Release: 12.0.2+security-01 (#108267 )

* Update changelog * Update version to 12.0.2+security-01 * Update CHANGELOG.md --------- Co-authored-by: grafana-delivery-bot[bot] <grafana-delivery-bot[bot]@users.noreply.github.com> Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>
apply 444-202506261140 manually
2025-07-17 15:13:05 -04:00 · 2025-07-02 17:42:20 +02:00 · 2025-06-17 15:38:51 +00:00
874 changed files with 22105 additions and 30080 deletions
--- a/.betterer.results
+++ b/.betterer.results
@@ -3397,7 +3397,8 @@ exports[`better eslint`] = {
      [0, 0, 0, "Unexpected any. Specify a different type.", "15"],
      [0, 0, 0, "Unexpected any. Specify a different type.", "16"],
      [0, 0, 0, "Unexpected any. Specify a different type.", "17"],
-      [0, 0, 0, "Unexpected any. Specify a different type.", "18"]
+      [0, 0, 0, "Unexpected any. Specify a different type.", "18"],
+      [0, 0, 0, "Unexpected any. Specify a different type.", "19"]
    ],
    "public/app/plugins/datasource/graphite/gfunc.ts:5381": [
      [0, 0, 0, "Do not use any type assertions.", "0"],
--- a/.citools/bra/go.mod
+++ b/.citools/bra/go.mod
@@ -1,6 +1,6 @@
 module bra

-go 1.24.5
+go 1.24.4

 tool github.com/unknwon/bra

--- a/.citools/cog/go.mod
+++ b/.citools/cog/go.mod
@@ -1,6 +1,6 @@
 module cog

-go 1.24.5
+go 1.24.4

 tool github.com/grafana/cog/cmd/cli

@@ -40,11 +40,11 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/yalue/merged_fs v1.3.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/.citools/cog/go.sum
+++ b/.citools/cog/go.sum
@@ -85,20 +85,20 @@ github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4d
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/yalue/merged_fs v1.3.0 h1:qCeh9tMPNy/i8cwDsQTJ5bLr6IRxbs6meakNE5O+wyY=
 github.com/yalue/merged_fs v1.3.0/go.mod h1:WqqchfVYQyclV2tnR7wtRhBddzBvLVR83Cjw9BKQw0M=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/.citools/cue/go.mod
+++ b/.citools/cue/go.mod
@@ -1,6 +1,6 @@
 module cue

-go 1.24.5
+go 1.24.4

 tool cuelang.org/go/cmd/cue

@@ -25,13 +25,13 @@ require (
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/testify v1.10.0 // indirect
 	github.com/tetratelabs/wazero v1.6.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/oauth2 v0.26.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/.citools/cue/go.sum
+++ b/.citools/cue/go.sum
@@ -53,20 +53,20 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tetratelabs/wazero v1.6.0 h1:z0H1iikCdP8t+q341xqepY4EWvHEw8Es7tlqiVzlP3g=
 github.com/tetratelabs/wazero v1.6.0/go.mod h1:0U0G41+ochRKoPKCJlh0jMg1CHkyfK8kDqiirMmKY8A=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
 golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/.citools/golangci-lint/go.mod
+++ b/.citools/golangci-lint/go.mod
@@ -1,6 +1,6 @@
 module golangci-lint

-go 1.24.5
+go 1.24.4

 tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint

@@ -65,7 +65,7 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
@@ -187,11 +187,11 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/.citools/golangci-lint/go.sum
+++ b/.citools/golangci-lint/go.sum
@@ -142,8 +142,8 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v1.1.3 h1:t8Ey3Uy7jDSEisW2K3somuMKIpzktkWptA0iFCnRUWY=
 github.com/go-xmlfmt/xmlfmt v1.1.3/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
@@ -470,8 +470,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -487,8 +487,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -498,8 +498,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -541,8 +541,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200324003944-a576cf524670/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
@@ -561,8 +561,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/.citools/jb/go.mod
+++ b/.citools/jb/go.mod
@@ -1,6 +1,6 @@
 module jb

-go 1.24.5
+go 1.24.4

 tool github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb

--- a/.citools/lefthook/go.mod
+++ b/.citools/lefthook/go.mod
@@ -1,6 +1,6 @@
 module lefthook

-go 1.24.5
+go 1.24.4

 tool github.com/evilmartians/lefthook

@@ -18,7 +18,7 @@ require (
 	github.com/evilmartians/lefthook v1.4.8 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -45,8 +45,7 @@ require (
 	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/.citools/lefthook/go.sum
+++ b/.citools/lefthook/go.sum
@@ -29,8 +29,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -95,10 +95,10 @@ golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 h1:8ajkpB4hXVftY5ko905id+dOnmorcS2CHNxxHLLDcFM=
 gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61/go.mod h1:IfMagxm39Ys4ybJrDb7W3Ob8RwxftP0Yy+or/NVz1O8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/.citools/swagger/go.mod
+++ b/.citools/swagger/go.mod
@@ -1,6 +1,6 @@
 module swagger

-go 1.24.5
+go 1.24.4

 tool github.com/go-swagger/go-swagger/cmd/swagger

@@ -24,7 +24,7 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
@@ -51,12 +51,12 @@ require (
 	github.com/toqueteos/webbrowser v1.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.16.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/.citools/swagger/go.sum
+++ b/.citools/swagger/go.sum
@@ -41,8 +41,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37 h1:KFcZmKdZmapAog2+eL1buervAYrYolBZk7fMecPPDmo=
 github.com/go-swagger/go-swagger v0.30.6-0.20240310114303-db51e79a0e37/go.mod h1:i1/E+d8iPNReSE7y04FaVu5OPKB3il5cn+T1Egogg3I=
-github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
+github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -101,19 +101,19 @@ go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4
 go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
--- a/.drone.star
+++ b/.drone.star
@@ -12,6 +12,7 @@ load("scripts/drone/events/main.star", "main_pipelines")
 load("scripts/drone/events/pr.star", "pr_pipelines")
 load(
    "scripts/drone/events/release.star",
+    "integration_test_pipelines",
    "publish_artifacts_pipelines",
    "publish_npm_pipelines",
    "publish_packages_pipeline",
@@ -37,6 +38,7 @@ def main(_ctx):
        publish_npm_pipelines() +
        publish_packages_pipeline() +
        rgm() +
+        integration_test_pipelines() +
        cronjobs() +
        secrets()
    )
--- a/.drone.yml
+++ b/.drone.yml
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -48,10 +48,7 @@

 /docs/sources/developers/plugins/                                                 @grafana/plugins-platform-frontend @grafana/plugins-platform-backend

-/docs/sources/dashboards/share-dashboards-panels/_index.md                        @imatwawana @jtvdez
-/docs/sources/dashboards/share-dashboards-panels/shared-dashboards/index.md       @jtvdez
 /docs/sources/panels-visualizations/query-transform-data/transform-data/index.md  @imatwawana @baldm0mma
-/docs/sources/panels-visualizations/query-transform-data/sql-expressions/index.md  @lwandz13 @irenerl24
 # END Technical documentation

 # Backend code
@@ -136,12 +133,13 @@
 /pkg/services/apikey/ @grafana/identity-squad
 /pkg/services/cleanup/ @grafana/grafana-backend-group
 /pkg/services/contexthandler/ @grafana/grafana-backend-group @grafana/grafana-app-platform-squad
-/pkg/services/correlations/ @grafana/datapro
+/pkg/services/correlations/ @grafana/dataviz-squad
 /pkg/services/dashboardimport/ @grafana/grafana-backend-group
 /pkg/services/dashboards/ @grafana/grafana-app-platform-squad
 /pkg/services/dashboardversion/ @grafana/grafana-backend-group
 /pkg/services/encryption/ @grafana/grafana-operator-experience-squad
 /pkg/services/folder/ @grafana/grafana-search-and-storage
+/pkg/services/frontend/ @grafana/grafana-frontend-platform
 /pkg/services/apiserver @grafana/grafana-app-platform-squad
 /pkg/services/hooks/ @grafana/grafana-backend-group
 /pkg/services/kmsproviders/ @grafana/grafana-operator-experience-squad
@@ -168,6 +166,7 @@
 /pkg/services/tag/ @grafana/grafana-search-and-storage
 /pkg/services/team/ @grafana/access-squad
 /pkg/services/temp_user/ @grafana/grafana-backend-group
+/pkg/services/updatechecker/ @grafana/grafana-backend-group
 /pkg/services/user/ @grafana/access-squad
 /pkg/services/validations/ @grafana/grafana-backend-group
 /pkg/setting/ @grafana/grafana-backend-services-squad
@@ -175,7 +174,7 @@
 /pkg/tests/apis/ @grafana/grafana-app-platform-squad
 /pkg/tests/apis/query @grafana/grafana-datasources-core-services
 /pkg/tests/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
-/pkg/tests/api/correlations/ @grafana/datapro
+/pkg/tests/api/correlations/ @grafana/dataviz-squad
 /pkg/tsdb/grafanads/ @grafana/grafana-backend-group
 /pkg/tsdb/opentsdb/ @grafana/partner-datasources
 /pkg/util/ @grafana/grafana-backend-group
@@ -189,8 +188,8 @@
 /devenv/docker/blocks/auth/ @grafana/identity-access-team

 # Logs code, developers environment
-/devenv/docker/blocks/loki* @grafana/oss-big-tent
-/devenv/docker/blocks/elastic* @grafana/partner-datasources
+/devenv/docker/blocks/loki* @grafana/observability-logs
+/devenv/docker/blocks/elastic* @grafana/aws-datasources
 /devenv/docker/blocks/self-instrumentation* @grafana/oss-big-tent

 /devenv/bulk-dashboards/ @grafana/dashboards-squad
@@ -227,7 +226,7 @@
 /devenv/dev-dashboards/dashboards.go @grafana/dataviz-squad
 /devenv/dev-dashboards/home.json @grafana/dataviz-squad

-/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/partner-datasources
+/devenv/dev-dashboards/datasource-elasticsearch/ @grafana/aws-datasources
 /devenv/dev-dashboards/datasource-opentsdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-influxdb/ @grafana/partner-datasources
 /devenv/dev-dashboards/datasource-mssql/ @grafana/partner-datasources
@@ -257,6 +256,7 @@
 /devenv/docker/blocks/etcd @grafana/grafana-app-platform-squad
 /devenv/docker/blocks/grafana/ @grafana/grafana-as-code
 /devenv/docker/blocks/graphite/ @grafana/partner-datasources
+/devenv/docker/blocks/graphite09/ @grafana/partner-datasources
 /devenv/docker/blocks/graphite1/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb/ @grafana/partner-datasources
 /devenv/docker/blocks/influxdb1/ @grafana/partner-datasources
@@ -330,8 +330,8 @@

 # Observability backend code
 /pkg/tsdb/prometheus/ @grafana/oss-big-tent
-/pkg/tsdb/elasticsearch/ @grafana/partner-datasources
-/pkg/tsdb/loki/ @grafana/oss-big-tent
+/pkg/tsdb/elasticsearch/ @grafana/aws-datasources
+/pkg/tsdb/loki/ @grafana/observability-logs
 /pkg/tsdb/tempo/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/grafana-pyroscope-datasource/ @grafana/observability-traces-and-profiling
 /pkg/tsdb/parca/ @grafana/oss-big-tent
@@ -368,8 +368,8 @@
 /public/app/features/gops/ @grafana/alerting-frontend

 # Library Services
-/pkg/services/libraryelements/ @grafana/sharing-squad
-/pkg/services/librarypanels/ @grafana/sharing-squad
+/pkg/services/libraryelements/ @grafana/dashboards-squad
+/pkg/services/librarypanels/ @grafana/dashboards-squad

 # Plugins
 /pkg/api/pluginproxy/ @grafana/plugins-platform-backend
@@ -395,11 +395,13 @@
 /public/app/core/internationalization/ @grafana/grafana-frontend-platform
 /e2e/ @grafana/grafana-frontend-platform
 /e2e/cloud-plugins-suite/ @grafana/partner-datasources
+/e2e/plugin-e2e/plugin-e2e-api-tests/ @grafana/plugins-platform-frontend
+/e2e/test-plugins/grafana-extensionstest-app/ @grafana/plugins-platform-frontend

 # Packages
 /packages/ @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend
 /packages/grafana-data/src/**/*logs* @grafana/observability-logs
-/packages/grafana-data/src/transformations/ @grafana/datapro
+/packages/grafana-data/src/transformations/ @grafana/dataviz-squad
 /packages/grafana-e2e-selectors/ @grafana/grafana-frontend-platform
 /packages/grafana-flamegraph/ @grafana/observability-traces-and-profiling
 /packages/grafana-o11y-ds-frontend/ @grafana/observability-logs
@@ -435,6 +437,7 @@
 /packages/grafana-ui/src/graveyard/GraphNG/ @grafana/dataviz-squad
 /packages/grafana-ui/src/graveyard/TimeSeries/ @grafana/dataviz-squad
 /packages/grafana-ui/src/utils/storybook/ @grafana/grafana-frontend-platform
+/packages/grafana-alerting/ @grafana/alerting-frontend

 # root files, mostly frontend
 /.browserslistrc @grafana/frontend-ops
@@ -478,6 +481,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/core/components/Form/ @grafana/grafana-frontend-platform
 /public/app/core/components/OptionsUI/ @grafana/dashboards-squad @grafana/dataviz-squad

+
 /public/app/core/history/ @grafana/observability-traces-and-profiling
 /public/app/features/admin/ @grafana/identity-access-team

@@ -487,29 +491,32 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/actions/ @grafana/dataviz-squad
 /public/app/features/auth-config/ @grafana/identity-squad
 /public/app/features/annotations/ @grafana/dashboards-squad
+/public/app/features/api-keys/ @grafana/identity-squad
 /public/app/features/canvas/ @grafana/dataviz-squad
 /public/app/features/geo/ @grafana/dataviz-squad
 /public/app/features/visualization/data-hover/ @grafana/dataviz-squad
-/public/app/features/commandPalette/ @grafana/grafana-search-navigate-organise
+/public/app/features/commandPalette/ @grafana/grafana-frontend-platform
 /public/app/features/connections/ @grafana/plugins-platform-frontend
-/public/app/features/correlations/ @grafana/datapro
+/public/app/features/correlations/ @grafana/dataviz-squad
 /public/app/features/dashboard/ @grafana/dashboards-squad
-/public/app/features/dashboard/components/TransformationsEditor/ @grafana/datapro
+/public/app/features/dashboard/components/TransformationsEditor/ @grafana/dataviz-squad
 /public/app/features/dashboard-scene/ @grafana/dashboards-squad
-/public/app/features/scopes/ @grafana/grafana-operator-experience-squad
+/public/app/features/scopes/ @grafana/dashboards-squad
 /public/app/features/datasources/ @grafana/plugins-platform-frontend
 /public/app/features/dimensions/ @grafana/dataviz-squad
 /public/app/features/dataframe-import/ @grafana/dataviz-squad
 /public/app/features/explore/ @grafana/observability-traces-and-profiling
 /public/app/features/expressions/ @grafana/grafana-datasources-core-services
-/public/app/features/folders/ @grafana/grafana-search-navigate-organise
+/public/app/features/folders/ @grafana/grafana-frontend-platform
 /public/app/features/inspector/ @grafana/dashboards-squad
+/public/app/features/invites/ @grafana/grafana-frontend-platform
+/public/app/features/library-panels/ @grafana/dashboards-squad
 /public/app/features/logs/ @grafana/observability-logs
 /public/app/features/live/ @grafana/dashboards-squad
 /public/app/features/apiserver/ @grafana/grafana-app-platform-squad
 /public/app/features/manage-dashboards/ @grafana/dashboards-squad
-/public/app/features/notifications/ @grafana/grafana-search-navigate-organise
-/public/app/features/org/ @grafana/grafana-search-navigate-organise
+/public/app/features/notifications/ @grafana/grafana-frontend-platform
+/public/app/features/org/ @grafana/grafana-frontend-platform
 /public/app/features/panel/ @grafana/dashboards-squad
 /public/app/features/playlist/ @grafana/dashboards-squad
 /public/app/features/plugins/ @grafana/plugins-platform-frontend
@@ -517,27 +524,27 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/runtime/ @ryantxu
 /public/app/features/query/ @grafana/dashboards-squad
 /public/app/features/sandbox/ @grafana/grafana-frontend-platform
-/public/app/features/browse-dashboards/ @grafana/grafana-search-navigate-organise
-/public/app/features/search/ @grafana/grafana-search-navigate-organise
+/public/app/features/browse-dashboards/ @grafana/grafana-frontend-platform
+/public/app/features/search/ @grafana/grafana-frontend-platform
 /public/app/features/serviceaccounts/ @grafana/identity-squad
 /public/app/features/teams/ @grafana/access-squad
 /public/app/features/templating/ @grafana/dashboards-squad
 /public/app/features/trails/ @grafana/observability-metrics
-/public/app/features/transformers/ @grafana/datapro
+/public/app/features/transformers/ @grafana/dataviz-squad
 /public/app/features/transformers/timeSeriesTable/ @grafana/dataviz-squad @grafana/app-o11y-visualizations
 /public/app/features/users/ @grafana/access-squad
 /public/app/features/variables/ @grafana/dashboards-squad
 /public/app/features/preferences/ @grafana/grafana-frontend-platform
-/public/app/features/bookmarks/ @grafana/grafana-search-navigate-organise
+/public/app/features/bookmarks/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/alertlist/ @grafana/alerting-frontend
-/public/app/plugins/panel/annolist/ @grafana/dashboards-squad
+/public/app/plugins/panel/annolist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/barchart/ @grafana/dataviz-squad
 /public/app/plugins/panel/bargauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/dashlist/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/dashlist/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/debug/ @ryantxu
 /public/app/plugins/panel/datagrid/ @grafana/dataviz-squad
 /public/app/plugins/panel/gauge/ @grafana/dataviz-squad
-/public/app/plugins/panel/gettingstarted/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/gettingstarted/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/heatmap/ @grafana/dataviz-squad
 /public/app/plugins/panel/histogram/ @grafana/dataviz-squad
 /public/app/plugins/panel/logs/ @grafana/observability-logs
@@ -556,12 +563,12 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/plugins/panel/canvas/ @grafana/dataviz-squad
 /public/app/plugins/panel/candlestick/ @grafana/dataviz-squad
 /public/app/plugins/panel/live/ @grafana/dashboards-squad
-/public/app/plugins/panel/news/ @grafana/dataviz-squad
+/public/app/plugins/panel/news/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/stat/ @grafana/dataviz-squad
-/public/app/plugins/panel/text/ @grafana/dataviz-squad
-/public/app/plugins/panel/welcome/ @grafana/grafana-search-navigate-organise
+/public/app/plugins/panel/text/ @grafana/grafana-frontend-platform
+/public/app/plugins/panel/welcome/ @grafana/grafana-frontend-platform
 /public/app/plugins/panel/xychart/ @grafana/dataviz-squad
-/public/app/routes/ @grafana/grafana-search-navigate-organise
+/public/app/routes/ @grafana/grafana-frontend-platform
 /public/app/store/ @grafana/grafana-frontend-platform
 /public/app/types/ @grafana/grafana-frontend-platform
 /public/app/types/alerting.ts @grafana/alerting-frontend
@@ -589,6 +596,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /public/app/features/explore/NodeGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/FlameGraph/ @grafana/observability-traces-and-profiling
 /public/app/features/explore/TraceView/ @grafana/observability-traces-and-profiling
+/public/app/features/explore/QueryLibrary/ @grafana/grafana-frontend-platform

