-          coverage-file: 'unit.cov'
-          codecov-token: ${{ secrets.CODECOV_TOKEN }}
-          codecov-flag: 'be-unit'
-          codecov-name: 'be-unit'
-
-      - name: Install Grafana Bench
-        # We can't allow forks here, as we need secret access.
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: ./.github/actions/setup-grafana-bench
-
-      - name: Process output for Bench
-        if: ${{ github.event_name != 'pull_request' }}
-        run: |
-          grafana-bench report \
-            --trigger pr-backend-unit-tests-oss \
-            --report-input go \
-            --report-output log \
-            --grafana-version "$(git rev-parse HEAD)" \
-            --suite-name grafana-oss-unit-tests \
-            /tmp/unit.log || true
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: false
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -31,12 +31,11 @@ jobs:
    if: github.event.pull_request.draft == false
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
+        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-          persist-credentials: false
      - name: Install Actions
        run: npm install --production --prefix ./actions
      - name: Run PR Checks
--- a/.github/workflows/pr-codeql-analysis-go.yml
+++ b/.github/workflows/pr-codeql-analysis-go.yml
@@ -0,0 +1,53 @@
+name: "CodeQL for PR / go"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+    paths:
+      - '**/*.go'
+
+permissions:
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    if: github.repository == 'grafana/grafana'
+
+    steps:
+    - name: "Generate token"
+      id: generate_token
+      continue-on-error: true
+      uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+      with:
+        app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+        private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+        token: ${{ steps.generate_token.outputs.token }}
+
+    - name: Set go version
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: go.mod
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: "go"
+
+    - name: Build go files
+      run: |
+        go mod verify
+        make build-go
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/pr-codeql-analysis-javascript.yml
+++ b/.github/workflows/pr-codeql-analysis-javascript.yml
@@ -25,13 +25,12 @@ jobs:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2
-        persist-credentials: false

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v2
      with:
        languages: "javascript"

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/pr-codeql-analysis-python.yml
+++ b/.github/workflows/pr-codeql-analysis-python.yml
@@ -23,13 +23,12 @@ jobs:
        # We must fetch at least the immediate parents so that if this is
        # a pull request then we can checkout the head.
        fetch-depth: 2
-        persist-credentials: false

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v2
      with:
        languages: "python"

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/pr-commands.yml
+++ b/.github/workflows/pr-commands.yml
@@ -30,12 +30,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
-        uses: actions/checkout@v4 # v4.2.2
+        uses: actions/checkout@v4
        with:
          repository: "grafana/grafana-github-actions"
          path: ./actions
          ref: main
-          persist-credentials: false
      - name: Install Actions
        run: npm install --production --prefix ./actions
      - name: "Generate token"
--- a/.github/workflows/pr-dependabot-update-go-workspace.yml
+++ b/.github/workflows/pr-dependabot-update-go-workspace.yml
@@ -1,69 +0,0 @@
-name: "Update Go Workspace for Dependabot PRs"
-on:
-  pull_request:
-    branches: [main]
-    paths:
-      - .github/workflows/pr-dependabot-update-go-workspace.yml
-      - go.mod
-      - go.sum
-      - go.work
-      - go.work.sum
-      - '**/go.mod'
-      - '**/go.sum'
-      - '**.go'
-permissions:
-  contents: write
-  id-token: write
-jobs:
-  update:
-    runs-on: "ubuntu-latest"
-    if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
-    continue-on-error: true
-    steps:
-    - name: Retrieve GitHub App secrets
-      id: get-secrets
-      uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.0.1 # zizmor: ignore[unpinned-uses]
-      with:
-        repo_secrets: |
-          APP_ID=grafana-go-workspace-bot:app-id
-          APP_INSTALLATION_ID=grafana-go-workspace-bot:app-installation-id
-          PRIVATE_KEY=grafana-go-workspace-bot:private-key
-
-    - name: Generate GitHub App token
-      id: generate_token
-      uses: actions/create-github-app-token@v1
-      with:
-        app-id: ${{ env.APP_ID }}
-        private-key: ${{ env.PRIVATE_KEY }}
-
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        repository: ${{ github.event.pull_request.head.repo.full_name }}
-        ref: ${{ github.event.pull_request.head.ref }}
-        token: ${{ steps.generate_token.outputs.token }}
-        persist-credentials: false
-
-    - name: Set go version
-      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
-      with:
-        go-version-file: go.mod
-
-    - name: Configure Git
-      run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-          git config --local --add --bool push.autoSetupRemote true
-
-    - name: Update workspace
-      run: make update-workspace
-
-    - name: Commit and push workspace changes
-      env:
-        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
-      run: |
-        if ! git diff --exit-code --quiet; then
-          echo "Committing and pushing workspace changes"
-          git commit -a -m "update workspace"
-          git push origin $BRANCH_NAME
-        fi
--- a/.github/workflows/pr-e2e-tests.yml
+++ b/.github/workflows/pr-e2e-tests.yml
@@ -1,72 +0,0 @@
-name: End-to-end tests
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-jobs:
-  build-grafana:
-    name: Build & Package Grafana
-    runs-on: ubuntu-latest-16-cores
-    outputs:
-      artifact: ${{ steps.artifact.outputs.artifact }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          repository: 'grafana/grafana-build'
-          ref: 'main'
-          persist-credentials: false
-      - uses: actions/checkout@v4
-        with:
-          path: ./grafana
-      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
-      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          verb: run
-          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
-      - run: mv $(cat out.txt) grafana.tar.gz
-      - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
-        id: artifact
-      - uses: actions/upload-artifact@v4
-        id: upload
-        with:
-          retention-days: 1
-          name: ${{ steps.artifact.outputs.artifact }}
-          path: grafana.tar.gz
-  e2e-matrix:
-    name: ${{ matrix.suite }}
-    strategy:
-      matrix:
-        suite:
-          - various-suite
-          - dashboards-suite
-          - smoke-tests-suite
-          - panels-suite
-    needs:
-      - build-grafana
-    uses: ./.github/workflows/run-e2e-suite.yml
-    with:
-      package: ${{ needs.build-grafana.outputs.artifact }}
-      suite: ${{ matrix.suite }}
-  e2e-matrix-old-arch:
-    name: ${{ matrix.suite }} (old arch)
-    strategy:
-      matrix:
-        suite:
-          - old-arch/various-suite
-          - old-arch/dashboards-suite
-          - old-arch/smoke-tests-suite
-          - old-arch/panels-suite
-    needs:
-      - build-grafana
-    uses: ./.github/workflows/run-e2e-suite.yml
-    with:
-      package: ${{ needs.build-grafana.outputs.artifact }}
-      suite: ${{ matrix.suite }}
--- a/.github/workflows/pr-frontend-unit-tests.yml
+++ b/.github/workflows/pr-frontend-unit-tests.yml
@@ -1,69 +0,0 @@
-name: Frontend tests
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-permissions: {}
-
-jobs:
-  frontend-unit-tests:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `frontend-unit-tests-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
-    runs-on: ubuntu-latest-8-cores
-    name: "Unit tests (${{ matrix.chunk }} / 8)"
-    strategy:
-      fail-fast: false
-      matrix:
-        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run test:ci
-      env:
-        TEST_MAX_WORKERS: 2
-        TEST_SHARD: ${{ matrix.chunk }}
-        TEST_SHARD_TOTAL: 8
-
-  frontend-unit-tests-enterprise:
-    permissions:
-      contents: read
-      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
-    runs-on: ubuntu-latest-8-cores
-    name: "Unit tests (${{ matrix.chunk }} / 8)"
-    strategy:
-      fail-fast: false
-      matrix:
-        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version-file: '.nvmrc'
-        cache: 'yarn'
-        cache-dependency-path: 'yarn.lock'
-    - name: Setup Enterprise
-      uses: ./.github/actions/setup-enterprise
-      with:
-        github-app-name: 'grafana-ci-bot'
-    - run: yarn install --immutable --check-cache
-    - run: yarn run test:ci
-      env:
-        TEST_MAX_WORKERS: 2
-        TEST_SHARD: ${{ matrix.chunk }}
-        TEST_SHARD_TOTAL: 8
--- a/.github/workflows/pr-go-workspace-check.yml
+++ b/.github/workflows/pr-go-workspace-check.yml
@@ -4,15 +4,6 @@ on:
  workflow_dispatch:
  pull_request:
    branches: [main]
-    paths:
-      - .github/workflows/pr-go-workspace-check.yml
-      - go.mod
-      - go.sum
-      - go.work
-      - go.work.sum
-      - '**/go.mod'
-      - '**/go.sum'
-      - '**.go'

 jobs:
  check:
@@ -22,13 +13,10 @@ jobs:
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
-      with:
-        persist-credentials: false

    - name: Set go version
-      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+      uses: actions/setup-go@v4
      with:
-        cache: false
        go-version-file: go.mod

    - name: Update workspace
@@ -44,4 +32,4 @@ jobs:
          exit 1
        fi
    - name: Ensure Dockerfile contains submodule COPY commands
-      run: ./scripts/go-workspace/validate-dockerfile.sh
+      run: ./scripts/go-workspace/validate-dockerfile.sh
--- a/.github/workflows/pr-k8s-codegen-check.yml
+++ b/.github/workflows/pr-k8s-codegen-check.yml
@@ -9,7 +9,6 @@ on:
      - "pkg/aggregator/apis/**"
      - "pkg/apimachinery/apis/**"
      - "hack/**"
-      - "apps/**"
      - "*.sum"

 jobs:
@@ -20,11 +19,9 @@ jobs:
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
-      with:
-        persist-credentials: false

    - name: Set go version
-      uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
+      uses: actions/setup-go@v4
      with:
        go-version-file: go.mod

@@ -38,4 +35,4 @@ jobs:
          git diff
          echo "Please run './hack/update-codegen.sh' and commit the changes."
          exit 1
-        fi
+        fi
--- a/.github/workflows/pr-patch-check-event.yml
+++ b/.github/workflows/pr-patch-check-event.yml
@@ -1,63 +0,0 @@
-# Owned by grafana-delivery-squad
-# Intended to be dropped into the base repo Ex: grafana/grafana
-name: Dispatch check for patch conflicts
-run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
-on:
-  pull_request_target:
-    types:
-      - opened
-      - reopened
-      - synchronize
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-permissions: {}
-
-# Since this is run on a pull request, we want to apply the patches intended for the
-# target branch onto the source branch, to verify compatibility before merging.
-jobs:
-  dispatch-job:
-    permissions:
-      id-token: write
-      contents: read
-      actions: write
-    env:
-      HEAD_REF: ${{ github.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-      REPO: ${{ github.repository }}
-      SENDER: ${{ github.event.sender.login }}
-      SHA: ${{ github.sha }}
-      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-      - name: "Dispatch job"
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'security-patch-actions',
-                workflow_id: 'test-patches-event.yml',
-                ref: 'main',
-                inputs: {
-                  src_repo: REPO,
-                  src_ref: HEAD_REF,
-                  src_merge_sha: SHA,
-                  src_pr_commit_sha: PR_COMMIT_SHA,
-                  patch_repo: REPO + '-security-patches',
-                  patch_ref: BASE_REF,
-                  triggering_github_handle: SENDER
-                }
-            })
--- a/.github/workflows/pr-patch-check.yml
+++ b/.github/workflows/pr-patch-check.yml
@@ -0,0 +1,27 @@
+# Owned by grafana-release-guild
+# Intended to be dropped into the base repo Ex: grafana/grafana
+name: Check for patch conflicts
+run-name: check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# Since this is run on a pull request, we want to apply the patches intended for the
+# target branch onto the source branch, to verify compatibility before merging.
+jobs:
+  trigger_downstream_patch_check:
+    uses: grafana/security-patch-actions/.github/workflows/test-patches.yml@main
+    if: github.repository == 'grafana/grafana'
+    with:
+      src_repo: "${{ github.repository }}"
+      src_ref: "${{ github.head_ref }}" # this is the source branch name, Ex: "feature/newthing"
+      patch_repo: "${{ github.repository }}-security-patches"
+      patch_ref: "${{ github.base_ref }}" # this is the target branch name, Ex: "main"
+    secrets: inherit
--- a/.github/workflows/pr-test-integration.yml
+++ b/.github/workflows/pr-test-integration.yml
@@ -1,89 +0,0 @@
-name: Integration Tests
-
-on:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-jobs:
-  sqlite:
-    name: Sqlite
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-      - run: |
-          make gen-go
-          go test -tags=sqlite -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
-  mysql:
-    name: MySQL
-    runs-on: ubuntu-latest-8-cores
-    env:
-      GRAFANA_TEST_DB: mysql
-      MYSQL_HOST: 127.0.0.1
-    services:
-      mysql:
-        image: mysql:8.0.32
-        env:
-          MYSQL_ROOT_PASSWORD: rootpass
-          MYSQL_DATABASE: grafana_tests
-          MYSQL_USER: grafana
-          MYSQL_PASSWORD: password
-        options: --health-cmd="mysqladmin ping --silent" --health-interval=10s --health-timeout=5s --health-retries=3
-        ports:
-          - 3306:3306
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-      - run: |
-          sudo apt-get update -yq && sudo apt-get install mariadb-client
-          cat devenv/docker/blocks/mysql_tests/setup.sql | mariadb -h 127.0.0.1 -P 3306 -u root -prootpass --disable-ssl-verify-server-cert
-          make gen-go
-          go test -tags=mysql -p=1 -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
-  postgres:
-    name: Postgres
-    runs-on: ubuntu-latest-8-cores
-    services:
-      postgres:
-        image: postgres:12.3-alpine
-        env:
-          POSTGRES_USER: grafanatest
-          POSTGRES_PASSWORD: grafanatest
-          POSTGRES_DB: grafanatest
-        ports:
-          - 5432:5432
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: true
-      - env:
-          GRAFANA_TEST_DB: postgres
-          PGPASSWORD: grafanatest
-          POSTGRES_HOST: 127.0.0.1
-        run: |
-          sudo apt-get update -yq && sudo apt-get install postgresql-client
-          psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
-          make gen-go
-          go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' $(find ./pkg -type f -name '*_test.go' -exec grep -l '^func TestIntegration' '{}' '+' | grep -o '\(.*\)/' | sort -u)
--- a/.github/workflows/publish-kinds-next.yml
+++ b/.github/workflows/publish-kinds-next.yml
@@ -32,10 +32,9 @@ jobs:
        uses: "actions/checkout@v4"
        with:
          fetch-depth: 0
-          persist-credentials: false

      - name: "Setup Go"
-        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
+        uses: "actions/setup-go@v4"
        with:
          go-version-file: go.mod

--- a/.github/workflows/publish-kinds-release.yml
+++ b/.github/workflows/publish-kinds-release.yml
@@ -35,10 +35,9 @@ jobs:
        with:
          # required for the `grafana/grafana-github-actions/has-matching-release-tag` action to work
          fetch-depth: 0
-          persist-credentials: false

      - name: "Setup Go"
-        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
+        uses: "actions/setup-go@v4"
        with:
          go-version-file: go.mod

--- a/.github/workflows/publish-technical-documentation-next.yml
+++ b/.github/workflows/publish-technical-documentation-next.yml
@@ -16,6 +16,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
+      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1
        with:
          website_directory: content/docs/grafana/next
--- a/.github/workflows/publish-technical-documentation-release.yml
+++ b/.github/workflows/publish-technical-documentation-release.yml
@@ -20,8 +20,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          persist-credentials: false
-      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2 # zizmor: ignore[unpinned-uses]
+      - uses: grafana/writers-toolkit/publish-technical-documentation-release@publish-technical-documentation-release/v2
        with:
          release_tag_regexp: "^v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
          release_branch_regexp: "^release-(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"
--- a/.github/workflows/release-comms.yml
+++ b/.github/workflows/release-comms.yml
@@ -30,16 +30,18 @@ jobs:
      release_branch: ${{ steps.output.outputs.release_branch }}
      dry_run: ${{ steps.output.outputs.dry_run }}
      latest: ${{ steps.output.outputs.latest }}
-    env:
-      HEAD_REF: ${{ github.head_ref }}
-      DRY_RUN: ${{ inputs.dry_run }}
-      LATEST: ${{ inputs.latest && '1' || '0' }}
-      VERSION: ${{ inputs.version }}
    runs-on: ubuntu-latest
    steps:
+      # The github-release action expects a `LATEST` value of a string of either '1' or '0'
+    - if: ${{ github.event_name == 'workflow_dispatch' }}
+      run: |
+        echo setting up GITHUB_ENV for ${{ github.event_name }}
+        echo "VERSION=${{ inputs.version }}" >> $GITHUB_ENV
+        echo "DRY_RUN=${{ inputs.dry_run }}" >> $GITHUB_ENV
+        echo "LATEST=${{ inputs.latest && '1' || '0' }}" >> $GITHUB_ENV
    - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
      run: |
-        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
+        echo "VERSION=$(echo ${{ github.head_ref }} | sed -e 's/release\/.*\///g')" >> $GITHUB_ENV
        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
    - id: output
@@ -118,10 +120,7 @@ jobs:
  post_on_slack:
    needs: setup
    runs-on: ubuntu-latest
-    env:
-      DRY_RUN: ${{ needs.setup.outputs.dry_run }}
-      VERSION: ${{ needs.setup.outputs.version }}
    steps:
    - run: |
-        echo announce on slack that $VERSION has been released
-        echo dry run: $DRY_RUN
+        echo announce on slack that ${{ needs.setup.outputs.version }} has been released
+        echo dry run: ${{ needs.setup.outputs.dry_run }}
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -33,13 +33,12 @@ on:
        default: false
        type: boolean