 /public/api-merged.json @grafana/grafana-backend-group
 /public/api-enterprise-spec.json @grafana/grafana-backend-group
@@ -606,7 +614,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/circle-* @grafana/grafana-developer-enablement-squad
 /scripts/publish-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
 /scripts/validate-npm-packages.sh @grafana/grafana-developer-enablement-squad @grafana/plugins-platform-frontend
-/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad @grafana/datapro
+/scripts/ci-frontend-metrics.sh @grafana/grafana-frontend-platform @grafana/plugins-platform-frontend @grafana/dataviz-squad
 /scripts/cli/ @grafana/grafana-frontend-platform
 /scripts/clean-git-or-error.sh @grafana/grafana-as-code
 /scripts/grafana-server/ @grafana/grafana-frontend-platform
@@ -630,9 +638,11 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /scripts/levitate-show-affected-plugins.js @grafana/plugins-platform-frontend
 /scripts/codemods/explicit-barrel-imports.cjs @grafana/frontend-ops

-/scripts/**/generate-transformations* @grafana/datapro
+/scripts/**/generate-transformations* @grafana/dataviz-squad
 /scripts/webpack/ @grafana/frontend-ops
 /scripts/generate-a11y-report.sh @grafana/grafana-frontend-platform
+.pa11yci.conf.js @grafana/grafana-frontend-platform
+.pa11yci-pr.conf.js @grafana/grafana-frontend-platform
 .betterer.results @grafanabot
 .betterer.ts @grafana/grafana-frontend-platform

@@ -642,14 +652,14 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Core datasources
 /public/app/plugins/datasource/dashboard/ @grafana/dashboards-squad
 /public/app/plugins/datasource/cloudwatch/ @grafana/aws-datasources
-/public/app/plugins/datasource/elasticsearch/ @grafana/partner-datasources
+/public/app/plugins/datasource/elasticsearch/ @grafana/aws-datasources
 /public/app/plugins/datasource/grafana/ @grafana/grafana-frontend-platform
 /public/app/plugins/datasource/grafana-testdata-datasource/ @grafana/plugins-platform-frontend
 /public/app/plugins/datasource/azuremonitor/ @grafana/partner-datasources
 /public/app/plugins/datasource/graphite/ @grafana/partner-datasources
 /public/app/plugins/datasource/influxdb/ @grafana/partner-datasources
 /public/app/plugins/datasource/jaeger/ @grafana/oss-big-tent
-/public/app/plugins/datasource/loki/ @grafana/oss-big-tent @grafana/observability-logs
+/public/app/plugins/datasource/loki/ @grafana/observability-logs
 /public/app/plugins/datasource/mixed/ @grafana/dashboards-squad
 /public/app/plugins/datasource/mssql/ @grafana/partner-datasources
 /public/app/plugins/datasource/mysql/ @grafana/oss-big-tent
@@ -666,23 +676,13 @@ playwright.config.ts @grafana/plugins-platform-frontend
 # Grafana Sharing Squad
 /public/app/features/dashboard-scene/sharing/ @grafana/sharing-squad
 /public/app/features/dashboard/components/ShareModal/ @grafana/sharing-squad
+/public/app/features/manage-dashboards/components/PublicDashboardListTable/ @grafana/sharing-squad
+/public/app/features/dashboard/containers/PublicDashboardPage.tsx @grafana/sharing-squad
 /public/app/features/manage-dashboards/components/SnapshotListTable.tsx @grafana/sharing-squad
+/pkg/api/render.go @grafana/sharing-squad
 /pkg/services/dashboardsnapshots/ @grafana/sharing-squad
-/public/app/features/explore/QueryLibrary/ @grafana/sharing-squad
-/public/app/features/library-panels/ @grafana/sharing-squad
-/public/app/features/invites/ @grafana/sharing-squad
-
-# Grafana Enterprise: Public Dashboards & Image Renderer
-/pkg/api/render.go @grafana/grafana-operator-experience-squad
-/pkg/services/publicdashboards/ @grafana/grafana-operator-experience-squad
-/pkg/services/rendering/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/containers/PublicDashboardPage* @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/PublicDashboard/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/PublicDashboardNotAvailable/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard/components/ShareModal/SharePublicDashboard/ @grafana/grafana-operator-experience-squad
-/public/app/features/dashboard-scene/sharing/public-dashboards/ @grafana/grafana-operator-experience-squad
-/public/app/features/manage-dashboards/components/PublicDashboardListTable/ @grafana/grafana-operator-experience-squad
-/public/app/features/manage-dashboards/PublicDashboardListPage.tsx* @grafana/grafana-operator-experience-squad
+/pkg/services/publicdashboards/ @grafana/sharing-squad
+/pkg/services/rendering/ @grafana/sharing-squad

 # SSE - Server Side Expressions
 /pkg/expr/ @grafana/grafana-datasources-core-services
@@ -700,6 +700,7 @@ playwright.config.ts @grafana/plugins-platform-frontend
 /pkg/services/signingkeys/ @grafana/identity-squad
 /pkg/services/dashboards/accesscontrol.go @grafana/access-squad
 /pkg/services/datasources/guardian/ @grafana/access-squad
+/pkg/services/guardian/ @grafana/access-squad
 /pkg/services/ldap/ @grafana/identity-squad
 /pkg/services/login/ @grafana/identity-squad
 /pkg/services/loginattempt/ @grafana/identity-squad
@@ -732,7 +733,7 @@ embed.go @grafana/grafana-as-code
 /pkg/kinds/ @grafana/grafana-as-code
 /pkg/registry/ @grafana/grafana-as-code
 /pkg/registry/apis/ @grafana/grafana-app-platform-squad
-/pkg/registry/apis/folders @grafana/grafana-search-and-storage
+/pkg/registry/apis/alerting @grafana/grafana-app-platform-squad @grafana/alerting-backend
 /pkg/registry/apis/query @grafana/grafana-datasources-core-services
 /pkg/registry/apis/secret @grafana/grafana-operator-experience-squad
 /pkg/registry/apis/userstorage @grafana/grafana-app-platform-squad @grafana/plugins-platform-backend
@@ -752,16 +753,13 @@ embed.go @grafana/grafana-as-code
 /.github/commands.json @torkelo
 /.github/dependabot.yml @grafana/frontend-ops
 /.github/issue-opened.json @grafana/grafana-community-support
+/.github/metrics-collector.json @torkelo
 /.github/pr-checks.json @tolzhabayev
 /.github/pr-commands.json @tolzhabayev
 /.github/renovate.json5 @grafana/frontend-ops
-/.github/actions/check-jobs/action.yml @grafana/grafana-frontend-platform
 /.github/actions/setup-enterprise/action.yml @grafana/grafana-backend-group
+/.github/actions/test-coverage-processor/action.yml @grafana/grafana-backend-group
 /.github/actions/setup-grafana-bench/ @Proximyst
-/.github/actions/build-package @grafana/grafana-developer-enablement-squad
-/.github/actions/change-detection @grafana/grafana-developer-enablement-squad
-/.github/workflows/actionlint-format.txt @grafana/grafana-developer-enablement-squad
-/.github/workflows/actionlint.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/add-to-whats-new.yml @grafana/docs-tooling
 /.github/workflows/auto-triager/ @grafana/plugins-platform-frontend
 /.github/workflows/alerting-swagger-gen.yml @grafana/alerting-backend
@@ -769,8 +767,7 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/auto-milestone.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/backend-code-checks.yml @grafana/grafana-backend-group
 /.github/workflows/backend-unit-tests.yml @grafana/grafana-backend-group
-/.github/workflows/backport-trigger.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/backport-workflow.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/backport.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/bump-version.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-pr.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/release-comms.yml @grafana/grafana-developer-enablement-squad
@@ -788,22 +785,20 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/github-release.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/issue-opened.yml @grafana/grafana-community-support
 /.github/workflows/lint-build-docs.yml @grafana/docs-tooling
+/.github/workflows/metrics-collector.yml @torkelo
 /.github/workflows/pr-checks.yml @tolzhabayev
 /.github/workflows/pr-codeql-analysis-javascript.yml @DanCech
 /.github/workflows/pr-codeql-analysis-python.yml @DanCech
 /.github/workflows/pr-commands.yml @tolzhabayev
-/.github/workflows/pr-external-labelling.yml @Proximyst
 /.github/workflows/pr-patch-check-event.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/pr-patch-check.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/pr-test-integration.yml @grafana/grafana-backend-group
-/.github/workflows/reject-gh-secrets.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/pr-backend-coverage.yml @grafana/grafana-backend-group
 /.github/workflows/sync-mirror-event.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/publish-technical-documentation-next.yml @grafana/docs-tooling
 /.github/workflows/publish-technical-documentation-release.yml @grafana/docs-tooling
 /.github/workflows/scripts/json-file-to-job-output.js @grafana/plugins-platform-frontend
 /.github/workflows/stale.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/storybook-verification.yml @grafana/grafana-frontend-platform
-/.github/workflows/storybook-verification-playwright.yml @grafana/grafana-frontend-platform
 /.github/workflows/update-make-docs.yml @grafana/docs-tooling
 /.github/workflows/scripts/kinds/verify-kinds.go @grafana/platform-monitoring
 /.github/workflows/scripts/create-security-branch/create-security-branch.sh @grafana/grafana-developer-enablement-squad
@@ -812,38 +807,29 @@ embed.go @grafana/grafana-as-code
 /.github/workflows/verify-kinds.yml @grafana/platform-monitoring
 /.github/workflows/dashboards-issue-add-label.yml @grafana/dashboards-squad
 /.github/workflows/run-schema-v2-e2e.yml  @grafana/dashboards-squad
-/.github/workflows/e2e-dashboard-new-layouts.yml  @grafana/dashboards-squad
 /.github/workflows/run-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
 /.github/workflows/trigger-dashboard-search-e2e.yml  @grafana/grafana-search-and-storage
-/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-operator-experience-squad
+/.github/workflows/ephemeral-instances-pr-comment.yml @grafana/grafana-backend-services-squad
 /.github/workflows/create-security-patch-from-security-mirror.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/core-plugins-build-and-release.yml @grafana/plugins-platform-frontend @grafana/plugins-platform-backend
 /.github/workflows/i18n-crowdin-upload.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-download.yml @grafana/grafana-frontend-platform
 /.github/workflows/i18n-crowdin-create-tasks.yml @grafana/grafana-frontend-platform
-/.github/workflows/i18n-verify.yml @grafana/grafana-frontend-platform
-/.github/workflows/deploy-storybook-preview.yml @grafana/grafana-frontend-platform
-/.github/workflows/scripts/crowdin/create-tasks.ts @grafana/grafana-frontend-platform
+/.github/workflows/scripts/crowdin/create-tasks.js @grafana/grafana-frontend-platform
 /.github/workflows/pr-go-workspace-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-dependabot-update-go-workspace.yml @grafana/grafana-app-platform-squad
 /.github/workflows/pr-k8s-codegen-check.yml @grafana/grafana-app-platform-squad
 /.github/workflows/go-lint.yml @grafana/grafana-backend-services-squad
 /.github/workflows/trivy-scan.yml @grafana/grafana-backend-services-squad
-/.github/workflows/trufflehog.yml @Proximyst
 /.github/workflows/changelog.yml @zserge
-/.github/workflows/shellcheck.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/release-build.yml @grafana/grafana-developer-enablement-squad
-/.github/workflows/publish-artifact.yml @grafana/grafana-developer-enablement-squad
 /.github/actions/changelog @zserge
-/.github/workflows/swagger-gen.yml @grafana/grafana-backend-group
 /.github/workflows/pr-frontend-unit-tests.yml @grafana/grafana-frontend-platform
 /.github/workflows/frontend-lint.yml @grafana/grafana-frontend-platform
 /.github/workflows/analytics-events-report.yml @grafana/grafana-frontend-platform
 /.github/workflows/pr-e2e-tests.yml @grafana/grafana-developer-enablement-squad
+/.github/workflows/run-e2e-suite.yml @grafana/grafana-developer-enablement-squad
 /.github/workflows/skye-add-to-project.yml @grafana/grafana-frontend-platform
 /.github/zizmor.yml @grafana/grafana-developer-enablement-squad
-/.github/license_finder.yaml @bergquist
-/.github/actionlint.yaml @grafana/grafana-developer-enablement-squad