-permissions: {}
+permissions:
+  contents: write
+  pull-requests: write

 jobs:
  push-changelog-to-main:
-    permissions:
-      contents: write
-      pull-requests: write
    name: Create PR to main to update the changelog
    uses: ./.github/workflows/changelog.yml
    with:
@@ -51,33 +50,30 @@ jobs:
    secrets:
      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
  create-prs:
-    permissions:
-      contents: write
-      pull-requests: write
    name: Create Release PR
    runs-on: ubuntu-latest
    if: github.repository == 'grafana/grafana'
-    env:
-      VERSION: ${{ inputs.version }}
-      LATEST: ${{ inputs.latest }}
-      DRY_RUN: ${{ inputs.dry_run }}
    steps:
+      - name: Generate bot token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Get release branch
        id: branch
-        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
+        uses: grafana/grafana-github-actions-go/latest-release-branch@main
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ steps.generate_token.outputs.token }}
          ownerRepo: 'grafana/grafana'
          pattern: ${{ inputs.target }}
      - name: Checkout Grafana
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.branch.outputs.branch }}
+          fetch-depth: 0
          fetch-tags: true
-          token: ${{ secrets.GITHUB_TOKEN }}
-          persist-credentials: false
      - name: Checkout Grafana (main)
        uses: actions/checkout@v4
        with:
@@ -85,8 +81,6 @@ jobs:
          fetch-depth: '0'
          fetch-tags: 'false'
          path: .grafana-main
-          token: ${{ secrets.GITHUB_TOKEN }}
-          persist-credentials: false
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
@@ -98,43 +92,37 @@ jobs:
          git config --local --add --bool push.autoSetupRemote true

      - name: Create branch
-        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
-      - name: Generate changelog token
-        id: generate_changelog_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
-          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+        run: git checkout -b "release/${{ github.run_id }}/${{ inputs.version }}"
      - name: Generate changelog
        id: changelog
-        uses: ./.grafana-main/.github/actions/changelog
+        uses: ./.grafana-main/.github/workflows/actions/changelog
        with:
-          github_token: ${{ steps.generate_changelog_token.outputs.token }}
-          target: v${{ env.VERSION }}
+          github_token: ${{ steps.generate_token.outputs.token }}
+          target: v${{ inputs.version }}
          output_file: changelog_items.md
      - name: Patch CHANGELOG.md
        run: |
          # Prepare CHANGELOG.md content with version delimiters
          (
            echo
-            echo "# $VERSION ($(date '+%F'))"
+            echo "# ${{ inputs.version}} ($(date '+%F'))"
            echo
            cat changelog_items.md
          ) > CHANGELOG.part

          # Check if a version exists in the changelog
-          if grep -q "<!-- $VERSION START" CHANGELOG.md ; then
+          if grep -q "<!-- ${{ inputs.version}} START" CHANGELOG.md ; then
            # Replace the content between START and END delimiters
-            echo "Version $VERSION is found in the CHANGELOG.md, patching contents..."
-            sed -i -e "/$VERSION START/,/$VERSION END/{//!d;}" \
-                   -e "/$VERSION START/r CHANGELOG.part" CHANGELOG.md
+            echo "Version ${{ inputs.version }} is found in the CHANGELOG.md, patching contents..."
+            sed -i -e '/${{ inputs.version }} START/,/${{ inputs.version }} END/{//!d;}' \
+                   -e '/${{ inputs.version }} START/r CHANGELOG.part' CHANGELOG.md
          else
            # Prepend changelog part to the main changelog file
-            echo "Version $VERSION not found in the CHANGELOG.md"
+            echo "Version ${{ inputs.version }} not found in the CHANGELOG.md"
            (
-              echo "<!-- $VERSION START -->"
+              echo "<!-- ${{ inputs.version }} START -->"
              cat CHANGELOG.part
-              echo "<!-- $VERSION END -->"
+              echo "<!-- ${{ inputs.version }} END -->"
              cat CHANGELOG.md
            ) > CHANGELOG.tmp
            mv CHANGELOG.tmp CHANGELOG.md
@@ -156,46 +144,35 @@ jobs:
      - name: Add package.json changes
        run: |
          git add package.json lerna.json yarn.lock packages public
-          test -e e2e/test-plugins && git add e2e/test-plugins
-          git commit -m "Update version to $VERSION"
+          git commit -m "Update version to ${{ inputs.version }}"

      - name: Git push
        if: ${{ inputs.dry_run }} != true
-        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
+        run: git push --set-upstream origin release/${{ github.run_id }}/${{ inputs.version }}

      - name: Create PR without backports
        if: "${{ inputs.backport == '' }}"
+        run: >
+          gh pr create \
+            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
+            -l "no-changelog" \
+            --dry-run=${{ inputs.dry_run }} \
+            -B "${{ steps.branch.outputs.branch }}" \
+            --title "Release: ${{ inputs.version }}" \
+            --body "These code changes must be merged after a release is complete"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: ${{ steps.branch.outputs.branch }}
-        run: |
-          LATEST_FLAG=""
-          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG='-l "release/latest"'
-          fi
-          gh pr create \
-            $LATEST_FLAG \
-            -l "no-changelog" \
-            --dry-run="$DRY_RUN" \
-            -B "$BRANCH" \
-            --title "Release: $VERSION" \
-            --body "These code changes must be merged after a release is complete"