 # Generated files not requiring owner approval
 /packages/grafana-data/src/types/featureToggles.gen.ts @grafanabot
@@ -863,6 +849,3 @@ embed.go @grafana/grafana-as-code
 /conf/provisioning/datasources/ @grafana/plugins-platform-backend
 /conf/provisioning/plugins/ @grafana/plugins-platform-backend
 /conf/provisioning/sample/ @grafana/grafana-git-ui-sync-team
-
-# Security
-/.github/workflows/relyance-scan.yml @grafana/security-team
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,8 +0,0 @@
-# These are just aliases to github-hosted runners
-self-hosted-runner:
-  labels:
-    - github-hosted-ubuntu-arm64
-    - github-hosted-ubuntu-arm64-large
-    - github-hosted-ubuntu-x64-small
-    - github-hosted-ubuntu-x64-large
-    - github-hosted-windows-x64-large
--- a/.github/actions/build-package/action.yml
+++ b/.github/actions/build-package/action.yml
@@ -1,153 +0,0 @@
-name: Build and Package Grafana Enterprise / Pro
-description: Creates Grafana artifacts using Dagger & `pkg/build/daggerbuild`
-inputs:
-  artifacts:
-    description: |
-      Comma-delimited list of artifacts to build and package.
-      Artifacts follow a specific format of `{package-type}:{grafana-edition}:{architecture}`.
-      Not every combination of `package-type`, `grafana-edition`, and `architecture` are supported.
-      Examples:
-        * `grafana:linux/amd64:targz`, `grafana:linux/amd64:deb`
-        * `enterprise:linux/arm64:rpm, enterprise:linux/amd64:docker`
-        * `pro:docker:llinux/amd64`
-    required: true
-    type: string
-  grafana-path:
-    description: Path to a clone of the 'grafana' repo
-    default: grafana
-    type: string
-  grafana-enterprise-path:
-    description: Path to a clone of the 'grafana-enterprise' repo
-    default: grafana-enterprise
-    type: string
-  github-token:
-    type: string
-    required: true
-  version:
-    type: string
-    description: The version to embed in the grafana binary, example `v1.2.3`. If not provided, then the value in Grafana's package.json will be used
-    required: true
-  build-id:
-    type: string
-    description: an identifier number which can be traced back to the workflow run.
-    default: ${{github.run_id}}
-    required: false
-  patches-repo:
-    type: string
-    description: Repository to load for patches repo. If empty, patches won't be applied. Must be an HTTPS git URL.
-    required: false
-    default: ""
-  patches-ref:
-    type: string
-    description: git ref in the patches repo to check out.
-    required: false
-    default: main
-  patches-path:
-    type: string
-    description: Path in the repository where `.patch` files can be found.
-    required: false
-    default: main
-  checksum:
-    type: boolean
-    description: If true, then checksums will be produced for each file (with a '.sha256' extension)
-    required: false
-    default: false
-  verify:
-    type: boolean
-    description: If true, then the e2e smoke tests will run to verify the produced artifacts (--verify)
-    required: false
-    default: false
-  output:
-    type: string
-    description: Filename to redirect stdout to. Contains list of packages that were produced
-    default: packages.txt
-    required: false
-  docker-tag-format:
-    type: string
-    default: "{{ .version }}-{{ .arch }}"
-    description: Go template of Docker image tag
-    required: false
-  docker-tag-format-ubuntu:
-    type: string
-    default: "{{ .version }}-ubuntu-{{ .arch }}"
-    description: Go template of Docker image tag
-    required: false
-  docker-org:
-    type: string
-    description: Docker org of produced images
-    default: grafana
-    required: false
-  docker-registry:
-    type: string
-    description: Docker registry of produced images
-    default: docker.io
-    required: false
-  ubuntu-base:
-    type: string
-    default: 'ubuntu:22.04'
-    required: false
-  alpine-base:
-    type: string
-    default: 'alpine:3.22'
-    required: false
-outputs:
-  dist-dir:
-    description: Directory where artifacts are placed
-    value: ${{ steps.output.outputs.dist_dir }}
-  file:
-    description: Path to file containing list of artifacts produced
-    value: ${{ steps.output.outputs.file }}
-  grafana-commit:
-    description: Commit hash of the HEAD of the grafana repository used to build grafana.
-    value: ${{ steps.output.outputs.grafana_commit }}
-  enterprise-commit:
-    description: Commit hash of the HEAD of the grafana-enterprise repository used to build grafana.
-    value: ${{ steps.output.outputs.enterprise_commit }}
-  version:
-    description: The `grafana` version that was embedded in the binary
-    value: ${{ steps.output.outputs.version }}
-runs:
-  using: "composite"
-  steps:
-    - shell: bash
-      run: | # zizmor: ignore[github-env]
-        echo "GRAFANA_PATH=${{ github.workspace }}/${GRAFANA_DIR}" >> "$GITHUB_ENV"
-        echo "ENTERPRISE_PATH=${{ github.workspace }}/${ENTERPRISE_DIR}" >> "$GITHUB_ENV"
-      env:
-        GB_PATH: ${{ inputs.path }}
-        GRAFANA_DIR: ${{ inputs.grafana-path }}
-        ENTERPRISE_DIR: ${{ inputs.enterprise-path }}
-    - name: Build Grafana Enterprise packages
-      uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-      env:
-        VERSION: ${{ inputs.version }}
-        ARTIFACTS: ${{ inputs.artifacts }}
-        GITHUB_TOKEN: ${{ inputs.github-token }}
-        PATCHES_REPO: ${{ inputs.patches-repo }}
-        PATCHES_REF: ${{ inputs.patches-ref }}
-        PATCHES_PATH: ${{ inputs.patches-path }}
-        BUILD_ID: ${{ inputs.build-id }}
-        OUTFILE: ${{ inputs.output }}
-        DOCKER_ORG: ${{ inputs.docker-org }}
-        DOCKER_REGISTRY: ${{ inputs.docker-registry }}
-        TAG_FORMAT: ${{ inputs.docker-tag-format }}
-        UBUNTU_TAG_FORMAT: ${{ inputs.docker-tag-format-ubuntu }}
-        CHECKSUM: ${{ inputs.checksum }}
-        VERIFY: ${{ inputs.verify }}
-        ALPINE_BASE: ${{ inputs.alpine-base }}
-        UBUNTU_BASE: ${{ inputs.ubuntu-base }}
-      with:
-        verb: run
-        dagger-flags: --verbose=0
-        version: 0.18.8
-        args: go run -C ${GRAFANA_PATH} ./pkg/build/cmd artifacts --artifacts ${ARTIFACTS} --grafana-dir=${GRAFANA_PATH} --alpine-base=${ALPINE_BASE} --ubuntu-base=${UBUNTU_BASE} --enterprise-dir=${ENTERPRISE_PATH} --version=${VERSION} --patches-repo=${PATCHES_REPO} --patches-ref=${PATCHES_REF} --patches-path=${PATCHES_PATH} --build-id=${BUILD_ID} --tag-format="${TAG_FORMAT}" --ubuntu-tag-format="${UBUNTU_TAG_FORMAT}" --org=${DOCKER_ORG} --registry=${DOCKER_REGISTRY} --checksum=${CHECKSUM} --verify=${VERIFY} > $OUTFILE
-    - id: output
-      shell: bash
-      env:
-        OUTFILE: ${{ inputs.output }}
-      run: |
-        echo "dist_dir=dist" | tee -a $GITHUB_OUTPUT
-        echo "file=${OUTFILE}" | tee -a $GITHUB_OUTPUT
-        echo "grafana_commit=$(git -C ${GRAFANA_PATH} rev-parse HEAD)" | tee -a $GITHUB_OUTPUT
-        echo "enterprise_commit=$(git -C ${ENTERPRISE_PATH} rev-parse HEAD)" | tee -a $GITHUB_OUTPUT
-        echo "version=$(cat ${GRAFANA_BUILD_PATH}/dist/VERSION)" | tee -a $GITHUB_OUTPUT
--- a/.github/actions/change-detection/action.yml
+++ b/.github/actions/change-detection/action.yml
@@ -1,141 +0,0 @@
-name: Detect changed files
-description: Detects whether any matching files have changed in the current PR
-inputs:
-  self:
-    description: The path to the calling workflow (e.g. .github/workflows/backend-unit-tests.yml). It is regarded as any category.
-    required: true
-outputs:
-  self:
-    description: Whether the calling workflow has changed in any way
-    value: ${{ steps.changed-files.outputs.self_any_changed || 'true' }}
-  backend:
-    description: Whether the backend or self have changed in any way
-    value: ${{ steps.changed-files.outputs.backend_any_changed || 'true' }}
-  frontend:
-    description: Whether the frontend or self has changed in any way
-    value: ${{ steps.changed-files.outputs.frontend_any_changed || 'true' }}
-  e2e:
-    description: Whether the e2e tests or self have changed in any way
-    value: ${{ steps.changed-files.outputs.e2e_any_changed == 'true' ||
-      steps.changed-files.outputs.backend_any_changed == 'true' ||
-      steps.changed-files.outputs.frontend_any_changed == 'true' || 'true' }}
-  dev-tooling:
-    description: Whether the dev tooling or self have changed in any way
-    value: ${{ steps.changed-files.outputs.dev_tooling_any_changed || 'true' }}
-  docs:
-    description: Whether the docs or self have changed in any way
-    value: ${{ steps.changed-files.outputs.docs_any_changed || 'true' }}
-runs:
-  using: composite
-  steps:
-    # Assumption: We've done a checkout with the actions/checkout action.
-    # It must persist credentials to allow the changed-files action to get more history.
-    - name: Detect changes
-      id: changed-files
-      if: github.event_name == 'pull_request'
-      uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46
-      with:
-        files_yaml: |
-          self:
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-          backend:
-            - '!*.md'
-            - '!docs/**'
-            - '!.github/**'
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - '**/go.mod'
-            - '**/go.sum'
-            - '**.go'
-            - 'pkg/**'
-            - '!pkg/**.md'
-            - 'apps/**'
-            - '!apps/**.md'
-            - 'build.sh'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - 'devenv/docker/blocks/*_tests/**'
-            - 'kindsv2/**'
-            - '${{ inputs.self }}'
-          frontend:
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - 'public/**'
-            - '**.js'
-            - '**.jsx'
-            - '**.ts'
-            - '**.tsx'
-            - '**.css'
-            - '**.mjs'
-            - 'yarn.lock'
-            - 'package.json'
-            - '!**.md'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - '.prettier*'
-            - '.betterer*'
-            - '.yarnrc.yml'
-            - 'eslint.config.js'
-            - 'jest.config.js'
-            - 'nx.json'
-            - 'tsconfig.json'
-            - '.yarn/**'
-            - '${{ inputs.self }}'
-          e2e:
-            - 'e2e/**'
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - 'emails/**'
-            - 'pkg/**'
-            - 'proto/**'
-            - '**/Makefile'
-            - 'scripts/**'
-            - '!scripts/drone/**'
-            - '!**.md'
-            - '.github/actions/change-detection/**'
-            - '**.cue'
-            - 'conf/**'
-            - 'cypress.config.js'
-            - '${{ inputs.self }}'
-          dev_tooling:
-            - '.github/actions/setup-enterprise/**'
-            - '.github/actions/checkout/**'
-            - '**.sh'
-            - '.trivyignore'
-            - '.prettierrc.js'
-            - '**/Makefile'
-            - 'proto/**.yaml'
-            - 'pkg/build/**'
-            - 'pkg/wire/**'
-            - 'scripts/**'
-            - '!**.md'
-            - '.citools/**'
-            - '.bingo/**'
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-          docs:
-            - 'contribute/**'
-            - 'docs/**'
-            - '**.md'
-            - 'LICENSE'
-            - '.vale.ini'
-            - '.github/actions/change-detection/**'
-            - '${{ inputs.self }}'
-    - name: Print all change groups
-      shell: bash
-      run: |
-        echo "Self: ${{ steps.changed-files.outputs.self_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.self_all_changed_files }}"
-        echo "Backend: ${{ steps.changed-files.outputs.backend_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.backend_all_changed_files }}"
-        echo "Frontend: ${{ steps.changed-files.outputs.frontend_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.frontend_all_changed_files }}"
-        echo "E2E: ${{ steps.changed-files.outputs.e2e_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.e2e_all_changed_files }}"
-        echo " --> ${{ steps.changed-files.outputs.backend_all_changed_files }}"
-        echo " --> ${{ steps.changed-files.outputs.frontend_all_changed_files }}"
-        echo "Dev Tooling: ${{ steps.changed-files.outputs.dev_tooling_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.dev_tooling_all_changed_files }}"
-        echo "Docs: ${{ steps.changed-files.outputs.docs_any_changed || 'true' }}"
-        echo " --> ${{ steps.changed-files.outputs.docs_all_changed_files }}"
--- a/.github/actions/changelog/index.js
+++ b/.github/actions/changelog/index.js
@@ -1,7 +1,6 @@
-import {appendFileSync, writeFileSync} from 'fs';
-import {exec as execCallback} from 'node:child_process';
-import {promisify} from 'node:util';
-import {findPreviousVersion, semverParse} from "./semver.js";
+import { appendFileSync, writeFileSync } from 'fs';
+import { exec as execCallback } from 'node:child_process';
+import { promisify } from 'node:util';

 //
 // Github Action core utils: logging (notice + debug log levels), must escape
@@ -10,6 +9,35 @@ import {findPreviousVersion, semverParse} from "./semver.js";
 const escapeData = (s) => s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
 const LOG = (msg) => console.log(`::notice::${escapeData(msg)}`);

+//
+// Semver utils: parse, compare, sort etc (using official regexp)
+// https://regex101.com/r/Ly7O1x/3/
+//
+const semverRegExp =
+  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
+
+const semverParse = (tag) => {
+  const m = tag.match(semverRegExp);
+  if (!m) {
+    return;
+  }
+  const [_, major, minor, patch, prerelease] = m;
+  return [+major, +minor, +patch, prerelease, tag];
+};
+
+// semverCompare takes two parsed semver tags and comparest them more or less
+// according to the semver specs
+const semverCompare = (a, b) => {
+  for (let i = 0; i < 3; i++) {
+    if (a[i] !== b[i]) {
+      return a[i] < b[i] ? 1 : -1;
+    }
+  }
+  if (a[3] !== b[3]) {
+    return a[3] < b[3] ? 1 : -1;
+  }
+  return 0;
+};

 // Using `git tag -l` output find the tag (version) that goes semantically
 // right before the given version. This might not work correctly with some
@@ -17,32 +45,29 @@ const LOG = (msg) => console.log(`::notice::${escapeData(msg)}`);
 // into this action explicitly to avoid this step.
 const getPreviousVersion = async (version) => {
  const exec = promisify(execCallback);
-  const {stdout} = await exec('git for-each-ref --sort=-creatordate --format \'%(refname:short)\' refs/tags');
-
-  const parsedTags = stdout
+  const { stdout } = await exec('git tag -l');
+  const prev = stdout
    .split('\n')
    .map(semverParse)
-    .filter(Boolean);
-
-  const parsedVersion = semverParse(version);
-  const prev = findPreviousVersion(parsedTags, parsedVersion);
+    .filter((tag) => tag)
+    .sort(semverCompare)
+    .find((tag) => semverCompare(tag, semverParse(version)) > 0);
  if (!prev) {
    throw `Could not find previous git tag for ${version}`;
  }
-  return prev[5];
+  return prev[4];
 };

-
 // A helper for Github GraphQL API endpoint
 const graphql = async (ghtoken, query, variables) => {
-  const {env} = process;
+  const { env } = process;
  const results = await fetch('https://api.github.com/graphql', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      Authorization: `Bearer ${ghtoken}`,
    },
-    body: JSON.stringify({query, variables}),
+    body: JSON.stringify({ query, variables }),
  });

  const res = await results.json();
@@ -75,7 +100,7 @@ const getCommitishDate = async (name, owner, target) => {
        }
      }
    `,
-    {name, owner, target}
+    { name, owner, target }
  );
  return result.repository.object.committedDate;
 };
@@ -135,7 +160,7 @@ const getHistory = async (name, owner, from, to) => {

  let cursor;
  let nodes = [];
-  for (; ;) {
+  for (;;) {
    const result = await graphql(ghtoken, query, {
      name,
      owner,
@@ -145,7 +170,7 @@ const getHistory = async (name, owner, from, to) => {
    });
    LOG(`GraphQL: ${JSON.stringify(result)}`);
    nodes = [...nodes, ...result.repository.ref.compare.commits.nodes];
-    const {hasNextPage, endCursor} = result.repository.ref.compare.commits.pageInfo;
+    const { hasNextPage, endCursor } = result.repository.ref.compare.commits.pageInfo;
    if (!hasNextPage) {
      break;
    }
@@ -161,7 +186,7 @@ const getHistory = async (name, owner, from, to) => {
 // PR grouping relies on Github labels only, not on the PR contents.
 const getChangeLogItems = async (name, owner, from, to) => {
  // check if a node contains a certain label
-  const hasLabel = ({labels}, label) => labels.nodes.some(({name}) => name === label);
+  const hasLabel = ({ labels }, label) => labels.nodes.some(({ name }) => name === label);
  // get all the PRs between the two "commitish" items
  const history = await getHistory(name, owner, from, to);

@@ -172,17 +197,17 @@ const getChangeLogItems = async (name, owner, from, to) => {
      return [];
    }
    const item = changes[0];
-    const {number, url, labels} = item;
+    const { number, url, labels } = item;
    const title = item.title.replace(/^\[[^\]]+\]:?\s*/, '');
    // for changelog PRs try to find a suitable category.
    // Note that we can not detect "deprecation notices" like that
    // as there is no suitable label yet.
-    const isBug = /fix/i.test(title) || hasLabel({labels}, 'type/bug');
-    const isBreaking = hasLabel({labels}, 'breaking change');
+    const isBug = /fix/i.test(title) || hasLabel({ labels }, 'type/bug');
+    const isBreaking = hasLabel({ labels }, 'breaking change');
    const isPlugin =
-      hasLabel({labels}, 'area/grafana/ui') ||
-      hasLabel({labels}, 'area/grafana/toolkit') ||
-      hasLabel({labels}, 'area/grafana/runtime');
+      hasLabel({ labels }, 'area/grafana/ui') ||
+      hasLabel({ labels }, 'area/grafana/toolkit') ||
+      hasLabel({ labels }, 'area/grafana/runtime');
    const author = item.commits.nodes[0].commit.author.user?.login;
    return {
      repo: name,
@@ -202,7 +227,7 @@ const getChangeLogItems = async (name, owner, from, to) => {
 // ======================================================

 LOG(`Changelog action started`);
-console.log(process.argv);
+
 const ghtoken = process.env.GITHUB_TOKEN || process.env.INPUT_GITHUB_TOKEN;
 if (!ghtoken) {
  throw 'GITHUB_TOKEN is not set and "github_token" input is empty';
@@ -261,15 +286,15 @@ const markdown = (changelog) => {
      : `### ${title}

 ${items
-        .map(
-          (item) =>
-            `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
-              item.repo === 'grafana-enterprise'
-                ? '(Enterprise)'
-                : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
-            }`
-        )
-        .join('\n')}
+  .map(
+    (item) =>
+      `- ${item.title.replace(/^([^:]*:)/gm, '**$1**')} ${
+        item.repo === 'grafana-enterprise'
+          ? '(Enterprise)'
+          : `${pullRequestLink(item.number)}${item.author ? ', ' + userLink(item.author) : ''}`
+      }`
+  )
+  .join('\n')}
  `;