      - name: Create PR with backports
        if: "${{ inputs.backport != '' }}"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          BRANCH: ${{ steps.branch.outputs.branch }}
-        run: |
-          LATEST_FLAG=""
-          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG='-l "release/latest"'
-          fi
+        run: >
          gh pr create \
-            $LATEST_FLAG \
+            $( [ "x${{ inputs.latest }}" == "xtrue" ] && printf %s '-l "release/latest"') \
            -l "product-approved" \
            -l "no-changelog" \
-            --dry-run="$DRY_RUN" \
-            -B "$BRANCH" \
-            --title "Release: $VERSION" \
+            --dry-run=${{ inputs.dry_run }} \
+            -B "${{ steps.branch.outputs.branch }}" \
+            --title "Release: ${{ inputs.version }}" \
            --body "These code changes must be merged after a release is complete"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/remove-milestone.yml
+++ b/.github/workflows/remove-milestone.yml
@@ -0,0 +1,60 @@
+name: Remove milestone
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: Needs to match, exactly, the name of a milestone
+  workflow_call:
+    inputs:
+      version_call:
+        description: Needs to match, exactly, the name of a milestone
+        required: true
+        type: string
+
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Remove milestone from open issues (manually invoked)
+        if: ${{ github.event.inputs.version != '' }}
+        uses: ./actions/remove-milestone
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Remove milestone from open issues (workflow invoked)
+        if: ${{ inputs.version_call != '' }}
+        uses: ./actions/remove-milestone
+        with:
+          version_call: ${{ inputs.version_call }}
+          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/run-dashboard-search-e2e.yml
+++ b/.github/workflows/run-dashboard-search-e2e.yml
@@ -1,130 +0,0 @@
-name: run-dashboard-search-e2e
-
-on:
-  workflow_run:
-    workflows: 
-      - trigger-dashboard-search-e2e
-    types:
-      - completed
-  workflow_dispatch:
-
-env:
-  ARCH: linux-amd64
-
-permissions: {}
-
-jobs:
-  setup:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    outputs:
-      ini_files: ${{ steps.get_files.outputs.ini_files }}
-
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Pin Go version to mod file
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-          cache: true
-      - run: go version
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'yarn'
-      - name: Cache Node Modules
-        id: cache-node-modules
-        uses: actions/cache@v3
-        with:
-          path: |
-            node_modules
-            /home/runner/.cache/Cypress
-          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
-      - name: Install dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        run: yarn install --immutable
-      - name: Install Cypress dependencies
-        if: steps.cache-node-modules.outputs.cache-hit != 'true'
-        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
-        with:
-          runTests: false
-      - name: Cache Grafana Build and Dependencies
-        id: cache-grafana
-        uses: actions/cache@v3
-        with:
-          path: |
-            bin/
-            scripts/grafana-server/
-            tools/
-            public/
-            conf/
-            e2e/test-plugins/
-            devenv/
-          key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
-      # only rebuild grafana if search files have changed ( or dependencies )
-      - name: Build Grafana (Runs Only If Not Cached)
-        if: steps.cache-grafana.outputs.cache-hit != 'true'
-        run: make build
-
-      - name: Get list of .ini files
-        id: get_files
-        run: |
-          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
-          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
-        shell: bash
-
-  run_tests:
-      needs: setup
-      runs-on: ubuntu-latest
-      continue-on-error: true
-      if: github.event.pull_request.draft == false
-      strategy:
-        matrix:
-          ini_file: ${{ fromJson(needs.setup.outputs.ini_files) }}
-
-      permissions:
-        contents: read
-        id-token: write
-
-      steps:
-        - name: Checkout repository
-          uses: actions/checkout@v4
-        - name: Restore Cached Node Modules
-          uses: actions/cache@v3
-          with:
-            path: |
-              node_modules
-              /home/runner/.cache/Cypress
-            key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
-
-        - name: Restore Cached Grafana Build and Dependencies
-          uses: actions/cache@v3
-          with:
-            path: |
-              bin/
-              scripts/grafana-server/
-              tools/
-              public/
-              conf/
-              e2e/test-plugins/
-              devenv/
-            key: ${{ runner.os }}-grafana-${{ hashFiles('go.mod', 'package-lock.json', 'Makefile', 'pkg/storage/**/*.go', 'public/app/features/search/**/*.ts', 'public/app/features/search/**/*.tsx') }}
-        - name: Set the step name
-          id: set_file_name
-          env:
-            INI_NAME: ${{ matrix.ini_file }}
-          run: |
-            FILE_NAME=$(basename "$env.INI_NAME" .ini)
-            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
-        - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
-          env:
-            INI_NAME: ${{ matrix.ini_file }}
-          run: |
-            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
-            yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"
--- a/.github/workflows/run-e2e-suite.yml
+++ b/.github/workflows/run-e2e-suite.yml
@@ -1,39 +0,0 @@
-name: e2e suite
-
-on:
-  workflow_call:
-    inputs:
-      package:
-        type: string
-        required: true
-      suite:
-        type: string
-        required: true
-
-jobs:
-  main:
-    runs-on: ubuntu-latest-8-cores
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ inputs.package }}
-      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          verb: run
-          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
-      - name: Set suite name
-        id: set-suite-name
-        if: always()
-        env:
-          SUITE: ${{ inputs.suite }}
-        run: |
-          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
-      - uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
-          path: videos
-          retention-days: 1
--- a/.github/workflows/run-schema-v2-e2e.yml
+++ b/.github/workflows/run-schema-v2-e2e.yml
@@ -1,46 +0,0 @@
-name: Run dashboard schema v2 e2e
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '**' 
-
-env:
-  ARCH: linux-amd64
-
-jobs:
-  dashboard-schema-v2-e2e:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Pin Go version to mod file
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - run: go version
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-          cache: 'yarn'
-      - name: Install dependencies
-        run: yarn install --immutable
-      - name: Build grafana
-        run: make build
-      - name: Install Cypress dependencies
-        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
-        with:
-          runTests: false
-      - name: Run dashboard scenes e2e
-        run: yarn e2e:schema-v2 || echo "Test failed but marking as success since schema V2 is behind a feature flag and should not block PRs"
-      
-      - name: Always succeed # This is a workaround to make the job pass even if the previous step fails
-        if: failure()
-        run: exit 0
--- a/.github/workflows/sbom-report.yml
+++ b/.github/workflows/sbom-report.yml
@@ -0,0 +1,20 @@
+name: syft-sbom-ci
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  syft-sbom:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+        
+    - name: Anchore SBOM Action
+      uses: anchore/sbom-action@v0.14.2
+      with:
+         artifact-name: ${{ github.event.repository.name }}-spdx.json
+
--- a/.github/workflows/scripts/crowdin/create-tasks.js
+++ b/.github/workflows/scripts/crowdin/create-tasks.js
@@ -1,84 +0,0 @@
-const crowdin = require('@crowdin/crowdin-api-client');
-const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
-
-const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
-if (!API_TOKEN) {
-  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
-  process.exit(1);
-}
-
-const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
-if (!PROJECT_ID) {
-  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
-  process.exit(1);
-}
-
-const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
-  token: API_TOKEN,
-  organization: 'grafana'
-});
-
-const languages = await getLanguages();
-const fileIds = await getFileIds();
-console.log('Languages: ', languages);
-console.log('File IDs: ', fileIds);
-
-// for (const language of languages) {
-//   const { name, id } = language;
-//   await createTask(`Translate to ${name}`, id, fileIds);
-// }
-
-async function getLanguages() {
-  try {
-    const project = await projectsGroupsApi.getProject(PROJECT_ID);
-    const languages = project.data.targetLanguages;
-    return languages;
-  } catch (error) {
-    console.error('Failed to fetch languages: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getFileIds() {
-  try {
-    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
-    const files = response.data;
-    const fileIds = files.map(file => file.data.id);
-    return fileIds;
-  } catch (error) {
-    console.error('Failed to fetch file IDs: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function createTask(title, languageId, fileIds) {
-  try {
-    const taskParams = {
-      title,
-      description: TRANSLATED_CONNECTOR_DESCRIPTION,
-      languageId,
-      type: 2, // Translation by vendor
-      workflowStepId: 78, // Translation step ID
-      skipAssignedStrings: true,
-      fileIds,
-    };
-
-    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
-
-    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
-    console.log(`Task created successfully! Task ID: ${response.data.id}`);
-    return response.data;
-  } catch (error) {
-    console.error('Failed to create Crowdin task: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
--- a/.github/workflows/scripts/pr-get-job-link.js
+++ b/.github/workflows/scripts/pr-get-job-link.js
@@ -0,0 +1,9 @@
+
+module.exports = async ({ name, github, context, core }) => {
+    const { owner, repo } = context.repo;
+    const url = `https://api.github.com/repos/${owner}/${repo}/actions/runs/${context.runId}/jobs`
+    const result = await github.request(url);
+    const job = result.data.jobs.find(j => j.name === name);
+    
+    core.setOutput('link', `${job.html_url}?check_suite_focus=true`);
+}
--- a/.github/workflows/skye-add-to-project.yml
+++ b/.github/workflows/skye-add-to-project.yml
@@ -1,106 +0,0 @@
-name: Add issues and PRs to Skye project board
-on:
-  workflow_dispatch:
-    inputs:
-      manual_issue_number:
-        description: 'Issue/PR number to add to project'
-        required: false
-        type: number
-  issues:
-    types: [opened]
-  pull_request:
-    types: [opened]
-
-permissions:
-  contents: read
-  id-token: write
-
-env:
-  ORGANIZATION: grafana
-  REPO: grafana
-  PROJECT_ID: "PVT_kwDOAG3Mbc4AxfcI" # Retrieved manually from GitHub GraphQL Explorer
-
-concurrency:
-  group: skye-add-to-project-${{ github.event.number }}
-
-jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
-        with:
-          # Vault secret paths:
-          # - ci/repo/grafana/grafana/grafana_pr_automation_app
-          # - ci/repo/grafana/grafana/frontend_platform_skye_usernames (comma separated list of usernames)
-          repo_secrets: |
-            GH_APP_ID=grafana_pr_automation_app:app_id
-            GH_APP_PEM=grafana_pr_automation_app:app_pem
-            ALLOWED_USERS=frontend_platform_skye_usernames:allowed_users
-
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ env.GH_APP_ID }}
-          private_key: ${{ env.GH_APP_PEM }}
-
-      # Check if the user is in the list from the secret
-      - name: Check if user is allowed
-        id: check_user
-        env:
-          ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
-          USERNAME: ${{ github.event.sender.login }}
-        run: |
-          # Convert the comma-separated list to an array
-          IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"
-
-          # Check if user is in the allowed list
-          for allowed_user in "${ALLOWED_USERS[@]}"; do
-            if [ "$allowed_user" = "$USERNAME" ]; then
-              echo "user_allowed=true" >> $GITHUB_OUTPUT
-              exit 0
-            fi
-          done
-          echo "user_allowed=false" >> $GITHUB_OUTPUT
-
-      # Convert the issue/PR number to a node ID for the GraphQL API
-      - name: Get node ID for item
-        if: steps.check_user.outputs.user_allowed == 'true'
-        id: get_node_id
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
-        with:
-          query: |
-            query getNodeId($owner: String!, $repo: String!, $number: Int!) {
-              repository(owner: $owner, name: $repo) {
-                issueOrPullRequest(number: $number) {
-                  ... on Issue { id }
-                  ... on PullRequest { id }
-                }
-              }
-            }
-          variables: |
-            owner: ${{ env.ORGANIZATION }}
-            repo: ${{ env.REPO }}
-            number: ${{ github.event.number || github.event.inputs.manual_issue_number }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-      # Finally, add the issue/PR to the project board
-      - name: Add to project board
-        if: steps.check_user.outputs.user_allowed == 'true'
-        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
-        with:
-          query: |
-            mutation addItem($projectid: ID!, $itemid: ID!) {
-              addProjectV2ItemById(input: {projectId: $projectid, contentId: $itemid}) {
-                item { id }
-              }
-            }
-          variables: |
-            projectid: ${{ env.PROJECT_ID }}
-            itemid: ${{ fromJSON(steps.get_node_id.outputs.data).repository.issueOrPullRequest.id }}
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/storybook-verification.yml
+++ b/.github/workflows/storybook-verification.yml
@@ -1,48 +0,0 @@
-name: Verify Storybook
-
-on:
-  pull_request:
-    paths:
-      - 'packages/grafana-ui/**'
-      - '!docs/**'
-      - '!*.md'
-  push:
-    branches:
-      - main
-    paths:
-      - 'packages/grafana-ui/**'
-      - '!docs/**'
-      - '!*.md'
-
-jobs:
-  verify-storybook:
-    name: Verify Storybook
-    runs-on: ubuntu-latest
-    
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: 'package.json'
-          cache: 'yarn'
-      
-      - name: Install dependencies
-        run: yarn install --immutable
-      
-      - name: Run Storybook and E2E tests
-        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
-        with:
-          browser: chrome
-          start: yarn storybook --quiet
-          wait-on: 'http://localhost:9001'
-          wait-on-timeout: 60
-          command: yarn e2e:storybook
-          install: false
-        env:
-          HOST: localhost
-          PORT: 9001
--- a/.github/workflows/sync-mirror-event.yml
+++ b/.github/workflows/sync-mirror-event.yml
@@ -1,63 +0,0 @@
-# Owned by grafana-delivery-squad
-# Intended to be dropped into the base repo, Ex: grafana/grafana
-name: Dispatch sync to mirror
-run-name: dispatch-sync-to-mirror-${{ github.ref_name }}
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - "main"
-      - "v*.*.*"
-      - "release-*"
-
-permissions: {}
-
-# This is run after the pull request has been merged, so we'll run against the target branch
-jobs:
-  dispatch-job:
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-      actions: write
-    env:
-      REF_NAME: ${{ github.ref_name }}
-      REPO: ${{ github.repository }}
-      SHA: ${{ github.sha }}
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-
-      - uses: actions/github-script@v7
-        if: github.repository == 'grafana/grafana'
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {REF_NAME, REPO, SHA} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'security-patch-actions',
-                workflow_id: 'mirror-branch-and-apply-patches-event.yml',
-                ref: 'main',
-                inputs: {
-                  src_ref: REF_NAME,
-                  src_repo: REPO,
-                  src_sha: SHA,
-                  dest_repo: REPO + "-security-mirror",
-                  patch_repo: REPO + "-security-patches"
-                }
-            })
--- a/.github/workflows/sync-mirror.yml
+++ b/.github/workflows/sync-mirror.yml
@@ -0,0 +1,25 @@
+# Owned by grafana-release-guild
+# Intended to be dropped into the base repo, Ex: grafana/grafana
+name: Sync to mirror
+run-name: sync-to-mirror-${{ github.ref_name }}
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "v*.*.*"
+      - "release-*"
+
+# This is run after the pull request has been merged, so we'll run against the target branch
+jobs:
+  trigger_downstream_patch_mirror:
+    concurrency: patch-mirror-${{ github.ref_name }}
+    uses: grafana/security-patch-actions/.github/workflows/mirror-branch-and-apply-patches.yml@main
+    if: github.repository == 'grafana/grafana'
+    with:
+      ref: "${{ github.ref_name }}" # this is the target branch name, Ex: "main"
+      src_repo: "${{ github.repository }}"
+      dest_repo: "${{ github.repository }}-security-mirror"
+      patch_repo: "${{ github.repository }}-security-patches"
+    secrets: inherit
+
--- a/.github/workflows/trigger-dashboard-search-e2e.yml
+++ b/.github/workflows/trigger-dashboard-search-e2e.yml
@@ -1,28 +0,0 @@
-name: trigger-dashboard-search-e2e
-# triggers the dashboard search e2e tests which runs async 
-# doesn't block prs, allows setting up notifications from grafana
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - public/app/features/search/**/*.ts
-      - public/app/features/search/**/*.tsx
-      - pkg/storage/**/*.go
-  pull_request:
-    branches:
-      - main
-    paths:
-      - public/app/features/search/**/*.ts
-      - public/app/features/search/**/*.tsx
-      - pkg/storage/**/*.go
-env:
-  ARCH: linux-amd64
-
-jobs:
-  trigger-search-e2e:
-    runs-on: ubuntu-latest
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: Trigger Dashboard Search E2E
-        run: echo "Triggered Dashboard Search e2e..."
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -4,64 +4,48 @@ on:
    # only run on PRs where go.mod/go.sum/etc have been updated
    paths:
      - go.*
-      - .github/workflows/trivy-scan.yml
  push:
    branches:
      - main
    paths:
      - go.*
-      - .github/workflows/trivy-scan.yml