  // Render all present sections for the given changelog
--- a/.github/actions/changelog/semver.js
+++ b/.github/actions/changelog/semver.js
@@ -1,92 +0,0 @@
-//
-// Semver utils: parse, compare, sort etc (using official regexp)
-// https://regex101.com/r/Ly7O1x/3/
-//
-const semverRegExp =
-  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
-
-export function semverParse(tag) {
-  const m = tag.match(semverRegExp);
-  if (!m) {
-    return;
-  }
-  const [_, major, minor, patch, prerelease, build] = m;
-  return [+major, +minor, +patch, prerelease, build, tag];
-};
-
-// semverCompare takes two parsed semver tags and comparest them more or less
-// according to the semver specs
-export function semverCompare(a, b) {
-  for (let i = 0; i < 3; i++) {
-    if (a[i] !== b[i]) {
-      return a[i] < b[i] ? 1 : -1;
-    }
-  }
-  if (a[3] !== b[3]) {
-    return a[3] < b[3] ? 1 : -1;
-  }
-  return 0;
-};
-
-
-// Finds the highest version that is lower than the target version.
-//
-// This function relies on the following invariant: versions are sorted by the release date.
-// It will produce wrong result if invariant doesn't hold.
-export const findPreviousVersion = (versionByDate, target) => {
-  let prev = null;
-
-  for (let i = 0; i < versionByDate.length; i++) {
-    const version = versionByDate[i];
-
-    // version is greater than the target
-    if (semverCompare(target, version) > 0) {
-      continue;
-    }
-
-    // we came across the target version, all versions seen previously have greater release date.
-    if (semverCompare(target, version) === 0 && target[4] === version[4]) {
-      prev = null;
-      continue;
-    }
-
-    if (prev == null) {
-      prev = version;
-      continue;
-    }
-
-    if (semverCompare(prev, version) > 0) {
-      prev = version;
-    }
-  }
-
-  return prev;
-};
-
-
-const versionsByDate = [
-  "v10.4.19", "v12.0.1", "v11.6.2", "v11.5.5", "v11.4.5", "v11.3.7", "v11.2.10", "v12.0.0+security-01", "v11.2.9+security-01", "v11.3.6+security-01",
-  "v11.6.1+security-01", "v11.4.4+security-01", "v11.5.4+security-01", "v10.4.18+security-01", "v12.0.0", "v11.6.1",
-  "v11.5.4", "v11.4.4", "v11.3.6", "v11.2.9", "v10.4.18", "v11.6.0+security-01", "v11.5.3+security-01", "v11.4.3+security-01",
-  "v11.3.5+security-01", "v11.2.8+security-01", "v10.4.17+security-01", "v11.2.8", "v11.6.0", "v11.5.2", "v11.4.2",
-  "v11.3.4", "v11.2.7", "v11.1.12", "v11.0.11", "v10.4.16", "v11.5.1", "v11.5.0", "v11.3.3", "v11.1.11", "v11.2.6",
-  "v11.0.10", "v10.4.15", "v11.4.1", "v11.4.0", "v11.3.2", "v11.2.5", "v11.1.10", "v11.0.9", "v10.4.14", "v11.3.1",
-  "v11.2.4", "v11.1.9", "v11.0.8", "v10.4.13", "v11.0.2", "v10.4.6", "v10.3.8", "v10.2.9", "v11.1.0", "v11.0.1",
-  "v10.4.5", "v10.3.7", "v10.2.8", "v9.5.20", "v10.4.4", "v9.5.19", "v10.1.10", "v10.2.7", "v10.3.6", "v10.4.3",
-  "v11.0.0", "v10.4.2", "v11.0.0-preview", "v10.1.9", "v10.0.13", "v9.2.0", "v9.1.8",
-].map(semverParse);
-
-function test(version, expected) {
-  const v1 = semverParse(version);
-  const prev = findPreviousVersion(versionsByDate, v1);
-
-  const failureMessage = `FAIILED. Expected ${expected}, but was ${prev[5]}`;
-
-  console.log(`Test ${version}, ${prev[5] === expected ? 'PASSED' : failureMessage}`);
-}
-
-test("v11.5.4+security-01", "v11.5.4");
-test("v11.5.4", "v11.5.3+security-01");
-test("v12.0.0", "v11.6.1");
-test("v12.0.0+security-01", "v12.0.0");
-test("v11.0.0", "v11.0.0-preview");
--- a/.github/actions/check-jobs/action.yml
+++ b/.github/actions/check-jobs/action.yml
@@ -1,48 +0,0 @@
-name: Check jobs results
-description: Checks if any jobs have failed and exits with error if failures are found. Use to check the results of matrix test runs.
-inputs:
-  needs:
-    description: JSON string containing the needs context from the workflow
-    required: true
-  failure-message:
-    description: Custom message to display when failures are found
-    required: false
-    default: "One or more jobs have failed"
-  success-message:
-    description: Custom message to display when all jobs pass
-    required: false
-    default: "All jobs passed successfully"
-outputs:
-  any-failed:
-    description: Whether any jobs failed
-    value: ${{ steps.check-jobs.outputs.any-failed }}
-
-runs:
-  using: "composite"
-  steps:
-    - name: Check test suites
-      id: check-jobs
-      shell: bash
-      env:
-        NEEDS: ${{ inputs.needs }}
-        FAILURE_MSG: ${{ inputs.failure-message }}
-        SUCCESS_MSG: ${{ inputs.success-message }}
-      run: |
-        set -euo pipefail
-
-        # Print the needs context, debugging
-        echo "$NEEDS" | jq
-
-        # Extract failures
-        FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-
-        # Check if there are any failures
-        if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-          echo "❌ $FAILURE_MSG"
-          echo "Failed suites:"
-          echo "$FAILURES" | jq -r 'to_entries[] | "- \(.key): \(.value)"'
-          echo "any-failed=true" >> "$GITHUB_OUTPUT"
-          exit 1
-        fi
-
-        echo "✅ $SUCCESS_MSG"
--- a/.github/actions/setup-enterprise/action.yml
+++ b/.github/actions/setup-enterprise/action.yml
@@ -34,9 +34,9 @@ runs:
        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
      run: |
        git clone https://x-access-token:${GH_TOKEN}@github.com/grafana/grafana-enterprise.git ../grafana-enterprise;
-
+        
        cd ../grafana-enterprise
-
+        
        if git checkout ${GITHUB_HEAD_REF}; then
          echo "checked out ${GITHUB_HEAD_REF}"
        elif git checkout ${GITHUB_BASE_REF}; then
@@ -44,5 +44,5 @@ runs:
        else
          git checkout main
        fi
-
-        QUIET=1 ./build.sh
+        
+        ./build.sh
--- a/.github/actions/test-coverage-processor/action.yml
+++ b/.github/actions/test-coverage-processor/action.yml
@@ -0,0 +1,50 @@
+name: 'Go Coverage Processor'
+description: 'Process Go test coverage files and generate reports'
+
+inputs:
+  test-type:
+    description: 'Type of test (e.g., be-unit, be-integration)'
+    required: true
+    type: string
+  coverage-file:
+    description: 'Path to the Go coverage file (.cov)'
+    required: true
+    type: string
+  codecov-token:
+    description: 'Token for CodeCov (required for CodeCov reporting)'
+    required: false
+    default: ''
+  codecov-flag:
+    description: 'Flag to categorize the upload to CodeCov'
+    required: false
+    default: ''
+  codecov-name:
+    description: 'Custom name for the upload to CodeCov'
+    required: false
+    default: ''
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Process Go coverage output
+      shell: bash
+      env:
+        COVERAGE_FILE: ${{ inputs.coverage-file }}
+      run: |
+        # Ensure valid coverage file even if empty
+        if [ ! -s "$COVERAGE_FILE" ]; then
+          echo "Coverage file is empty, creating a minimal valid file"
+          echo "mode: set" > "$COVERAGE_FILE"
+        fi
+
+    - name: Report coverage to CodeCov
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5
+      if: inputs.codecov-token != ''
+      with:
+        files: ${{ inputs.coverage-file }}
+        flags: ${{ inputs.codecov-flag || inputs.test-type }}
+        name: ${{ inputs.codecov-name || inputs.test-type }}
+        slug: grafana/grafana
+        # This URL doesn't use the Google auth, but is much more locked down. As such, it requires OIDC or a CodeCov-provided token to do anything.
+        url: https://codecov-webhook.grafana-dev.net
+        token: ${{ inputs.codecov-token }}
--- a/.github/commands.json
+++ b/.github/commands.json
@@ -128,7 +128,7 @@
    "name": "datasource/Loki",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/457"
+      "url": "https://github.com/orgs/grafana/projects/203"
    }
  },
  {
@@ -160,7 +160,7 @@
    "name": "datasource/Elasticsearch",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/190"
+      "url": "https://github.com/orgs/grafana/projects/97"
    }
  },
  {
@@ -488,23 +488,7 @@
    "name": "area/transformations",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
-    }
-  },
-  {
-    "type": "label",
-    "name": "area/correlations",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
-    }
-  },
-  {
-    "type": "label",
-    "name": "area/expressions/sql",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/908"
+      "url": "https://github.com/orgs/grafana/projects/56"
    }
  },
  {
@@ -664,7 +648,7 @@
    "name": "area/frontend/library-panels",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/482"
+      "url": "https://github.com/orgs/grafana/projects/202"
    }
  },
  {
@@ -896,7 +880,7 @@
    "name": "area/dashboard/library-panel",
    "action": "addToProject",
    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/482"
+      "url": "https://github.com/orgs/grafana/projects/202"
    }
  },
  {
@@ -1210,13 +1194,5 @@
    "addToProject": {
      "url": "https://github.com/orgs/grafana/projects/699"
    }
-  },
-  {
-    "type": "label",
-    "name": "type/docs",
-    "action": "addToProject",
-    "addToProject": {
-      "url": "https://github.com/orgs/grafana/projects/69"
-    }
  }
 ]
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,7 +8,6 @@ updates:
    directories:
      - "/"
      - "/apps/playlist"
-      - "/apps/secret"
      - "/apps/investigations"
      - "/pkg/aggregator"
      - "/pkg/apimachinery"
--- a/.github/license_finder.yaml
+++ b/.github/license_finder.yaml
@@ -1,128 +0,0 @@
---
- - :permit
-  - MIT
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:11:50.696368005 Z
- - :permit
-  - Apache 2.0
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
- - :permit
-  - New BSD
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
- - :permit
-  - Simplified BSD
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
- - :permit
-  - Mozilla Public License 2.0
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 Z
- - :permit
-  - ISC
-  - :who: Carl Bergquist
-    :why: Compatible license
-    :versions: []
-    :when: 2021-03-25 11:12:09.344787957 
- - :license
-  - github.com/grafana/alerting
-  - GNU Affero GPL
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/advisor
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/alerting/notifications
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/dashboard
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/folder
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/investigations
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/apps/playlist
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/aggregator
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/apimachinery
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/apis/secret
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/apiserver
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/promlib
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
- - :license
-  - github.com/grafana/grafana/pkg/semconv
-  - unknown
-  - :who: Carl Bergquist
-    :why: repository is owned by Grafana Labs
-    :versions: []
-    :when: 2025-05-03 13:10:00.000000000 Z
--- a/.github/metrics-collector.json
+++ b/.github/metrics-collector.json
@@ -0,0 +1,32 @@
+{
+  "queries": [
+    {
+      "name": "type_bug",
+      "query": "label:\"type/bug\" is:issue is:open"
+    },
+    {
+      "name": "type_docs",
+      "query": "label:\"type/docs\" is:issue is:open"
+    },
+    {
+      "name": "needs_investigation",
+      "query": "label:\"needs investigation\" is:issue is:open"
+    },
+    {
+      "name": "needs_more_info",
+      "query": "label:\"needs more info\" is:issue is:open"
+    },
+    {
+      "name": "triage_needs_confirmation",
+      "query": "label:\"triage/needs-confirmation\" is:issue is:open"
+    },
+    {
+      "name": "unlabeled",
+      "query": "is:open is:issue no:label"
+    },
+    {
+      "name": "open_prs",
+      "query": "is:open is:pull-request"
+    }
+  ]
+}
--- a/.github/pr-commands.json
+++ b/.github/pr-commands.json
@@ -253,6 +253,38 @@
    "action": "updateLabel",
    "addLabel": "area/alerting"
  },
+  {
+    "type": "label",
+    "name": "area/alerting",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/52"
+    }
+  },
+  {
+    "type": "author",
+    "name": "pr/external",
+    "notMemberOf": {
+      "org": "grafana"
+    },
+    "ignoreList": [
+      "renovate[bot]",
+      "dependabot[bot]",
+      "grafana-delivery-bot[bot]",
+      "grafanabot",
+      "alerting-team[bot]"
+    ],
+    "action": "updateLabel",
+    "addLabel": "pr/external"
+  },
+  {
+    "type": "label",
+    "name": "type/docs",
+    "action": "addToProject",
+    "addToProject": {
+      "url": "https://github.com/orgs/grafana/projects/69"
+    }
+  },
  {
    "type": "changedfiles",
    "matches": [
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -2,15 +2,6 @@
  extends: ["config:recommended"],
  enabledManagers: ["npm"],
  ignoreDeps: [
-    // ignoring these until we can upgrade to react 19
-    // see epic here: https://github.com/grafana/grafana/issues/98813
-    '@types/react',
-    '@types/react-dom',
-    'eslint-plugin-react-hooks',
-    'react',
-    'react-dom',
-    'react-refresh',
-
    "@types/history", // this can be removed entirely when we upgrade history since v5 exposes types directly
    "history", // we should bump this together with react-router-dom (see https://github.com/grafana/grafana/issues/76744)
    "react-router", // we should bump this together with history and react-router-dom
--- a/.github/workflows/actionlint-format.txt
+++ b/.github/workflows/actionlint-format.txt
@@ -1,66 +0,0 @@
-{
-    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-    "version": "2.1.0",
-    "runs": [
-        {
-            "tool": {
-                "driver": {
-                    "name": "GitHub Actions lint",
-                    "version": {{ getVersion | json }},
-                    "informationUri": "https://github.com/rhysd/actionlint",
-                    "rules": [
-                        {{$first := true}}
-                        {{range $ := allKinds }}
-                            {{if $first}}{{$first = false}}{{else}},{{end}}
-                            {
-                                "id": {{json $.Name}},
-                                "name": {{$.Name | toPascalCase | json}},
-                                "defaultConfiguration": {
-                                    "level": "error"
-                                },
-                                "properties": {
-                                    "description": {{json $.Description}},
-                                    "queryURI": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
-                                },
-                                "fullDescription": {
-                                    "text": {{json $.Description}}
-                                },
-                                "helpUri": "https://github.com/rhysd/actionlint/blob/main/docs/checks.md"
-                            }
-                        {{end}}
-                    ]
-                }
-            },
-            "results": [
-                {{$first := true}}
-                {{range $ := .}}
-                    {{if $first}}{{$first = false}}{{else}},{{end}}
-                    {
-                        "ruleId": {{json $.Kind}},
-                        "message": {
-                            "text": {{json $.Message}}
-                        },
-                        "locations": [
-                            {
-                                "physicalLocation": {
-                                    "artifactLocation": {
-                                        "uri": {{json $.Filepath}},
-                                        "uriBaseId": "%SRCROOT%"
-                                    },
-                                    "region": {
-                                        "startLine": {{$.Line}},
-                                        "startColumn": {{$.Column}},
-                                        "endColumn": {{$.EndColumn}},
-                                        "snippet": {
-                                            "text": {{json $.Snippet}}
-                                        }
-                                    }
-                                }
-                            }
-                        ]
-                    }
-                {{end}}
-            ]
-        }
-    ]
-}
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -1,60 +0,0 @@
-# This workflow depends on the ./actionlint-format.txt file. It is MIT licensed (thanks, rhysd!): https://github.com/rhysd/actionlint/blob/2ab3a12c7848f6c15faca9a92612ef4261d0e370/testdata/format/sarif_template.txt
-name: Actionlint
-
-on:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}
-
-jobs:
-  run-actionlint:
-    name: Lint GitHub Actions files
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # to check out the code
-      actions: read # to read the workflow files
-      security-events: write # for uploading the SARIF report
-
-    env:
-      ACTIONLINT_VERSION: 1.7.7
-      # curl -LXGET https://github.com/rhysd/actionlint/releases/download/v${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION}_checksums.txt | grep linux_amd64
-      CHECKSUM: 023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      # GitHub Actions only runs x86_64. This will break if that assumption changes.
-      - name: Download Actionlint
-        run: |
-          set -euo pipefail
-          curl -OLXGET https://github.com/rhysd/actionlint/releases/download/v"${ACTIONLINT_VERSION}"/actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          echo "${CHECKSUM}  actionlint_${ACTIONLINT_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
-          tar xzf actionlint_"${ACTIONLINT_VERSION}"_linux_amd64.tar.gz
-          test -f actionlint
-          chmod +x actionlint
-
-      - name: Run Actionlint
-        run: ./actionlint -format "$(cat .github/workflows/actionlint-format.txt)" | tee results.sarif
-
-      - name: Upload to GitHub security events
-        if: success() || failure()
-        # If there are security problems, GitHub will automatically comment on the PR for us.
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
-        with:
-          sarif_file: results.sarif
-          category: actionlint
--- a/.github/workflows/alerting-update-module.yml
+++ b/.github/workflows/alerting-update-module.yml
@@ -37,7 +37,7 @@ jobs:
        id: current-commit
        run: |
          FROM_COMMIT=$(go list -m -json github.com/grafana/alerting | jq -r '.Version' | grep -oP '(?<=-)[a-f0-9]+$')
-          echo "from_commit=$FROM_COMMIT" >> "$GITHUB_OUTPUT"
+          echo "from_commit=$FROM_COMMIT" >> $GITHUB_OUTPUT

      - name: Get current branch name
        id: current-branch-name
@@ -47,14 +47,14 @@ jobs:
        id: latest-commit
        env:
          GH_TOKEN: ${{ github.token }}
-          BRANCH: ${{ steps.current-branch-name.outputs.name }}
        run: |
-          TO_COMMIT="$(gh api repos/grafana/alerting/commits/"$BRANCH" --jq '.sha')"
+          BRANCH="${{ steps.current-branch-name.outputs.name }}"
+          TO_COMMIT=$(gh api repos/grafana/alerting/commits/$BRANCH  --jq '.sha')
           if [ -z "$TO_COMMIT" ]; then
            echo "Branch $BRANCH not found in alerting repo, falling back to main branch"
            exit 1
          fi
-          echo "to_commit=$TO_COMMIT" >> "$GITHUB_OUTPUT"
+          echo "to_commit=$TO_COMMIT" >> $GITHUB_OUTPUT

      - name: Compare commit hashes
        run: |
@@ -74,31 +74,26 @@ jobs:
        id: check-commits
        env:
          GH_TOKEN: ${{ github.token }}
-          FROM_COMMIT: ${{ steps.current-commit.outputs.from_commit }}
-          TO_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
        run: |
-          # get all commits that contains 'Alerting:' in the message
-          ALERTING_COMMITS="$(gh api repos/grafana/alerting/compare/"$FROM_COMMIT"..."$TO_COMMIT" \
-            --jq '.commits[].commit.message | split("\n")[0]')" || true
-
+          # get all commits that contains 'Alerting:' in the message          
+          ALERTING_COMMITS=$(gh api repos/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }} \
+            --jq '.commits[].commit.message | split("\n")[0]') || true
+          
          # Use printf instead of echo -e for better multiline handling
          printf "%s\n" "$ALERTING_COMMITS"
-
+          
          # make the list for markdown and replace PR numbers with links
-          ALERTING_COMMITS_FORMATTED="$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)"
-
-          {
-            echo "alerting_commits<<EOF"
-            echo "$ALERTING_COMMITS_FORMATTED"
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
+          ALERTING_COMMITS_FORMATTED=$(echo "$ALERTING_COMMITS" | while read -r line; do echo "- $line" | sed -E 's/\(#([0-9]+)\)/[#\1](https:\/\/github.com\/grafana\/grafana\/pull\/\1)/g'; done)
+          
+          echo "alerting_commits<<EOF" >> $GITHUB_OUTPUT
+          echo "$ALERTING_COMMITS_FORMATTED" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT

      - name: Update alerting module
        env:
          GOSUMDB: off
-          PINNED_COMMIT: ${{ steps.latest-commit.outputs.to_commit }}
        run: |
-          go get github.com/grafana/alerting@"$PINNED_COMMIT"
+          go get github.com/grafana/alerting@${{ steps.latest-commit.outputs.to_commit }}
          make update-workspace

      - id: get-secrets
@@ -129,7 +124,7 @@ jobs:
            Compare changes: https://github.com/grafana/alerting/compare/${{ steps.current-commit.outputs.from_commit }}...${{ steps.latest-commit.outputs.to_commit }}
            <details>
            <summary>Commits</summary>
-
+            
            ${{ steps.check-commits.outputs.alerting_commits }}

            </details>
@@ -137,10 +132,6 @@ jobs:
            Created by: [GitHub Action Job](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
      - name: Add PR URL to Summary
        if: steps.create-pr.outputs.pull-request-url != ''
-        env:
-          PR_URL: ${{ steps.create-pr.outputs.pull-request-url }}
        run: |
-          {
-            echo "## Pull Request Created"
-            echo "🔗 [View Pull Request]($PR_URL)"
-          } >> "$GITHUB_STEP_SUMMARY"
+          echo "## Pull Request Created" >> $GITHUB_STEP_SUMMARY
+          echo "🔗 [View Pull Request](${{ steps.create-pr.outputs.pull-request-url }})" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/analytics-events-report.yml
+++ b/.github/workflows/analytics-events-report.yml
@@ -3,13 +3,9 @@ name: Analytics Events Report
 on:
  workflow_dispatch:

-permissions: {}
-
 jobs:
  generate-report:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
--- a/.github/workflows/backend-code-checks.yml
+++ b/.github/workflows/backend-code-checks.yml
@@ -9,7 +9,6 @@ on:
  push:
    branches:
      - main
-      - release-*.*.*
    paths-ignore:
      - '*.md'
      - 'docs/**'
--- a/.github/workflows/backend-unit-tests.yml
+++ b/.github/workflows/backend-unit-tests.yml
@@ -2,10 +2,16 @@ name: Backend Unit Tests

 on:
  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
  push:
    branches:
      - main
      - release-*.*.*
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -14,29 +20,10 @@ concurrency:
 permissions: {}

 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.backend }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/backend-unit-tests.yml
-
  grafana:
-    # Run this workflow only for PRs from forks
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`, 
    # the `pr-backend-unit-tests-enterprise` workflow will run instead
-    needs: detect-changes
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    strategy:
      matrix:
        shard: [
@@ -60,18 +47,18 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
+      - name: Generate Go code
+        run: make gen-go
      - name: Run unit tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
-          set -euo pipefail
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
          go test -short -timeout=30m "${PACKAGES[@]}"

  grafana-enterprise:
    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    needs: detect-changes
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    strategy:
      matrix:
        shard: [
@@ -86,7 +73,6 @@ jobs:
      contents: read
      id-token: write
    steps:
-      # Set up repository clone
      - name: Checkout code
        uses: actions/checkout@v4
        with:
@@ -99,48 +85,11 @@ jobs:
        uses: ./.github/actions/setup-enterprise
        with:
          github-app-name: 'grafana-ci-bot'
-
-      # Prepare what we need to upload test results
-      - run: echo "RESULTS_FILE=$(date --rfc-3339=seconds --utc | sed -s 's/ /-/g')_${SHARD/\//_}.xml" >> "$GITHUB_ENV"
-        env:
-          SHARD: ${{ matrix.shard }}
-      - run: go install github.com/jstemmer/go-junit-report/v2@85bf4716ac1f025f2925510a9f5e9f5bb347c009
-
-      # Run code
+      - name: Generate Go code
+        run: make gen-go
      - name: Run unit tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
-          set -euo pipefail
-
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/shard.sh -N"$SHARD")"
-          # This tee requires pipefail to be set, otherwise `go test`'s exit code is thrown away.
-          # That means having no `-o pipefail` => failing tests => exit code 0, which is wrong.
          go test -short -timeout=30m "${PACKAGES[@]}"
-
-  # This is the job that is actually required by rulesets.
-  # We need to require EITHER the OSS or the Enterprise job to pass.
-  # However, if one is skipped, GitHub won't flat-map the shards,
-  #   so they won't be accepted by a ruleset.
-  required-backend-unit-tests:
-    needs:
-      - grafana
-      - grafana-enterprise
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All backend unit tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"
--- a/.github/workflows/backport-trigger.yml
+++ b/.github/workflows/backport-trigger.yml
@@ -1,47 +0,0 @@
-# We need secrets to backport, but they're not available for actions ran by forks.
-# So this workflow is used as a 'trigger', which the backport-workflow.yml will with
-# via workflow_run
-
-name: Backport (trigger)
-on:
-  pull_request:
-    types:
-      - closed
-      - labeled
-
-permissions: {}
-
-jobs:
-  trigger:
-    # Only run this job if the PR has been merged and has a label containing "backport v"
-    if: |
-      github.repository == 'grafana/grafana' &&
-      github.event.pull_request.merged == true &&
-      contains(join(github.event.pull_request.labels.*.name, ','), 'backport v')
-    runs-on: ubuntu-latest
-    steps:
-      # TODO: save this as job summary instead?
-      - name: Trigger
-        run: |
-          echo "Triggering workflow"
-          echo "See https://github.com/${{ github.repository }}/actions/workflows/workflow_run.yml for progress"
-
-      # Create a JSON artifact with details of this PR to pass to the backport workflow.
-      # The { action: 'labelled', label: 'backport-1.23.x' } can only be determined from this event payload,
-      # and is needed to do a backport after a PR has been merged
-      #
-      # Important that we don't run *anything* from the PR which could modify the backport_data.json file
-      - name: Create action data
-        run: |
-          jq '{
-            action: .action,
-            label: .label.name,
-            pr_number: .number,
-          }' "$GITHUB_EVENT_PATH" > /tmp/pr_info.json
-
-      - name: Upload artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: pr_info
-          path: /tmp/pr_info.json
-          retention-days: 1
--- a/.github/workflows/backport-workflow.yml
+++ b/.github/workflows/backport-workflow.yml
@@ -1,88 +0,0 @@
-# Runs the actual backport, after being triggered by the backport-trigger.yml workflow.
-
-name: Backport (workflow)
-run-name: "Backport for ${{ github.event.workflow_run.head_branch }} #${{ github.event.workflow_run.run_number }}"
-on:
-  workflow_run: # zizmor: ignore[dangerous-triggers] backport-trigger.yml does not run any user code
-    workflows: ["Backport (trigger)"]
-    types:
-      - completed
-
-permissions: {}
-
-jobs:
-  backport:
-    # Only run this job if the triggering workflow was not skipped (and on grafana repo)
-    if: github.repository == 'grafana/grafana' && github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      actions: read
-    steps:
-      - name: Get vault secrets
-        id: secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          export_env: false
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            APP_PEM=delivery-bot-app:PRIVATE_KEY
-
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ fromJSON(steps.secrets.outputs.secrets).APP_PEM }}
-
-      - name: Download PR info artifact
-        uses: actions/download-artifact@v4
-        id: download-pr-info
-        with:
-          github-token: ${{ github.token }}
-          run-id: ${{ github.event.workflow_run.id }}
-          name: pr_info
-
-      - name: Get PR info
-        id: pr-info
-        env:
-          PR_INFO_FILE: ${{ steps.download-pr-info.outputs.download-path }}/pr_info.json
-        # jq-magic to convert the JSON object into a list of key=value pairs for $GITHUB_OUTPUT
-        run:
-          jq -r 'to_entries[] | select(.value | type != "object") | "\(.key)=\(.value)"' "$PR_INFO_FILE" >> "$GITHUB_OUTPUT"
-
-      - name: Print PR info
-        env:
-          PR_ACTION: ${{ steps.pr-info.outputs.action }}
-          PR_LABEL: ${{ steps.pr-info.outputs.label }}
-          PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
-        run: |
-          echo "PR action: $PR_ACTION"
-          echo "PR label: $PR_LABEL"
-          echo "PR number: $PR_NUMBER"
-
-      - name: Checkout Grafana
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-          fetch-depth: 2
-          fetch-tags: false
-          token: ${{ steps.generate_token.outputs.token }}
-          persist-credentials: true
-
-      - name: Configure git user
-        run: |
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "github-actions[bot]@users.noreply.github.com"
-          git config --local --add --bool push.autoSetupRemote true
-
-      - name: Run backport
-        uses: grafana/grafana-github-actions-go/backport@dev
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          # If triggered by being labelled, only backport that label.
-          # Otherwise, the action will backport all labels.
-          pr_label: ${{ steps.pr-info.outputs.action == 'labeled' && steps.pr-info.outputs.label || '' }}
-          pr_number: ${{ steps.pr-info.outputs.pr_number }}
-          repo_owner: ${{ github.repository_owner }}
-          repo_name: ${{ github.event.repository.name }}
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -0,0 +1,32 @@
+name: Backport PR Creator
+on:
+  pull_request_target:
+    types:
+      - closed
+      - labeled
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  main:
+    if: github.repository == 'grafana/grafana'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4 # 4.2.2
+        with:
+          persist-credentials: false
+      - run: git config --local user.name "github-actions[bot]"
+      - run: git config --local user.email "github-actions[bot]@users.noreply.github.com"
+      - run: git config --local --add --bool push.autoSetupRemote true
+      - name: Set remote URL
+        env:
+          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          git remote set-url origin "https://grafana-delivery-bot:$GIT_TOKEN@github.com/grafana/grafana.git"
+      - name: Run backport
+        uses: grafana/grafana-github-actions-go/backport@main # zizmor: ignore[unpinned-uses]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -13,29 +13,17 @@ on:
        required: false

 permissions:
-  id-token: write
-  contents: read
+  contents: write
+  pull-requests: write

 jobs:
  bump-version:
    runs-on: ubuntu-latest
    steps:
-      - uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana"]'
-          permissions: '{"contents": "write", "pull_requests": "write", "workflows": "write"}'
      - name: Checkout Grafana
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
-          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
      - name: Update package.json versions
        uses: ./pkg/build/actions/bump-version
        with:
@@ -47,13 +35,13 @@ jobs:
          DRY_RUN: ${{ inputs.dry_run }}
          REF_NAME: ${{ github.ref_name }}
          RUN_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          git config --local user.name "grafana-delivery-bot[bot]"
-          git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true
          git checkout -b "bump-version/${RUN_ID}/${VERSION}"
          git add .
          git commit -m "bump version ${VERSION}"
          git push
-          gh pr create --dry-run="$DRY_RUN" -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
+          gh pr create --dry-run=$DRY_RUN -l "type/ci" -l "no-changelog" -B "$REF_NAME" --title "Release: Bump version to ${VERSION}" --body "Updated version to ${VERSION}"
--- a/.github/workflows/changelog.yml
+++ b/.github/workflows/changelog.yml
@@ -22,10 +22,11 @@ on:
        required: false
        default: false
        type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true

  workflow_dispatch:
    inputs:
@@ -49,10 +50,6 @@ on:
        required: false
        default: false
        type: boolean
-      work_branch:
-        required: false
-        type: string
-        description: "Use specific branch for changelog"

 permissions: {}

@@ -70,32 +67,25 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
        with:
          ref: main
          sparse-checkout: |
            .github/workflows
-            .github/actions
            CHANGELOG.md
            .nvmrc
            .prettierignore
            .prettierrc.js
          fetch-depth: 0
          fetch-tags: true
+          persist-credentials: false
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
@@ -106,20 +96,7 @@ jobs:
          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true
      - name: "Create branch"
-        run: |
-          if [[ "$WORK_BRANCH" == '' ]]; then
-            git switch -c "changelog/${RUN_ID}/${VERSION}"
-            exit 0
-          fi
-
-          # Checkout the changelog branch if exists, otherwise create a new one
-          if git show-ref --verify --quiet "refs/remotes/origin/$WORK_BRANCH"; then
-            git switch --track "origin/$WORK_BRANCH"
-          else
-            git switch -c "$WORK_BRANCH"
-          fi
-        env:
-          WORK_BRANCH: ${{ inputs.work_branch }}
+        run: git checkout -b "changelog/${RUN_ID}/${VERSION}"
      - name: "Generate changelog"
        id: changelog
        uses: ./.github/actions/changelog
@@ -163,29 +140,16 @@ jobs:
      - name: "Commit changelog changes"
        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
      - name: "git push"
-        if: inputs.dry_run != true
+        if: ${{ inputs.dry_run }} != true
        run: git push
      - name: "Create changelog PR"
-        run: |
-          if gh pr view &>/dev/null; then
-            echo "Changelog pr has already been created"
-          else
-
-            gh pr create \
-              --dry-run="${DRY_RUN}" \
-              --label "no-backport" \
-              --label "no-changelog" \
-              -B "${TARGET}" \
-              --title "Release: update changelog for ${TARGET}" \
-              --body "Changelog changes for release versions:"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: "Add release version to PR description"
-        if: inputs.dry_run != true
-        run: |
-          gh pr view --json body --jq .body > pr_body.md
-          echo " -  ${VERSION}" >> pr_body.md
-          gh pr edit --body-file pr_body.md
+        run: >
+          gh pr create \
+            --dry-run=${DRY_RUN} \
+            --label "no-backport" \
+            --label "no-changelog" \
+            -B "${TARGET}" \
+            --title "Release: update changelog for ${VERSION}" \
+            --body "Changelog changes for release ${VERSION}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/codeowners-validator.yml
+++ b/.github/workflows/codeowners-validator.yml
@@ -2,15 +2,11 @@ name: "Codeowners Validator"

 on:
  pull_request:
-    branches: [ main, release-* ]
-
-permissions: {}
+    branches: [ main ]

 jobs:
  codeowners-validator:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
    steps:
      # Checks-out your repository, which is validated in the next step
      - uses: actions/checkout@v4
@@ -27,7 +23,7 @@ jobs:

          # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing"
          experimental_checks: "notowned,avoid-shadowing"
-
+          
          # The repository path in which CODEOWNERS file should be validated."
          repository_path: "."