 jobs:
  trivy-scan:
    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
-    - name: Install Trivy
-      uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
-      with:
-        version: v0.56.2
-        cache: true
-    - name: Download Trivy DB
-      run: |
-        trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
    - name: Run Trivy vulnerability scanner (table output)
-      # Use the trivy binary rather than the aquasecurity/trivy-action action
-      # to avoid a few bugs.
-      #
-      # We scan the file system rather than building the Docker image to only scan
-      # our direct dependencies. The Docker images are still scanned by
-      # Vulnerability Observability:
-      #   - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
-      #   - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
-      #   (If these links are outdated, just go to the list and find the images manually.)
-      run: |
-        trivy fs \
-          --scanners vuln \
-          --format table \
-          --exit-code 1 \
-          --ignore-unfixed \
-          --pkg-types os,library \
-          --severity CRITICAL,HIGH \
-          --ignorefile .trivyignore \
-          --skip-files yarn.lock,package.json \
-          --skip-db-update \
-          .
+      uses: aquasecurity/trivy-action@0.24.0
+      with:
+        # scan the filesystem, rather than building a Docker image prior - the
+        # downside is we won't catch dependencies that are only installed in the
+        # image, but the upside is we'll only catch vulnerabilities that are
+        # explicitly in the our dependencies
+        scan-type: 'fs'
+        scanners: 'vuln'
+        format: 'table'
+        exit-code: 1
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+        trivyignores: .trivyignore
+        # for the PR check, ignore JS-related issues
+        skip-files: 'yarn.lock,package.json'
    - name: Run Trivy vulnerability scanner (SARIF)
-      # Use the trivy binary rather than the aquasecurity/trivy-action action
-      # to avoid a few bugs
-      run: |
-        trivy fs \
-          --scanners vuln \
-          --format sarif \
-          --output trivy-results.sarif \
-          --ignore-unfixed \
-          --pkg-types os,library \
-          --ignorefile .trivyignore \
-          --skip-db-update \
-          .
+      uses: aquasecurity/trivy-action@0.24.0
+      with:
+        scan-type: 'fs'
+        scanners: 'vuln'
+        # Note: The SARIF format ignores severity and uploads all vulns for
+        # later triage. The table-format step above is used to fail the build
+        # if there are any critical or high vulnerabilities.
+        # See https://github.com/aquasecurity/trivy-action/issues/95
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        trivyignores: .trivyignore
      if: always() && github.repository == 'grafana/grafana'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -0,0 +1,52 @@
+name: Update changelog
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        description: 'Needs to match, exactly, the name of a milestone. The version to be released please respect: major.minor.patch, major.minor.patch-preview or major.minor.patch-preview<number> format. example: 7.4.3, 7.4.3-preview or 7.4.3-preview1'
+      skip_pr:
+        required: false
+        default: "0"
+      skip_community_post:
+        required: false
+        default: "0"
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&
+                        secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '' &&
+                        secrets.GRAFANA_MISC_STATS_API_KEY != '' &&
+                        secrets.GRAFANABOT_FORUM_KEY != ''
+                        ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: Run update changelog (manually invoked)
+        uses: grafana/grafana-github-actions-go/update-changelog@main
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          version: ${{ inputs.version }}
+          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
+          community_api_username: grafanabot
+          skip_pr: ${{ inputs.skip_pr }}
+          skip_community_post: ${{ inputs.skip_community_post }}
--- a/.github/workflows/update-make-docs.yml
+++ b/.github/workflows/update-make-docs.yml
@@ -9,9 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1 # zizmor: ignore[unpinned-uses]
+      - uses: grafana/writers-toolkit/update-make-docs@update-make-docs/v1
        with:
          pr_options: >
            --label 'backport v10.1.x'
--- a/.github/workflows/verify-kinds.yml
+++ b/.github/workflows/verify-kinds.yml
@@ -14,10 +14,9 @@ jobs:
        uses: "actions/checkout@v4"
        with:
          fetch-depth: 0
-          persist-credentials: false

      - name: "Setup Go"
-        uses: "actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639"
+        uses: "actions/setup-go@v4"
        with:
          go-version-file: go.mod

--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,31 +0,0 @@
-rules:
-  unpinned-uses:
-    config:
-      policies:
-        "*": hash-pin
-        actions/*: any
-        github/*: any
-        grafana/*: any
-  forbidden-uses:
-    config:
-      deny:
-        # Policy-banned by our security team due to CVE-2025-30066 & CVE-2025-30154.
-        # https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction
-        # https://nvd.nist.gov/vuln/detail/cve-2025-30066
-        # https://nvd.nist.gov/vuln/detail/cve-2025-30154
-        - reviewdog/*
-  cache-poisoning:
-    ignore:
-      - backend-unit-tests.yml
-      - frontend-lint.yml
-      - pr-frontend-unit-tests.yml
-      - pr-test-integration.yml
-      - publish-kinds-release.yml
-  dangerous-triggers:
-    ignore:
-      - auto-milestone.yml
-      - backport.yml
-      - pr-checks.yml
-      - pr-commands.yml
-      - pr-patch-check-event.yml
-      - run-dashboard-search-e2e.yml
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,21 +1,3 @@
-<!-- 11.3.6 START -->
-
-# 11.3.6 (2025-04-22)
-
-### Features and enhancements
-
- **Chore:** Update libs with CVE in dependencies [#102710](https://github.com/grafana/grafana/pull/102710), [@grambbledook](https://github.com/grambbledook)
- **Go:** Bump to 1.24.2 [#103528](https://github.com/grafana/grafana/pull/103528), [@Proximyst](https://github.com/Proximyst)
- **Go:** Bump to 1.24.2 (Enterprise)
-
-### Bug fixes
-
- **Auth:** Fix SAML user IsExternallySynced not being set correctly [#103101](https://github.com/grafana/grafana/pull/103101), [@volcanonoodle](https://github.com/volcanonoodle)
- **AuthN:** Refetch user on "ErrUserAlreadyExists" [#102983](https://github.com/grafana/grafana/pull/102983), [@kalleep](https://github.com/kalleep)
- **Security:** Fix CVE-2025-3454
- **Security:** Fix CVE-2025-2703
-
-<!-- 11.3.6 END -->
 <!-- 11.3.5 START -->