@@ -41,4 +37,4 @@ jobs:
          owner_checker_allow_unowned_patterns: "false"

          # Specifies whether only teams are allowed as owners of files.
-          owner_checker_owners_must_be_teams: "false"
+          owner_checker_owners_must_be_teams: "false"          
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -33,9 +33,8 @@ jobs:
      fail-fast: false
      matrix:
        # Override automatic language detection by changing the below list
-        # Supported options are listed here
-        # https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#changing-the-languages-that-are-analyzed
-        language: ['actions', 'javascript', 'go']
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript', 'go', 'python']
        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -24,7 +24,7 @@ jobs:
        id: check
        shell: bash
        run: |
-          if [ "${{ github.repository }}" == "grafana/grafana" ]; then
+          if [ "${{ github.repository }}" == "grafana/grafana" ] && [ -n "${{ secrets.GRAFANA_MISC_STATS_API_KEY }}" ]; then
            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
          fi

@@ -42,15 +42,15 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem

-      - name: Generate token
+      - name: "Generate token"
        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}

      - name: Checkout Actions
        uses: actions/checkout@v4 # v4.2.2
@@ -65,6 +65,6 @@ jobs:
      - name: Run Commands
        uses: ./actions/commands
        with:
-          metricsWriteAPIKey: ""
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
          token: ${{ steps.generate_token.outputs.token }}
          configPath: commands
--- a/.github/workflows/community-release.yml
+++ b/.github/workflows/community-release.yml
@@ -11,6 +11,11 @@ on:
        required: false
        default: false
        description: When enabled, this workflow will print a preview instead of creating an actual post.
+    secrets:
+      GRAFANA_MISC_STATS_API_KEY:
+        required: true
+      GRAFANABOT_FORUM_KEY:
+        required: true
  workflow_dispatch:
    inputs:
      version:
@@ -25,25 +30,17 @@ on:

 permissions:
  contents: read
-  id-token: write

 jobs:
  main:
    runs-on: ubuntu-latest
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana/community_release path in Vault
-          repo_secrets: |
-            GRAFANABOT_FORUM_KEY=community_release:GRAFANABOT_FORUM_KEY
-
      - name: Run community-release (manually invoked)
-        uses: grafana/grafana-github-actions-go/community-release@main
+        uses: grafana/grafana-github-actions-go/community-release@main # zizmor: ignore[unpinned-uses]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
-          community_api_key: ${{ env.GRAFANABOT_FORUM_KEY }}
+          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+          community_api_key: ${{ secrets.GRAFANABOT_FORUM_KEY }}
          community_api_username: grafanabot
          dry_run: ${{ inputs.dry_run }}
--- a/.github/workflows/core-plugins-build-and-release.yml
+++ b/.github/workflows/core-plugins-build-and-release.yml
@@ -48,7 +48,7 @@ jobs:
          persist-credentials: false
      - name: Verify inputs
        run: |
-          if [ -z "$PLUGIN_ID" ]; then echo "Missing plugin ID"; exit 1; fi
+          if [ -z $PLUGIN_ID ]; then echo "Missing plugin ID"; exit 1; fi
      - id: get-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
        with:
@@ -72,13 +72,13 @@ jobs:
        shell: bash
        id: get_dir
        run: |
-          dir="$(dirname \
-            "$(grep -Elir --include=plugin.json --exclude-dir=dist \
-              '"id": "'"${PLUGIN_ID}"'"' \
+          dir=$(dirname \
+            $(egrep -lir --include=plugin.json --exclude-dir=dist \
+              '"id": "${PLUGIN_ID}"' \
              public/app/plugins \
-            )" \
-          )"
-          echo "dir=${dir}" >> "$GITHUB_OUTPUT"
+            ) \
+          )
+          echo "dir=${dir}" >> $GITHUB_OUTPUT
      - name: Install frontend dependencies
        shell: bash
        working-directory: ${{ steps.get_dir.outputs.dir }}
@@ -88,17 +88,17 @@ jobs:
        shell: sh
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
-          mkdir -pv ./bin
-          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v"$GRABPL_VERSION"/grabpl
+          [ ! -d ./bin ] && mkdir -pv ./bin || true
+          curl -fL -o ./bin/grabpl https://grafana-downloads.storage.googleapis.com/grafana-build-pipeline/v$GRABPL_VERSION/grabpl
          chmod 0755 ./bin/grabpl
      - name: Check backend
        id: check_backend
        shell: bash
        run: |
-          if grep -Eqr --include=main.go 'datasource.Manage\('"$PLUGIN_ID" pkg/tsdb; then
-            echo "has_backend=true" >> "$GITHUB_OUTPUT"
+          if egrep -qr --include=main.go 'datasource.Manage\("$PLUGIN_ID"' pkg/tsdb; then
+            echo "has_backend=true" >> $GITHUB_OUTPUT
          else
-            echo "has_backend=false" >> "$GITHUB_OUTPUT"
+            echo "has_backend=false" >> $GITHUB_OUTPUT
          fi
      - name: Setup golang environment
        uses: actions/setup-go@19bb51245e9c80abacb2e91cc42b33fa478b8639
@@ -149,8 +149,6 @@ jobs:
      - name: build:frontend
        shell: bash
        id: build_frontend
-        env:
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
        run: |
          command="plugin:build:commit"
          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
@@ -158,15 +156,15 @@ jobs:
            command="plugin:build"
          fi
          yarn $command --scope="@grafana-plugins/$PLUGIN_ID"
-          version="$(jq -r .info.version "$OUTPUT_DIR"/dist/plugin.json)"
-          echo "version=${version}" >> "$GITHUB_OUTPUT"
+          version=$(cat ${{ steps.get_dir.outputs.dir }}/dist/plugin.json | jq -r .info.version)
+          echo "version=${version}" >> $GITHUB_OUTPUT
      - name: build:backend
        if: steps.check_backend.outputs.has_backend == 'true'
        shell: bash
        env:
          VERSION: ${{ steps.build_frontend.outputs.version }}  
        run: |
-          make build-plugin-go PLUGIN_ID="$PLUGIN_ID"
+          make build-plugin-go PLUGIN_ID=$PLUGIN_ID
      - name: package
        working-directory: ${{ steps.get_dir.outputs.dir }}
        run: |
@@ -179,17 +177,16 @@ jobs:
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCOM_API: ${{ env.GCOM_API }}
        run: |
-          api_res="$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
-            "$GCOM_API/api/plugins/$PLUGIN_ID?version=$VERSION" \
-            -H 'accept: application/json')"
-          api_res_code="$(echo "$api_res" | jq -r .code)"
+          api_res=$(curl -X 'GET' -H "Authorization: Bearer $GCOM_TOKEN" \
+            '${{ env.GCOM_API}}/api/plugins/$PLUGIN_ID?version=$VERSION' \
+            -H 'accept: application/json')
+          api_res_code=$(echo $api_res | jq -r .code)
          if [ "$api_res_code" = "NotFound" ]; then
            echo "No existing release found"
          else
            echo "Expecting a missing release, got:"
-            echo "$api_res"
+            echo $api_res
            exit 1
          fi
      - name: store build artifacts
@@ -200,46 +197,55 @@ jobs:
      - name: Publish release to Google Cloud Storage
        working-directory: ${{ steps.get_dir.outputs.dir }}
        env:
-          VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
+          VERSION: ${{ steps.build_frontend.outputs.version }}  
        run: |
          echo "Publish release to Google Cloud Storage:"
-          set -x
          touch ci/packages/windows ci/packages/darwin ci/packages/linux ci/packages/any
-          gsutil -m cp -r ci/packages/*windows* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/windows"
-          gsutil -m cp -r ci/packages/*linux* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/linux"
-          gsutil -m cp -r ci/packages/*darwin* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/darwin"
-          gsutil -m cp -r ci/packages/*any* "gs://$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any"
+          gsutil -m cp -r ci/packages/*windows* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows
+          gsutil -m cp -r ci/packages/*linux* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux 
+          gsutil -m cp -r ci/packages/*darwin* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin
+          gsutil -m cp -r ci/packages/*any* gs://${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any
      - name: Publish new plugin version on grafana.com
        if: steps.check_backend.outputs.has_backend == 'true'
        working-directory: ${{ steps.get_dir.outputs.dir }}
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}  
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCOM_API: ${{ env.GCOM_API }}
        run: |
          echo "Publish new plugin version on grafana.com:"
          echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          jq -n '{"url": env.OUTPUT_URL}' > body.json
-          osarchs=(linux_amd64 linux_arm64 linux_arm windows_amd64 darwin_amd64 darwin_arm64)
-          for osarch in "${osarchs[@]}"; do
-            echo "Processing $osarch"
-            KEY="${osarch//_/-}" \
-            OSARCH="$osarch" \
-            jq -s '. as $i | .[0] | .download[env.KEY] = {
-              "url": "https://storage.googleapis.com/\(env.GCP_BUCKET)/\(env.PLUGIN_ID)/release/\(env.VERSION)/linux/\(env.PLUGIN_ID)-\(env.VERSION).\(env.OSARCH).zip",
-              "md5": $i[1].plugin.md5
-            }' body.json ci/packages/info-"$osarch".json > tmp.json && mv tmp.json body.json
-          done
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
+            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
+            \"download\": {
+              \"linux-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"linux-arm64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm64.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_arm64.json | jq -r .plugin.md5)\"
+              },
+              \"linux-arm\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/linux/$PLUGIN_ID-${VERSION}.linux_arm.zip\",
+                \"md5\": \"$(cat ci/packages/info-linux_arm.json | jq -r .plugin.md5)\"
+              },
+              \"windows-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/windows/$PLUGIN_ID-${VERSION}.windows_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-windows_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"darwin-amd64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_amd64.zip\",
+                \"md5\": \"$(cat ci/packages/info-darwin_amd64.json | jq -r .plugin.md5)\"
+              },
+              \"darwin-arm64\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/darwin/$PLUGIN_ID-${VERSION}.darwin_arm64.zip\",
+                \"md5\": \"$(cat ci/packages/info-darwin_arm64.json | jq -r .plugin.md5)\"
+              }
+            }
+          }"`
+          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
            echo "Failed to publish plugin version. Got:"
-            echo "$result"
+            echo $result
            exit 1
          fi
      - name: Publish new plugin version on grafana.com (frontend only)
@@ -248,29 +254,20 @@ jobs:
        env:
          GCOM_TOKEN: ${{ env.PLUGINS_GCOM_TOKEN }}
          VERSION: ${{ steps.build_frontend.outputs.version }}
-          GCOM_API: ${{ env.GCOM_API }}
-          OUTPUT_DIR: ${{ steps.get_dir.outputs.dir }}
-          GCP_BUCKET: ${{ env.GCP_BUCKET }}
        run: |
          echo "Publish new plugin version on grafana.com:"
          echo "Plugin version: ${VERSION}"
-
-          OUTPUT_URL="https://github.com/grafana/grafana/tree/$OUTPUT_DIR" \
-          DOWNLOAD_URL="https://storage.googleapis.com/$GCP_BUCKET/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip" \
-          MD5_CHECKSUM="$(jq -r '.plugin.md5' ci/packages/info-any.json)" \
-          jq -rn '{
-            "url": env.OUTPUT_URL,
-            "download": {
-              "any": {
-                "url": env.DOWNLOAD_URL,
-                "md5": env.MD5_CHECKSUM
+          result=`curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" ${{ env.GCOM_API}}/api/plugins -d "{
+            \"url\": \"https://github.com/grafana/grafana/tree/main/${{ steps.get_dir.outputs.dir }}\",
+            \"download\": {
+              \"any\": {
+                \"url\": \"https://storage.googleapis.com/${{ env.GCP_BUCKET }}/$PLUGIN_ID/release/${VERSION}/any/$PLUGIN_ID-${VERSION}.any.zip\",
+                \"md5\": \"$(cat ci/packages/info-any.json | jq -r .plugin.md5)\"
              }
            }
-          }' > body.json
-
-          result="$(curl -H "Authorization: Bearer $GCOM_TOKEN" -H "Content-Type: application/json" "$GCOM_API"/api/plugins --data-binary '@body.json')"
-          if [[ "$(echo "$result" | jq -r .version)" == "null" ]]; then
+          }"`
+          if [[ "$(echo $result | jq -r .version)" == "null" ]]; then
            echo "Failed to publish plugin version. Got:"
-            echo "$result"
+            echo $result
            exit 1
          fi
--- a/.github/workflows/create-next-release-branch.yml
+++ b/.github/workflows/create-next-release-branch.yml
@@ -10,6 +10,11 @@ on:
        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
        type: string
        required: true
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
    outputs:
      branch:
        description: The new branch that was created
@@ -22,32 +27,23 @@ on:
        description: The release branch to increment (eg providing `release-11.2.3` will result in `release-11.2.4` being created)
        type: string
        required: true
-
-permissions:
-  contents: read
-  id-token: write
-
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
 jobs:
  main:
    runs-on: ubuntu-latest
    outputs:
      branch: ${{ steps.branch.outputs.branch }}
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: "[\"grafana\", \"grafana-enterprise\"]"
-          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Create release branch
        id: branch
        uses: grafana/grafana-github-actions-go/bump-release@main # zizmor: ignore[unpinned-uses]
--- a/.github/workflows/dashboards-issue-add-label.yml
+++ b/.github/workflows/dashboards-issue-add-label.yml
@@ -11,7 +11,7 @@ env:
  ORGANIZATION: ${{ github.repository_owner }}
  REPO: ${{ github.event.repository.name }}
  TARGET_PROJECT: 202
-  LABEL_IDS: "LA_kwDOAOaWjc8AAAABT38U-A"
+  LABEL_IDs: "LA_kwDOAOaWjc8AAAABT38U-A"

 concurrency:
  group: issue-label-when-in-project-${{ github.event.number }}
@@ -26,26 +26,25 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem

-      - name: Generate token
+      - name: "Generate token"
        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}
      - name: Check if issue is in target project
        env:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
          TARGET_PROJECT: ${{ env.TARGET_PROJECT }}
        run: |
-          # shellcheck disable=SC2016 # we don't want the $s to be expanded
          gh api graphql -f query='
-            query($org: String!, $repo: String!, $issueNumber: Int!) {
+            query($org: String!, $repo: String!) {
              repository(name: $repo, owner: $org) {
-                issue (number: $issueNumber) {
+                issue (number: $ISSUE_NUMBER) {
                  id
                  projectItems(first:20) {
                    nodes {
@@ -56,18 +55,15 @@ jobs:
                  }
                }
              }
-            }' -f org="$ORGANIZATION" -f repo="$REPO" -F issueNumber="$ISSUE_NUMBER" > projects_data.json
+            }' -f org=$ORGANIZATION -f repo=$REPO > projects_data.json

-            {
-              echo "IN_TARGET_PROJ=$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json)"
-              echo "ITEM_ID=$(jq '.data.repository.issue.id' projects_data.json)"
-            } >> "$GITHUB_ENV"
+            echo 'IN_TARGET_PROJ='$(jq '.data.repository.issue.projectItems.nodes[] | select(.project.number=='"$TARGET_PROJECT"') | .project != null' projects_data.json) >> $GITHUB_ENV
+            echo 'ITEM_ID='$(jq '.data.repository.issue.id' projects_data.json) >> $GITHUB_ENV
      - name: Set up label array
        if: env.IN_TARGET_PROJ
        env:
          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
-          # shellcheck disable=SC2153 # we define the variable on the line above in 'read'
          IFS=',' read -ra LABEL_IDs <<< "$LABEL_IDS"
          for item in "${LABEL_IDs[@]}"; do
            echo "Item: $item"
@@ -78,7 +74,6 @@ jobs:
          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
          LABEL_IDS: ${{ env.LABEL_IDS }}
        run: |
-          # shellcheck disable=SC2016 # we don't want the $s to be expanded
          gh api graphql -f query='
            mutation ($labelableId: ID!, $labelIds: [ID!]!) {
              addLabelsToLabelable(
@@ -86,4 +81,4 @@ jobs:
              ) {
                  clientMutationId
              }
-            }' -f labelableId="$ITEM_ID" -f labelIds="$LABEL_IDS"
+            }' -f labelableId=$ITEM_ID -f labelIds=$LABEL_IDS
--- a/.github/workflows/deploy-pr-preview.yml
+++ b/.github/workflows/deploy-pr-preview.yml
@@ -9,8 +9,6 @@ on:
    paths:
      - "docs/sources/**"