 # 11.3.5 (2025-03-25)
--- a/2
+++ b/2
@@ -6,7 +6,7 @@
 ARG BASE_IMAGE=alpine:3.21
 ARG JS_IMAGE=node:20-alpine
 ARG JS_PLATFORM=linux/amd64
-ARG GO_IMAGE=golang:1.24.3-alpine
+ARG GO_IMAGE=golang:1.24.2-alpine

 # Default to building locally
 ARG GO_SRC=go-builder
--- a/2
+++ b/2
@@ -8,7 +8,7 @@ WIRE_TAGS = "oss"
 include .bingo/Variables.mk

 GO = go
-GO_VERSION = 1.24.3
+GO_VERSION = 1.24.2
 GO_LINT_FILES ?= $(shell ./scripts/go-workspace/golangci-lint-includes.sh)
 GO_TEST_FILES ?= $(shell ./scripts/go-workspace/test-includes.sh)
 SH_FILES ?= $(shell find ./scripts -name *.sh)
--- a/apps/playlist/go.mod
+++ b/apps/playlist/go.mod
@@ -1,11 +1,11 @@
 module github.com/grafana/grafana/apps/playlist

-go 1.24.3
+go 1.24.2

 require (
 	github.com/grafana/grafana-app-sdk v0.19.0
-	k8s.io/apimachinery v0.32.1
-	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
+	k8s.io/apimachinery v0.31.1
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 )

 require (
@@ -18,7 +18,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -29,14 +28,14 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/net v0.40.0 // indirect
-	golang.org/x/text v0.25.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
-	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
--- a/apps/playlist/go.sum
+++ b/apps/playlist/go.sum
@@ -21,8 +21,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -69,8 +69,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -79,8 +79,8 @@ golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
-golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -89,26 +89,29 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
+k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
-k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
-sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
+k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
--- a/devenv/docker/blocks/prometheus_high_card/go.mod
+++ b/devenv/docker/blocks/prometheus_high_card/go.mod
@@ -1,6 +1,6 @@
 module high-card

-go 1.24.3
+go 1.24.2

 require (
 	github.com/prometheus/client_golang v1.20.2
@@ -15,6 +15,6 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 )
--- a/devenv/docker/blocks/prometheus_high_card/go.sum
+++ b/devenv/docker/blocks/prometheus_high_card/go.sum
@@ -20,7 +20,7 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++8WpuKPcR5yjLBjvLEA=
 golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
--- a/docs/sources/setup-grafana/set-up-for-high-availability.md
+++ b/docs/sources/setup-grafana/set-up-for-high-availability.md
@@ -19,11 +19,11 @@ weight: 900

 # Set up Grafana for high availability

-{{< admonition type="note" >}}
+{{% admonition type="note" %}}
 To prevent duplicate alerts in Grafana high availability, additional steps are required.

 Please refer to [Alerting high availability](#alerting-high-availability) for more information.
-{{< /admonition >}}
+{{% /admonition %}}

 Grafana uses an embedded sqlite3 database to store users, dashboards, and other persistent data by default. For high availability, you must use a shared database to store this data. This shared database can be either MySQL or Postgres.

@@ -31,12 +31,6 @@ Grafana uses an embedded sqlite3 database to store users, dashboards, and other
  <img src="/static/img/docs/tutorials/grafana-high-availability.png"  max-width= "800px" class="center" />
 </div>

-## Architecture
-
-Your Grafana high availability environment will consist of two or more Grafana servers (cluster nodes) served by a load balancing reverse proxy. The cluster uses an active-active architecture with the load balancer allocating traffic between nodes and re-allocating traffic to surviving nodes should there be failures. You need to configure your load balancer with a listener that responds to a shared cluster hostname. The shared name is the hostname your users use to access Grafana.
-
-For ease of use, we recommend you configure your load balancer to provide SSL termination. The shared Grafana database tracks session information, so your load balancer won't need to provide session affinity services. See your load balancer's documentation for details on its configuration and operations.
-
 ## Before you begin

 Before you complete the following tasks, configure a MySQL or Postgres database to be highly available. Configuring the MySQL or Postgres database for high availability is out of the scope of this guide, but you can find instructions online for each database.
@@ -45,14 +39,6 @@ Before you complete the following tasks, configure a MySQL or Postgres database

 Once you have a Postgres or MySQL database available, you can configure your multiple Grafana instances to use a shared backend database. Grafana has default and custom configuration files, and you can update the database settings by updating your custom configuration file as described in the [[database]](../configure-grafana/#database). Once configured to use a shared database, your multiple Grafana instances will persist all long-term data in that database.

-## Grafana Enterprise only: License your Grafana servers
-
-If you're using Grafana Enterprise:
-
-1. Get a license token in the name of your cluster's shared hostname.
-1. Edit the [`host_url`](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/setup-grafana/configure-grafana/#root_url) setting in each node's `grafana.ini` configuration file to reflect the cluster's shared hostname.
-1. Install the license key as normal. For more information on installing your license key, refer to [Add your license to a Grafana instance](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/enterprise-licensing/#step-2-add-your-license-to-a-grafana-instance).
-
 ## Alerting high availability

 Grafana Alerting provides a high availability mode. It preserves the semantics of legacy dashboard alerting by executing all alerts on every server and by sending notifications only once per alert. Load distribution between servers is not supported at this time.
--- a/docs/sources/setup-grafana/set-up-grafana-monitoring.md
+++ b/docs/sources/setup-grafana/set-up-grafana-monitoring.md
@@ -73,11 +73,11 @@ These instructions assume you have already added Prometheus as a data source in
   ```
   - job_name: 'grafana_metrics'

-     scrape_interval: 15s
-     scrape_timeout: 5s
+      scrape_interval: 15s
+      scrape_timeout: 5s

-     static_configs:
-       - targets: ['localhost:3000']
+      static_configs:
+        - targets: ['localhost:3000']
   ```

 1. Restart Prometheus. Your new job should appear on the Targets tab.
@@ -147,12 +147,12 @@ These instructions assume you have already added Prometheus as a data source in
   ```
   - job_name: 'grafana_github_datasource'

-     scrape_interval: 15s
-     scrape_timeout: 5s
-     metrics_path: /metrics/plugins/grafana-test-datasource
+      scrape_interval: 15s
+      scrape_timeout: 5s
+      metrics_path: /metrics/plugins/grafana-test-datasource

-     static_configs:
-       - targets: ['localhost:3000']
+      static_configs:
+        - targets: ['localhost:3000']
   ```

 1. Restart Prometheus. Your new job should appear on the Targets tab.
--- a/e2e/cloud-plugins-suite/azure-monitor.spec.ts
+++ b/e2e/cloud-plugins-suite/azure-monitor.spec.ts
@@ -124,7 +124,7 @@ const storageAcctName = 'azmonteststorage';
 const logAnalyticsName = 'az-mon-test-logs';
 const applicationInsightsName = 'az-mon-test-ai-a';

-describe.skip('Azure monitor datasource', () => {
+describe('Azure monitor datasource', () => {
  before(() => {
    e2e.flows.login(Cypress.env('USERNAME'), Cypress.env('PASSWORD'));

--- a/e2e/test-plugins/grafana-extensionstest-app/package.json
+++ b/e2e/test-plugins/grafana-extensionstest-app/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@test-plugins/extensions-test-app",
-  "version": "11.3.7",
+  "version": "11.3.6",
  "private": true,
  "scripts": {
    "build": "webpack -c ./webpack.config.ts --env production",
@@ -12,7 +12,7 @@
  "license": "Apache-2.0",
  "devDependencies": {
    "@grafana/eslint-config": "7.0.0",
-    "@grafana/plugin-configs": "11.3.7",
+    "@grafana/plugin-configs": "11.3.6",
    "@types/lodash": "4.17.7",
    "@types/node": "20.14.14",
    "@types/prismjs": "1.26.4",
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/grafana/grafana

-go 1.24.3
+go 1.24.2

 // contains openapi encoder fixes. remove ASAP
 replace cuelang.org/go => github.com/grafana/cue v0.0.0-20230926092038-971951014e3f // @grafana/grafana-as-code
@@ -13,8 +13,8 @@ replace github.com/prometheus/prometheus => github.com/prometheus/prometheus v0.
 require (
 	buf.build/gen/go/parca-dev/parca/bufbuild/connect-go v1.10.0-20240523185345-933eab74d046.1 // @grafana/observability-traces-and-profiling
 	buf.build/gen/go/parca-dev/parca/protocolbuffers/go v1.34.1-20240523185345-933eab74d046.1 // @grafana/observability-traces-and-profiling
-	cloud.google.com/go/kms v1.20.1 // @grafana/grafana-backend-group
-	cloud.google.com/go/storage v1.49.0 // @grafana/grafana-backend-group
+	cloud.google.com/go/kms v1.18.5 // @grafana/grafana-backend-group
+	cloud.google.com/go/storage v1.43.0 // @grafana/grafana-backend-group
 	cuelang.org/go v0.6.0-0.dev // @grafana/grafana-as-code
 	filippo.io/age v1.2.1 // @grafana/identity-access-team
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // @grafana/partner-datasources
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // @grafana/alerting-backend
 	github.com/go-redis/redis/v8 v8.11.5 // @grafana/grafana-backend-group
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // @grafana/grafana-backend-group
-	github.com/go-sql-driver/mysql v1.9.2 // @grafana/grafana-search-and-storage
+	github.com/go-sql-driver/mysql v1.8.1 // @grafana/grafana-search-and-storage
 	github.com/go-stack/stack v1.8.1 // @grafana/grafana-backend-group
 	github.com/gobwas/glob v0.2.3 // @grafana/grafana-backend-group
 	github.com/gogo/protobuf v1.3.2 // @grafana/alerting-backend
@@ -66,10 +66,10 @@ require (
 	github.com/golang/mock v1.6.0 // @grafana/alerting-backend
 	github.com/golang/protobuf v1.5.4 // @grafana/grafana-backend-group
 	github.com/golang/snappy v0.0.4 // @grafana/alerting-backend
-	github.com/google/go-cmp v0.7.0 // @grafana/grafana-backend-group
+	github.com/google/go-cmp v0.6.0 // @grafana/grafana-backend-group
 	github.com/google/uuid v1.6.0 // @grafana/grafana-backend-group
 	github.com/google/wire v0.6.0 // @grafana/grafana-backend-group
-	github.com/googleapis/gax-go/v2 v2.14.1 // @grafana/grafana-backend-group
+	github.com/googleapis/gax-go/v2 v2.13.0 // @grafana/grafana-backend-group
 	github.com/gorilla/mux v1.8.1 // @grafana/grafana-backend-group
 	github.com/gorilla/websocket v1.5.0 // @grafana/grafana-app-platform-squad
 	github.com/grafana/alerting v0.0.0-20250228212059-bc4a3c128098 // @grafana/alerting-backend
@@ -100,7 +100,7 @@ require (
 	github.com/grafana/pyroscope/api v0.3.0 // @grafana/observability-traces-and-profiling
 	github.com/grafana/tempo v1.5.1-0.20240604192202-01f4bc8ac2d1 // @grafana/observability-traces-and-profiling
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 // @grafana/plugins-platform-backend
-	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.2 // @grafana/grafana-backend-group
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.2.0 // @grafana/grafana-backend-group
 	github.com/hashicorp/go-hclog v1.6.3 // @grafana/plugins-platform-backend
 	github.com/hashicorp/go-multierror v1.1.1 // @grafana/alerting-squad
 	github.com/hashicorp/go-plugin v1.6.1 // @grafana/plugins-platform-backend
@@ -128,21 +128,21 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // @grafana/alerting-backend
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // @grafana/alerting-backend
 	github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f // @grafana/grafana-operator-experience-squad
-	github.com/oapi-codegen/oapi-codegen/v2 v2.4.1 // @grafana/grafana-as-code
+	github.com/oapi-codegen/oapi-codegen/v2 v2.3.0 // @grafana/grafana-as-code
 	github.com/olekukonko/tablewriter v0.0.5 // @grafana/grafana-backend-group
 	github.com/openfga/api/proto v0.0.0-20250127102726-f9709139a369 // @grafana/identity-access-team
-	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250220223040-ed0cfba54336 // @grafana/identity-access-team
-	github.com/openfga/openfga v1.8.12 // @grafana/identity-access-team
+	github.com/openfga/language/pkg/go v0.2.0-beta.2.0.20250121233318-0eae96a39570 // @grafana/identity-access-team
+	github.com/openfga/openfga v1.8.5 // @grafana/identity-access-team
 	github.com/patrickmn/go-cache v2.1.0+incompatible // @grafana/alerting-backend
 	github.com/prometheus/alertmanager v0.27.0 // @grafana/alerting-backend
-	github.com/prometheus/client_golang v1.22.0 // @grafana/alerting-backend
+	github.com/prometheus/client_golang v1.20.5 // @grafana/alerting-backend
 	github.com/prometheus/client_model v0.6.1 // @grafana/grafana-backend-group
-	github.com/prometheus/common v0.62.0 // @grafana/alerting-backend
+	github.com/prometheus/common v0.55.0 // @grafana/alerting-backend
 	github.com/prometheus/prometheus v1.8.2-0.20221021121301-51a44e6657c3 // @grafana/alerting-backend
-	github.com/redis/go-redis/v9 v9.6.3 // @grafana/alerting-backend
+	github.com/redis/go-redis/v9 v9.1.0 // @grafana/alerting-backend
 	github.com/robfig/cron/v3 v3.0.1 // @grafana/grafana-backend-group
 	github.com/russellhaering/goxmldsig v1.4.0 // @grafana/grafana-backend-group
-	github.com/spf13/cobra v1.9.1 // @grafana/grafana-app-platform-squad
+	github.com/spf13/cobra v1.8.1 // @grafana/grafana-app-platform-squad
 	github.com/spf13/pflag v1.0.6 // @grafana-app-platform-squad
 	github.com/spyzhov/ajson v0.9.0 // @grafana/grafana-app-platform-squad
 	github.com/stretchr/testify v1.10.0 // @grafana/grafana-backend-group
@@ -155,56 +155,56 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // @grafana/grafana-operator-experience-squad
 	github.com/yudai/gojsondiff v1.0.0 // @grafana/grafana-backend-group
 	go.opentelemetry.io/collector/pdata v1.6.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // @grafana/plugins-platform-backend
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // @grafana/plugins-platform-backend
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.55.0 // @grafana/grafana-operator-experience-squad
 	go.opentelemetry.io/contrib/propagators/jaeger v1.29.0 // @grafana/grafana-backend-group
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.23.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/otel v1.35.0 // @grafana/grafana-backend-group
+	go.opentelemetry.io/otel v1.34.0 // @grafana/grafana-backend-group
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/otel/sdk v1.35.0 // @grafana/grafana-backend-group
-	go.opentelemetry.io/otel/trace v1.35.0 // @grafana/grafana-backend-group
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // @grafana/grafana-backend-group
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // @grafana/grafana-backend-group
+	go.opentelemetry.io/otel/sdk v1.34.0 // @grafana/grafana-backend-group
+	go.opentelemetry.io/otel/trace v1.34.0 // @grafana/grafana-backend-group
 	go.uber.org/atomic v1.11.0 // @grafana/alerting-backend
 	go.uber.org/goleak v1.3.0 // @grafana/grafana-search-and-storage
 	gocloud.dev v0.39.0 // @grafana/grafana-app-platform-squad
-	golang.org/x/crypto v0.38.0 // @grafana/grafana-backend-group
-	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // @grafana/alerting-backend
-	golang.org/x/mod v0.24.0 // indirect; @grafana/grafana-backend-group
-	golang.org/x/net v0.40.0 // @grafana/oss-big-tent @grafana/partner-datasources
+	golang.org/x/crypto v0.35.0 // @grafana/grafana-backend-group
+	golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // @grafana/alerting-backend
+	golang.org/x/mod v0.20.0 // indirect; @grafana/grafana-backend-group
+	golang.org/x/net v0.36.0 // @grafana/oss-big-tent @grafana/partner-datasources
 	golang.org/x/oauth2 v0.27.0 // @grafana/identity-access-team
-	golang.org/x/sync v0.14.0 // @grafana/alerting-backend
-	golang.org/x/text v0.25.0 // @grafana/grafana-backend-group
-	golang.org/x/time v0.8.0 // @grafana/grafana-backend-group
-	golang.org/x/tools v0.31.0 // @grafana/grafana-as-code
+	golang.org/x/sync v0.11.0 // @grafana/alerting-backend
+	golang.org/x/text v0.22.0 // @grafana/grafana-backend-group
+	golang.org/x/time v0.6.0 // @grafana/grafana-backend-group
+	golang.org/x/tools v0.24.0 // @grafana/grafana-as-code
 	gonum.org/v1/gonum v0.15.1 // @grafana/observability-metrics
-	google.golang.org/api v0.215.0 // @grafana/grafana-backend-group
-	google.golang.org/grpc v1.72.0 // @grafana/plugins-platform-backend
-	google.golang.org/protobuf v1.36.6 // @grafana/plugins-platform-backend
+	google.golang.org/api v0.191.0 // @grafana/grafana-backend-group
+	google.golang.org/grpc v1.70.0 // @grafana/plugins-platform-backend
+	google.golang.org/protobuf v1.36.4 // @grafana/plugins-platform-backend
 	gopkg.in/ini.v1 v1.67.0 // @grafana/alerting-backend
 	gopkg.in/mail.v2 v2.3.1 // @grafana/grafana-backend-group
 	gopkg.in/yaml.v3 v3.0.1 // @grafana/alerting-backend
-	k8s.io/api v0.32.1 // @grafana/grafana-app-platform-squad
-	k8s.io/apimachinery v0.32.1 // @grafana/grafana-app-platform-squad
+	k8s.io/api v0.31.1 // @grafana/grafana-app-platform-squad
+	k8s.io/apimachinery v0.31.1 // @grafana/grafana-app-platform-squad
 	k8s.io/apiserver v0.31.1 // @grafana/grafana-app-platform-squad
-	k8s.io/client-go v0.32.1 // @grafana/grafana-app-platform-squad
+	k8s.io/client-go v0.31.1 // @grafana/grafana-app-platform-squad
 	k8s.io/component-base v0.31.1 // @grafana/grafana-app-platform-squad
 	k8s.io/klog/v2 v2.130.1 // @grafana/grafana-app-platform-squad
 	k8s.io/kube-aggregator v0.31.1 // @grafana/grafana-app-platform-squad
-	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // @grafana/grafana-app-platform-squad
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // @grafana/partner-datasources
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // @grafana-app-platform-squad
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // @grafana/grafana-app-platform-squad
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // @grafana/partner-datasources
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // @grafana-app-platform-squad
 	xorm.io/builder v0.3.6 // @grafana/grafana-backend-group
 	xorm.io/core v0.7.3 // @grafana/grafana-backend-group
 	xorm.io/xorm v0.8.2 // @grafana/alerting-backend
 )

 require (
-	cloud.google.com/go v0.116.0 // indirect
-	cloud.google.com/go/auth v0.13.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	cloud.google.com/go/iam v1.2.2 // indirect
+	cloud.google.com/go v0.115.0 // indirect
+	cloud.google.com/go/auth v0.8.1 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
+	cloud.google.com/go/iam v1.1.13 // indirect
 	github.com/Azure/azure-pipeline-go v0.2.3 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
@@ -235,12 +235,12 @@ require (
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/bboreham/go-loser v0.0.0-20230920113527-fcc2c21820a3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bits-and-blooms/bitset v1.22.0 // indirect
+	github.com/bits-and-blooms/bitset v1.12.0 // indirect
 	github.com/blevesearch/go-porterstemmer v1.0.3 // indirect
 	github.com/blevesearch/mmap-go v1.0.4 // indirect
 	github.com/blevesearch/segment v0.9.1 // indirect
 	github.com/blevesearch/snowballstem v0.9.0 // indirect
-	github.com/blevesearch/vellum v1.1.0 // indirect
+	github.com/blevesearch/vellum v1.0.10 // indirect
 	github.com/blugelabs/ice v1.0.0 // indirect
 	github.com/bufbuild/protocompile v0.4.0 // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
@@ -254,7 +254,7 @@ require (
 	github.com/cockroachdb/apd/v2 v2.0.2 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dennwc/varint v1.0.0 // indirect
 	github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 // indirect
@@ -265,10 +265,10 @@ require (
 	github.com/elazarl/goproxy v1.7.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emicklei/proto v1.10.0 // indirect
-	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
 	github.com/facette/natsort v0.0.0-20181210072756-2cd4dd1e2dcb // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect; @grafana/grafana-app-platform-squad
@@ -289,32 +289,34 @@ require (
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/cel-go v0.25.0 // indirect
+	github.com/google/cel-go v0.23.2 // indirect
 	github.com/google/flatbuffers v24.3.25+incompatible // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/grafana/grafana/pkg/storage/unified/apistore v0.0.0-20240821183201-2f012860344d // @grafana/grafana-search-and-storage
 	github.com/grafana/grafana/pkg/storage/unified/resource v0.0.0-20240821161612-71f0dae39e9d // @grafana/grafana-search-and-storage
 	github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20191002090509-6af20e3a5340 // indirect; @grafana/plugins-platform-backend
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // @grafana/identity-access-team
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.0 // @grafana/identity-access-team
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-msgpack v0.5.5 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/memberlist v0.5.0 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/invopop/jsonschema v0.12.0 // indirect
+	github.com/invopop/yaml v0.3.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.4 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
@@ -325,16 +327,17 @@ require (
 	github.com/jeremywohl/flatten v1.0.1 // @grafana/grafana-app-platform-squad
 	github.com/jessevdk/go-flags v1.5.0 // indirect
 	github.com/jhump/protoreflect v1.15.1 // indirect
-	github.com/jonboulle/clockwork v0.5.0 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/jszwedko/go-datemath v0.1.1-0.20230526204004-640a500621d6 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattetti/filebuffer v1.0.1 // indirect
@@ -353,7 +356,7 @@ require (
 	github.com/mithrandie/go-file/v2 v2.1.0 // indirect
 	github.com/mithrandie/go-text v1.6.0 // indirect
 	github.com/mithrandie/ternary v1.1.1 // indirect
-	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
@@ -367,23 +370,24 @@ require (
 	github.com/oklog/ulid/v2 v2.1.0 // indirect
 	github.com/opentracing-contrib/go-stdlib v1.0.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
-	github.com/pierrec/lz4/v4 v4.1.22 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/pressly/goose/v3 v3.24.2 // indirect
+	github.com/pressly/goose/v3 v3.24.1 // indirect
 	github.com/prometheus/common/sigv4 v0.1.0 // indirect
 	github.com/prometheus/exporter-toolkit v0.11.0 // indirect
-	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 // indirect
 	github.com/redis/rueidis v1.0.45 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/cors v1.11.1 // @grafana/identity-access-team
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.4.0 // indirect
@@ -393,9 +397,9 @@ require (
 	github.com/shurcooL/httpfs v0.0.0-20230704072500-f1e31cf0ba5c // indirect
 	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/afero v1.12.0 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/viper v1.20.1 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
@@ -417,30 +421,30 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.14 // indirect
 	go.mongodb.org/mongo-driver v1.16.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
-	go.uber.org/mock v0.5.2 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // @grafana/identity-access-team
-	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
-	google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect; @grafana/grafana-backend-group
-	google.golang.org/genproto/googleapis/api v0.0.0-20250428153025-10db94c68c34 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250428153025-10db94c68c34 // indirect
+	google.golang.org/genproto v0.0.0-20240812133136-8ffd90a71988 // indirect; @grafana/grafana-backend-group
+	google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/kms v0.31.1 // indirect
-	modernc.org/libc v1.62.1 // indirect
-	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.9.1 // indirect
-	modernc.org/sqlite v1.37.0 // indirect
+	modernc.org/libc v1.55.3 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.8.0 // indirect
+	modernc.org/sqlite v1.34.5 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
-	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect; @grafana-app-platform-squad
 )

@@ -458,45 +462,27 @@ require (
 )

 require (
-	github.com/getkin/kin-openapi v0.132.0 // @grafana/grafana-app-platform-squad
+	github.com/getkin/kin-openapi v0.127.0 // @grafana/grafana-app-platform-squad
 	github.com/grafana/grafana/apps/playlist v0.0.0-20240917082838-e2bce38a7990 // @grafana/grafana-app-platform-squad
 )

 require github.com/jmespath-community/go-jmespath v1.1.1 // @grafana/identity-access-team

 require (
-	cel.dev/expr v0.23.1 // indirect
-	cloud.google.com/go/longrunning v0.6.2 // indirect
-	cloud.google.com/go/monitoring v1.21.2 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
-	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
-	github.com/Yiling-J/theine-go v0.6.1 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	cloud.google.com/go/longrunning v0.5.12 // indirect
+	github.com/Yiling-J/theine-go v0.6.0 // indirect
 	github.com/at-wat/mqtt-go v0.19.4 // indirect
-	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
 	github.com/dolthub/maphash v0.1.0 // indirect
-	github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/gammazero/deque v0.2.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/grafana/grafana-app-sdk v0.19.0 // indirect
 	github.com/grafana/grafana/pkg/semconv v0.0.0-20240808213237-f4d2e064f435 // indirect
 	github.com/grafana/sqlds/v4 v4.1.0 // indirect
 	github.com/maypok86/otter v1.2.2 // indirect
-	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
-	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/shadowspore/fossil-delta v0.0.0-20240102155221-e3a8590b820b // indirect
-	github.com/speakeasy-api/openapi-overlay v0.9.0 // indirect
-	github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
-	github.com/vmware-labs/yaml-jsonpath v0.3.2 // indirect
-	github.com/zeebo/errs v1.4.0 // indirect
-	go.etcd.io/bbolt v1.4.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
 )

 // Use fork of crewjam/saml with fixes for some issues until changes get merged into upstream
@@ -518,18 +504,4 @@ replace github.com/go-sql-driver/mysql => github.com/go-sql-driver/mysql v1.7.1
 replace github.com/google/cel-go => github.com/google/cel-go v0.22.1

 // Pin the version so ngalert functionality isn't affected.
-replace (
-	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.20.4
-	github.com/prometheus/common => github.com/prometheus/common v0.55.0
-)
-
-// Pin it to match the other K8s dependencies version.
-replace (
-	k8s.io/api => k8s.io/api v0.31.1
-	k8s.io/apimachinery => k8s.io/apimachinery v0.31.1
-	k8s.io/client-go => k8s.io/client-go v0.31.1
-	k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
-	k8s.io/utils => k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
-	sigs.k8s.io/json => sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 => sigs.k8s.io/structured-merge-diff/v4 v4.4.1
-)
+replace github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.20.3
--- a/go.sum
+++ b/go.sum
--- a/Show More
+++ b/Show More