-permissions: {}
-
 jobs:
  deploy-pr-preview:
    permissions:
--- a/.github/workflows/deploy-storybook-preview.yml
+++ b/.github/workflows/deploy-storybook-preview.yml
@@ -1,93 +0,0 @@
-name: Deploy Storybook preview
-
-on:
-  pull_request:
-    paths:
-      - 'packages/grafana-ui/**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  deploy-storybook-preview:
-    name: Deploy Storybook preview
-    runs-on: ubuntu-latest
-    # Don't run from forks for the moment. If we find this useful we can do the workflow_run dance
-    # to make it work for forks.
-    if: github.event.pull_request.head.repo.fork == false
-    permissions:
-      contents: read
-      id-token: write
-
-    env:
-      BUCKET_NAME: grafana-storybook-previews
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-
-      - name: Cache node_modules
-        uses: actions/cache@v4
-        with:
-          path: |
-            node_modules
-          key: node_modules-${{ hashFiles('yarn.lock') }}
-          restore-keys: |
-            node_modules-
-
-      - name: Install dependencies
-        env:
-          # If the PR isn't from a fork then don't use the slower yarn checks
-          YARN_ENABLE_HARDENED_MODE: ${{ github.event.pull_request.head.repo.fork == false && '1' || '0' }}
-        run: yarn install --immutable
-
-      - name: Build storybook
-        run: yarn storybook:build
-
-      # Create the GCS folder name for the preview. Creates a consistent name for all deploys for the PR.
-      # Matches format of `pr_<PR_NUMBER>_<SANITIZED_BRANCH>`.
-      # Where `SANITIZED_BRANCH` is the branch name with only alphanumeric and hyphens, limited to 30 characters.
-      - name: Create deploy name
-        id: create-deploy-name
-        env:
-          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          # Convert branch name to only contain alphanumeric and hyphens
-          SANITIZED_BRANCH=$(echo "$BRANCH_NAME" | tr -cs "[:alnum:]-" "-" | sed "s/^-//;s/-$//")
-
-          # Check if SANITIZED_BRANCH is empty and fail if it is
-          if [ -z "$SANITIZED_BRANCH" ]; then
-            echo "Error: Branch name resulted in empty string after sanitization"
-            exit 1
-          fi
-
-          echo "deploy-name=pr_${PR_NUMBER}_${SANITIZED_BRANCH:0:30}" >> "$GITHUB_OUTPUT"
-
-      - name: Upload Storybook
-        uses: grafana/shared-workflows/actions/push-to-gcs@main
-        with:
-          environment: prod
-          bucket: ${{ env.BUCKET_NAME }}
-          bucket_path: ${{ steps.create-deploy-name.outputs.deploy-name }}
-          path: packages/grafana-ui/dist/storybook
-          service_account: github-gf-storybook-preview@grafanalabs-workload-identity.iam.gserviceaccount.com
-          parent: false
-
-      - name: Write summary
-        env:
-          DEPLOY_NAME: ${{ steps.create-deploy-name.outputs.deploy-name }}
-        run: |
-          echo "## Storybook preview deployed! 🚀" >> $GITHUB_STEP_SUMMARY
-          echo "Check it out at https://storage.googleapis.com/${BUCKET_NAME}/${DEPLOY_NAME}/index.html" >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/detect-breaking-changes-levitate.yml
+++ b/.github/workflows/detect-breaking-changes-levitate.yml
@@ -12,8 +12,6 @@ on:
  pull_request:
    paths:
      - 'packages/**'
-      - '.nvmrc'
-      - '.github/workflows/detect-breaking-changes-levitate.yml'
    branches:
      - 'main'

@@ -33,10 +31,9 @@ jobs:
        with:
          path: './pr'
          persist-credentials: false
-
      - uses: actions/setup-node@v4
        with:
-          node-version-file: './pr/.nvmrc'
+          node-version: 22.11.0

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
@@ -84,11 +81,10 @@ jobs:
        with:
          path: './base'
          ref: ${{ github.event.pull_request.base.ref }}
-          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
-          node-version-file: './base/.nvmrc'
+          node-version: 22.11.0

      - name: Get yarn cache directory path
        id: yarn-cache-dir-path
@@ -133,12 +129,9 @@ jobs:

    steps:
      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
      - uses: actions/setup-node@v4
        with:
-          node-version-file: '.nvmrc'
+          node-version: 22.11.0

      - name: Get built packages from pr
        uses: actions/download-artifact@v4
@@ -158,15 +151,13 @@ jobs:

      - id: 'auth'
        uses: 'google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f'
-        if: github.event.pull_request.head.repo.full_name == github.repository
        with:
-          workload_identity_provider: projects/304398677251/locations/global/workloadIdentityPools/github/providers/github-provider
-          service_account: github-plugins-data-levitate@grafanalabs-workload-identity.iam.gserviceaccount.com
+          workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
+          service_account: ${{ secrets.LEVITATE_SA }}
          project_id: 'grafanalabs-global'

      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a'
-        if: github.event.pull_request.head.repo.full_name == github.repository
        with:
          version: '>= 363.0.0'
          project_id: 'grafanalabs-global'
@@ -177,16 +168,11 @@ jobs:
        run: ./scripts/check-breaking-changes.sh
        env:
          FORCE_COLOR: 3
-          IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }} # used in check-breaking-changes.sh and levitate-parse-json-report.js

      - name: Persisting the check output
        run: |
            mkdir -p ./levitate
-            echo "{ \"exit_code\": ${IS_BREAKING}, \"message\": \"${MESSAGE}\", \"pr_number\": \"${PR_NUMBER}\" }" > ./levitate/result.json
-        env:
-          IS_BREAKING: ${{ steps.breaking-changes.outputs.is_breaking }}
-          MESSAGE: ${{ steps.breaking-changes.outputs.message }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+            echo "{ \"exit_code\": ${{ steps.breaking-changes.outputs.is_breaking }}, \"message\": \"${{ steps.breaking-changes.outputs.message }}\", \"pr_number\": \"${{ github.event.pull_request.number }}\" }" > ./levitate/result.json

      - name: Upload check output as artifact
        uses: actions/upload-artifact@v4
@@ -202,27 +188,16 @@ jobs:
    permissions:
      contents: read
      id-token: write
-    if: github.event.pull_request.head.repo.full_name == github.repository

    steps:
-      - id: get-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # get-vault-secrets-v1.1.0
-        with:
-          # Secrets placed in the ci/repo/grafana/grafana in vault
-          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
-
-      - name: Generate token
+      - name: "Generate token"
        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}

      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false

      - name: 'Download artifact'
        uses: actions/download-artifact@v4
@@ -230,7 +205,7 @@ jobs:
          name: levitate

      - name: Parsing levitate result
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        id: levitate-run
        with:
          script: |
@@ -241,7 +216,7 @@ jobs:
      # Check if label exists
      - name: Check if "levitate breaking change" label exists
        id: does-label-exist
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        with:
@@ -320,7 +295,7 @@ jobs:
                  "fields": [
                    {
                      "type": "mrkdwn",
-                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>\n\nAuthor: ${{ github.event.pull_request.user.login }}"
+                      "text": "*PR:* <${{ github.event.pull_request.html_url }}|#${{ github.event.pull_request.number }}>"
                    },
                    {
                      "type": "mrkdwn",
@@ -334,7 +309,7 @@ jobs:
      # Add the label
      - name: Add "levitate breaking change" label
        if: steps.levitate-run.outputs.exit_code == 1 && steps.does-label-exist.outputs.result == 0
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -350,7 +325,7 @@ jobs:
      # Remove label (no more breaking changes)
      - name: Remove "levitate breaking change" label
        if: steps.levitate-run.outputs.exit_code == 0 && steps.does-label-exist.outputs.result == 1
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -368,7 +343,7 @@ jobs:
      # Related issue: https://github.com/renovatebot/renovate/issues/1908
      - name: Add "grafana/plugins-platform-frontend" as a reviewer
        if: steps.levitate-run.outputs.exit_code == 1
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -385,7 +360,7 @@ jobs:
      # Remove reviewers (no more breaking changes)
      - name: Remove "grafana/plugins-platform-frontend" from the list of reviewers
        if: steps.levitate-run.outputs.exit_code == 0
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ steps.levitate-run.outputs.pr_number }}
        with:
@@ -401,11 +376,9 @@ jobs:

      - name: Exit
        run: |
-          if [ "${LV_EXIT_CODE}" -ne 0 ]; then
+          if [ "${{ steps.levitate-run.outputs.exit_code }}" -ne 0 ]; then
            echo "Breaking changes detected. Please check the levitate report in your pull request. This workflow won't block merging."
          fi

-          exit "${LV_EXIT_CODE}"
+          exit ${{ steps.levitate-run.outputs.exit_code }}
        shell: bash
-        env:
-          LV_EXIT_CODE: ${{ steps.levitate-run.outputs.exit_code }}
--- a/.github/workflows/documentation-ci.yml
+++ b/.github/workflows/documentation-ci.yml
@@ -1,21 +1,14 @@
 name: Documentation CI
 on:
  pull_request:
-    branches: ["main", "release-*"]
+    branches: ["main"]
    paths: ["docs/sources/**"]
  workflow_dispatch:
-
-permissions: {}
-
 jobs:
  vale:
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      security-events: write
    container:
-      image: grafana/vale:latest # zizmor: ignore[unpinned-images]
+      image: grafana/vale:latest
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/e2e-dashboard-new-layouts.yml
+++ b/.github/workflows/e2e-dashboard-new-layouts.yml
@@ -1,42 +0,0 @@
-name: Run e2e for dashboardNewLayouts
-
-on:
-  pull_request:
-    branches:
-      - '**'
-    paths:
-      - 'e2e/dashboard-new-layouts/**'
-      - 'public/app/features/dashboard-scene/**'
-
-env:
-  ARCH: linux-amd64
-
-jobs:
-  dashboard-new-layouts-e2e:
-    runs-on: ubuntu-latest
-    continue-on-error: true
-    if: github.event.pull_request.draft == false
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Pin Go version to mod file
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: 'go.mod'
-      - run: go version
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'yarn'
-      - name: Install dependencies
-        run: yarn install --immutable
-      - name: Build grafana
-        run: make build
-      - name: Install Cypress dependencies
-        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
-        with:
-          runTests: false
-      - name: Run dashboardNewLayouts e2e
-        run: yarn e2e:dashboard-new-layouts
--- a/.github/workflows/ephemeral-instances-pr-comment.yml
+++ b/.github/workflows/ephemeral-instances-pr-comment.yml
@@ -1,48 +1,47 @@
-name: "Ephemeral instances"
-
+name: 'Ephemeral instances'
 on:
  issue_comment:
    types: [created]
  pull_request:
    types: [closed]
-
-permissions: {}
-
 jobs:
-  handle-ephemeral-instances:
-    if: ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') && github.repository_owner == 'grafana' }}
-    runs-on:
-      labels: ubuntu-latest-16-cores
-    continue-on-error: true
-    permissions:
-      # For commenting.
-      pull-requests: write
-      # No contents permission is needed because we will impersonate an app to create the PR instead.
-      id-token: write # required for vault access
-
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
    steps:
-      - name: Get vault secrets
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in ci/repo/grafana/grafana/
-          repo_secrets: |
-            APP_ID=ephemeral-instances-bot:app-id
-            APP_PEM=ephemeral-instances-bot:app-private-key
-            GCOM_HOST=ephemeral-instances-bot:gcom-host
-            GCOM_TOKEN=ephemeral-instances-bot:gcom-token
-            REGISTRY=ephemeral-instances-bot:registry
-            GCP_SA_ACCOUNT_KEY_BASE64=ephemeral-instances-bot:sa-key
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.EI_APP_ID != '' &&
+                        secrets.EI_APP_PRIVATE_KEY != '' &&
+                        secrets.EI_GCOM_HOST != '' &&
+                        secrets.EI_GCOM_TOKEN != '' &&
+                        secrets.EI_EPHEMERAL_INSTANCES_REGISTRY != '' &&
+                        secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 != '' &&
+                        secrets.EI_EPHEMERAL_ORG_ID != ''
+                        ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi

+  handle-pull-request-event:
+    needs: config
+    if: needs.config.outputs.has-secrets &&
+        ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') }}
+    runs-on:
+      labels: ubuntu-latest-8-cores
+    continue-on-error: true
+    steps:
      - name: Generate a GitHub app installation token
        id: generate_token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ env.APP_ID }}
-          private_key: ${{ env.APP_PEM }}
+          app_id: ${{ secrets.EI_APP_ID }}
+          private_key: ${{ secrets.EI_APP_PRIVATE_KEY }}

      - name: Checkout ephemeral instances repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@v4
        with:
          repository: grafana/ephemeral-grafana-instances-github-action
          token: ${{ steps.generate_token.outputs.token }}
@@ -53,11 +52,11 @@ jobs:
      - name: build and deploy ephemeral instance
        uses: ./ephemeral
        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          gcom-host: ${{ env.GCOM_HOST }}
-          gcom-token: ${{ env.GCOM_TOKEN }}
-          registry: "${{ env.REGISTRY }}"
-          gcp-service-account-key: ${{ env.GCP_SA_ACCOUNT_KEY_BASE64 }}
-          ephemeral-org-id: ephemeral
+          github-token:  ${{ steps.generate_token.outputs.token }}
+          gcom-host: ${{ secrets.EI_GCOM_HOST }}
+          gcom-token: ${{ secrets.EI_GCOM_TOKEN }}
+          registry: "${{ secrets.EI_EPHEMERAL_INSTANCES_REGISTRY }}"
+          gcp-service-account-key: "${{ secrets.EI_GCP_SERVICE_ACCOUNT_KEY_BASE64 }}"
+          ephemeral-org-id: "${{ secrets.EI_EPHEMERAL_ORG_ID }}"
          oss-or-enterprise: oss
          verbose: true
--- a/.github/workflows/feature-toggles-ci.yml
+++ b/.github/workflows/feature-toggles-ci.yml
@@ -7,15 +7,9 @@ on:
      - 'pkg/services/featuremgmt/registry.go'
      - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md'

-permissions: {}
-
 jobs:
  test:
    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/frontend-lint.yml
+++ b/.github/workflows/frontend-lint.yml
@@ -9,35 +9,12 @@ on:
 permissions: {}

 jobs:
-  detect-changes:
-    name: Detect whether code changed
+  lint-frontend-verify-i18n:
+    name: Verify i18n
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.frontend }}
-      prettier: ${{ steps.detect-changes.outputs.frontend == 'true' || steps.detect-changes.outputs.docs == 'true' }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/frontend-lint.yml
-
-  lint-frontend-prettier:
-    needs: detect-changes
    permissions:
      contents: read
      id-token: write
-    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
-    # the `lint-frontend-prettier-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.prettier == 'true'
-    name: Lint
-    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
@@ -48,21 +25,46 @@ jobs:
        cache: 'yarn'
        cache-dependency-path: 'yarn.lock'
    - run: yarn install --immutable --check-cache
-    - run: yarn run prettier:check
-    - run: yarn run lint
-  lint-frontend-prettier-enterprise:
-    needs: detect-changes
+    - run: |
+        extract_error_message='::error::Extraction failed. Make sure that you have no dynamic translation phrases, such as "t(`preferences.theme.{themeID}`, themeName)" and that no translation key is used twice. Search the output for '[warning]' to find the offending file.'
+        make i18n-extract || (echo "${extract_error_message}" && false)
+    - run: |
+        uncommited_error_message="::error::Translation extraction has not been committed. Please run 'make i18n-extract', commit the changes and push again."
+        file_diff=$(git diff --dirstat public/locales)
+        if [ -n "$file_diff" ]; then
+            echo $file_diff
+            echo "${uncommited_error_message}"
+            exit 1
+        fi
+  lint-frontend-prettier:
    permissions:
      contents: read
      id-token: write
-    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.prettier == 'true'
+    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
+    # the `lint-frontend-prettier-enterprise` workflow will run instead
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    name: Lint
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
      with:
-        persist-credentials: false
+        node-version-file: '.nvmrc'
+        cache: 'yarn'
+        cache-dependency-path: 'yarn.lock'
+    - run: yarn install --immutable --check-cache
+    - run: yarn run prettier:check
+    - run: yarn run lint
+  lint-frontend-prettier-enterprise:
+    permissions:
+      contents: read
+      id-token: write
+    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -76,19 +78,16 @@ jobs:
    - run: yarn run prettier:check
    - run: yarn run lint
  lint-frontend-typecheck:
-    needs: detect-changes
    permissions:
      contents: read
      id-token: write
    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
    # the `lint-frontend-typecheck-enterprise` workflow will run instead
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    name: Typecheck
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -97,18 +96,15 @@ jobs:
    - run: yarn install --immutable --check-cache
    - run: yarn run typecheck
  lint-frontend-typecheck-enterprise:
-    needs: detect-changes
    permissions:
      contents: read
      id-token: write
    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    name: Typecheck
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -121,17 +117,13 @@ jobs:
    - run: yarn install --immutable --check-cache
    - run: yarn run typecheck
  lint-frontend-betterer:
-    needs: detect-changes
    permissions:
      contents: read
      id-token: write
-    if: needs.detect-changes.outputs.changed == 'true'
    name: Betterer
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -34,7 +34,6 @@ on:
 permissions:
  # contents: write allows the action(s) to create github releases
  contents: write
-  id-token: write

 jobs:
  main:
@@ -45,5 +44,6 @@ jobs:
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ inputs.version }}
+          metrics_api_key: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
          latest: ${{ inputs.latest }}
          dry_run: ${{ inputs.dry_run }}
--- a/.github/workflows/go-lint.yml
+++ b/.github/workflows/go-lint.yml
@@ -7,7 +7,6 @@ on:
      - go.*
    branches:
      - main
-      - release-*.*.*
  pull_request:

 permissions:
@@ -23,6 +22,7 @@ jobs:
      - uses: actions/setup-go@v5
        with:
          go-version-file: ./go.mod
+      - run: make gen-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1481404843c368bc19ca9406f87d6e0fc97bdcfd
        with:
--- a/.github/workflows/i18n-crowdin-create-tasks.yml
+++ b/.github/workflows/i18n-crowdin-create-tasks.yml
@@ -1,13 +1,27 @@
-name: Crowdin automatic task management
+name: Crowdin Create Tasks

 on:
  workflow_dispatch:
-  # once a month on the first day of the month at midnight
-  schedule:
-    - cron: "0 0 1 * *"
+  # schedule:
+  #   - cron: "0 0 * * *"

 jobs:
  create-tasks-in-crowdin:
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-create-tasks.yml@main
-    with:
-      crowdin_project_id: 5
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+
+      - name: Create tasks
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+        run: node ./.github/workflows/scripts/crowdin/create-tasks.js
--- a/.github/workflows/i18n-crowdin-download.yml
+++ b/.github/workflows/i18n-crowdin-download.yml
@@ -7,10 +7,153 @@ on:

 jobs:
  download-sources-from-crowdin:
-    if: github.repository == 'grafana/grafana'
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-download.yml@main
-    with:
-      crowdin_project_id: 5
-      pr_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
-      github_board_id: 78 # Frontend Platform project
-      en_paths: public/locales/en-US/grafana.json, public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json, public/app/plugins/datasource/mssql/locales/en-US/mssql.json, packages/grafana-prometheus/src/locales/en-US/grafana-prometheus.json, packages/grafana-sql/src/locales/en-US/grafana-sql.json
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # needed to commit changes into the PR
+      pull-requests: write # needed to update PR description, labels, etc
+      id-token: write # needed to get vault secrets
+
+    steps:
+      - name: Generate token
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
+
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+
+      - name: Download sources
+        id: crowdin-download
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        with:
+          upload_sources: false
+          upload_translations: false
+          download_sources: false
+          download_translations: true
+          export_only_approved: true
+          localization_branch_name: i18n_crowdin_translations
+          create_pull_request: true
+          pull_request_title: 'I18n: Download translations from Crowdin'
+          pull_request_body:  |
+            :robot: Automatic download of translations from Crowdin.
+
+            This runs once per day and will merge automatically if all the required checks pass.
+
+            If there's a conflict, close the pull request and **delete the branch**.
+            You can then either wait for the schedule to trigger a new PR, or rerun the action manually.
+          pull_request_labels: 'area/frontend, area/internationalization, no-changelog, no-backport'
+          pull_request_base_branch_name: 'main'
+          base_url: 'https://grafana.api.crowdin.com'
+          config: 'crowdin.yml'
+          source: 'public/locales/en-US/grafana.json'
+          translation: 'public/locales/%locale%/%original_file_name%'
+          # Magic details of the github-actions bot user, to pass CLA checks
+          github_user_name: "github-actions[bot]"
+          github_user_email: "41898282+github-actions[bot]@users.noreply.github.com"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+
+      - name: Get pull request ID
+        if: steps.crowdin-download.outputs.pull_request_url
+        shell: bash
+        # Crowdin action returns us the URL of the pull request, but we need an ID for the GraphQL API
+        # that looks like 'PR_kwDOAOaWjc5mP_GU'
+        run: |
+          pr_id=$(gh pr view ${{ steps.crowdin-download.outputs.pull_request_url }} --json id -q .id)
+          echo "PULL_REQUEST_ID=$pr_id" >> "$GITHUB_ENV"
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Get project board ID
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        id: get-project-id
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          # Frontend Platform project - https://github.com/orgs/grafana/projects/78
+          org: grafana
+          project_number: 78
+          query: |
+            query getProjectId($org: String!, $project_number: Int!){
+              organization(login: $org) {
+                projectV2(number: $project_number) {
+                  title
+                  id
+                }
+              }
+            }
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Add to project board
+        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          projectid: ${{ fromJson(steps.get-project-id.outputs.data).organization.projectV2.id }}
+          prid: ${{ env.PULL_REQUEST_ID }}
+          query: |
+            mutation addPullRequestToProject($projectid: ID!, $prid: ID!){
+              addProjectV2ItemById(input: {projectId: $projectid, contentId: $prid}) {
+                item {
+                  id
+                }
+              }
+            }
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Run auto-milestone
+        uses: grafana/grafana-github-actions-go/auto-milestone@main # zizmor: ignore[unpinned-uses]
+        if: steps.crowdin-download.outputs.pull_request_url
+        with:
+          pr: ${{ steps.crowdin-download.outputs.pull_request_number }}
+          token: ${{ steps.generate_token.outputs.token }}
+
+      - name: Get vault secrets
+        id: vault-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main # zizmor: ignore[unpinned-uses]
+        with:
+          # Secrets placed in ci/repo/grafana/grafana/grafana-pr-approver
+          repo_secrets: |
+            GRAFANA_PR_APPROVER_APP_ID=grafana-pr-approver:app-id
+            GRAFANA_PR_APPROVER_APP_PEM=grafana-pr-approver:private-key
+
+      - name: Generate approver token
+        if: steps.crowdin-download.outputs.pull_request_url
+        id: generate_approver_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ env.GRAFANA_PR_APPROVER_APP_ID }}
+          private_key: ${{ env.GRAFANA_PR_APPROVER_APP_PEM }}
+
+      - name: Approve and automerge PR
+        if: steps.crowdin-download.outputs.pull_request_url
+        shell: bash
+        # Only approve if:
+        # - the PR does not modify files other than json files under the public/locales/ directory
+        # - the PR does not modify the en-US locale
+        run: |
+          filesChanged=$(gh pr diff --name-only ${{ steps.crowdin-download.outputs.pull_request_url }})
+
+          if [[ $(echo $filesChanged | grep -v 'public/locales/[a-zA-Z\-]*/grafana.json' | wc -l) -ne 0 ]]; then
+            echo "Non-i18n changes detected, not approving"
+            exit 1
+          fi
+
+          if [[ $(echo $filesChanged | grep "public/locales/en-US" | wc -l) -ne 0 ]]; then
+            echo "public/locales/en-US changes detected, not approving"
+            exit 1
+          fi
+
+          echo "Approving and enabling automerge"
+          gh pr review ${{ steps.crowdin-download.outputs.pull_request_url }} --approve
+          gh pr merge --auto --squash ${{ steps.crowdin-download.outputs.pull_request_url }}
+        env:
+          GITHUB_TOKEN: ${{ steps.generate_approver_token.outputs.token }}
--- a/.github/workflows/i18n-crowdin-upload.yml
+++ b/.github/workflows/i18n-crowdin-upload.yml
@@ -5,16 +5,31 @@ on:
  push:
    paths:
      - 'public/locales/en-US/grafana.json'
-      - 'public/app/plugins/datasource/azuremonitor/locales/en-US/grafana-azure-monitor-datasource.json'
-      - 'public/app/plugins/datasource/mssql/locales/en-US/mssql.json'
-      - 'packages/grafana-sql/src/locales/en-US/grafana-sql.json'
-      - 'packages/grafana-prometheus/src/locales/en-US/grafana-prometheus.json'
    branches:
      - main

 jobs:
  upload-sources-to-crowdin:
-    if: github.repository == 'grafana/grafana'
-    uses: grafana/grafana-github-actions/.github/workflows/crowdin-upload.yml@main
-    with:
-      crowdin_project_id: 5
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Upload sources
+        uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2
+        with:
+          upload_sources: true
+          upload_sources_args: '--dest=public/locales/en-US/grafana.json'
+          upload_translations: false
+          download_translations: false
+          create_pull_request: false
+          base_url: 'https://grafana.api.crowdin.com'
+          config: 'crowdin.yml'
+          source: 'public/locales/en-US/grafana.json'
+          translation: 'public/locales/%locale%/%original_file_name%'
+        env:
+          CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
+          CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
--- a/.github/workflows/i18n-verify.yml
+++ b/.github/workflows/i18n-verify.yml
@@ -1,15 +0,0 @@
-name: Verify i18n
-
-permissions:
-  contents: read
-
-on:
-  pull_request:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-jobs:
-  verify-i18n:
-    uses: grafana/grafana-github-actions/.github/workflows/verify-i18n.yml@main
--- a/.github/workflows/issue-opened.yml
+++ b/.github/workflows/issue-opened.yml
@@ -43,19 +43,20 @@ jobs:
        with:
          # Secrets placed in the ci/repo/grafana/grafana/plugins_platform_issue_commands_github_bot path in Vault
          repo_secrets: |
-            GITHUB_APP_ID=grafana_pr_automation_app:app_id
-            GITHUB_APP_PRIVATE_KEY=grafana_pr_automation_app:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem

-      - name: Generate token
+      - name: "Generate token"
        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}

      - name: Run Commands
        uses: ./actions/commands
        with:
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
          token: ${{ steps.generate_token.outputs.token }}
          configPath: "issue-opened"

@@ -76,20 +77,18 @@ jobs:
          repo_secrets: |
            AUTOTRIAGER_OPENAI_API_KEY=plugins_platform_issue_triager:AUTOTRIAGER_OPENAI_API_KEY
            AUTOTRIAGER_SLACK_WEBHOOK_URL=plugins_platform_issue_triager:AUTOTRIAGER_SLACK_WEBHOOK_URL
-            GITHUB_APP_ID=plugins_platform_issue_triager_github_bot:app_id
-            GITHUB_APP_PRIVATE_KEY=plugins_platform_issue_triager_github_bot:app_pem
+            GH_APP_ID=plugins_platform_issue_commands_github_bot:app_id
+            GH_APP_PEM=plugins_platform_issue_commands_github_bot:app_pem

-      - name: Generate token
+      - name: "Generate token"
        id: generate_token
-        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app-id: ${{ env.GITHUB_APP_ID }}
-          private-key: ${{ env.GITHUB_APP_PRIVATE_KEY }}
+          app_id: ${{ env.GH_APP_ID }}
+          private_key: ${{ env.GH_APP_PEM }}

      - name: Checkout
        uses: actions/checkout@v4 # v4.2.2
-        with:
-          persist-credentials: false

      - name: Send issue to the auto triager action
        id: auto_triage
--- a/.github/workflows/lint-build-docs.yml
+++ b/.github/workflows/lint-build-docs.yml
@@ -16,16 +16,10 @@ on:
      - 'packages/**/*.md'
      - 'latest.json'

-permissions: {}
-
 jobs:
  docs:
    name: Build & Verify Docs
    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -35,7 +29,7 @@ jobs:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version-file: '.nvmrc'
+          node-version: '22.11.0'
          cache: 'yarn'

      - name: Install dependencies
@@ -51,18 +45,18 @@ jobs:
        run: |
          # Create and start a container from the docs-base image in detached mode
          docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null
-
+          
          # Create the directory structure inside the container
          docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest
-
+          
          # Create the _index.md file
          docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md"
-
+          
          # Copy the docs sources from the host to the container
          docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/
-
+          
          # Run the make prod command inside the container
          docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings"
-
+          
          # Clean up the container
          docker rm -f docs-builder
--- a/.github/workflows/metrics-collector.yml
+++ b/.github/workflows/metrics-collector.yml
@@ -0,0 +1,54 @@
+#
+# When triggered by the cron job it will also collect metrics for:
+#  * number of issues without label
+#  * number of issues with "needs more info"
+#  * number of issues with "needs investigation"
+#  * number of issues with label type/bug
+#  * number of open issues in current milestone
+#
+# https://github.com/grafana/grafana-github-actions/blob/main/metrics-collector/index.ts
+#
+name: Github issue metrics collection
+on:
+  schedule:
+    - cron: "*/10 * * * *"
+  issues:
+    types: [opened, closed]
+
+permissions:
+  contents: read
+
+jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_MISC_STATS_API_KEY != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
+  main:
+    needs: config
+    if: needs.config.outputs.has-secrets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Actions
+        uses: actions/checkout@v4 # v4.2.2
+        with:
+          repository: "grafana/grafana-github-actions"
+          path: ./actions
+          ref: main
+          persist-credentials: false
+      - name: Install Actions
+        run: npm install --production --prefix ./actions
+      - name: Run metrics collector
+        uses: ./actions/metrics-collector
+        with:
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          token: ${{secrets.GITHUB_TOKEN}}
+          configPath: "metrics-collector"
--- a/.github/workflows/migrate-prs.yml
+++ b/.github/workflows/migrate-prs.yml
@@ -15,6 +15,11 @@ on:
        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
        required: true
        type: string
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true
  workflow_dispatch:
    inputs:
      from:
@@ -29,30 +34,24 @@ on:
        description: Owner/repo of the repository where the branch is created (e.g. 'grafana/grafana')
        required: true
        type: string
-
-permissions:
-  contents: read
-  id-token: write
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID:
+        required: true
+      GRAFANA_DELIVERY_BOT_APP_PEM:
+        required: true

 jobs:
  main:
    runs-on: ubuntu-latest
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Migrate PRs
-        uses: grafana/grafana-github-actions-go/migrate-open-prs@main
+        uses: grafana/grafana-github-actions-go/migrate-open-prs@main # zizmor: ignore[unpinned-uses]
        with:
          token: ${{ steps.generate_token.outputs.token }}
          ownerRepo: ${{ inputs.ownerRepo }}
--- a/.github/workflows/pr-backend-coverage.yml
+++ b/.github/workflows/pr-backend-coverage.yml
@@ -0,0 +1,71 @@
+name: Coverage
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - 'docs/**'
+      - '**/*.md'
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  EDITION: 'oss'
+  WIRE_TAGS: 'oss'
+
+jobs:
+  main:
+    name: Backend Unit Tests
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential shared-mime-info
+          go install github.com/mfridman/tparse@c1754a1f484ac5cd422697b0fec635177ddc8507 # v0.17.0
+      - name: Generate Go code
+        run: make gen-go
+      - name: Run unit tests
+        run: COVER_OPTS="-coverprofile=be-unit.cov -coverpkg=github.com/grafana/grafana/..." GO_TEST_OUTPUT="/tmp/unit.log" make test-go-unit-cov
+      - name: Process and upload coverage
+        uses: ./.github/actions/test-coverage-processor
+        with:
+          test-type: 'be-unit'
+          # Needs to be named 'unit.cov' based on the Makefile command `make test-go-unit`
+          coverage-file: 'unit.cov'
+          codecov-token: ${{ secrets.CODECOV_TOKEN }}
+          codecov-flag: 'be-unit'
+          codecov-name: 'be-unit'
+
+      - name: Install Grafana Bench
+        # We can't allow forks here, as we need secret access.
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: ./.github/actions/setup-grafana-bench
+
+      - name: Process output for Bench
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          grafana-bench report \
+            --trigger pr-backend-unit-tests-oss \
+            --report-input go \
+            --report-output log \
+            --grafana-version "$(git rev-parse HEAD)" \
+            --suite-name grafana-oss-unit-tests \
+            /tmp/unit.log || true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
--- a/.github/workflows/pr-codeql-analysis-javascript.yml
+++ b/.github/workflows/pr-codeql-analysis-javascript.yml
@@ -3,7 +3,7 @@ name: "CodeQL for PR / javascript"
 on:
  workflow_dispatch:
  pull_request:
-    branches: [main, release-*]
+    branches: [main]
    paths:
      - '**/*.js'
      - '**/*.ts'
--- a/.github/workflows/pr-codeql-analysis-python.yml
+++ b/.github/workflows/pr-codeql-analysis-python.yml
@@ -3,7 +3,7 @@ name: "CodeQL for PR / python"
 on:
  workflow_dispatch:
  pull_request:
-    branches: [main, release-*]
+    branches: [main]
    paths:
      - '**/*.py'

@@ -25,24 +25,11 @@ jobs:
        fetch-depth: 2
        persist-credentials: false

-    - name: Check for Python files
-      id: check-python
-      run: |
-        if [ -z "$(find . -name '*.py' -type f)" ]; then
-          echo "No Python files found, skipping analysis"
-          echo "skip=true" >> "$GITHUB_OUTPUT"
-        else
-          echo "Python files found, proceeding with analysis"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-        fi
-
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      if: steps.check-python.outputs.skip != 'true'
      uses: github/codeql-action/init@v3
      with:
        languages: "python"

    - name: Perform CodeQL Analysis
-      if: steps.check-python.outputs.skip != 'true'
      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/pr-commands.yml
+++ b/.github/workflows/pr-commands.yml
@@ -5,14 +5,28 @@ on:
      - labeled
      - opened
      - synchronize
-permissions: {}
 concurrency:
  group: pr-commands-${{ github.event.number }}
 jobs:
+  config:
+    runs-on: "ubuntu-latest"
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_PR_AUTOMATION_APP_ID != '' &&
+                        secrets.GRAFANA_PR_AUTOMATION_APP_PEM != '' &&
+                        secrets.GRAFANA_MISC_STATS_API_KEY != ''
+                        ) || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi
+
  main:
-    permissions:
-      contents: read
-      pull-requests: write
+    needs: config
+    if: needs.config.outputs.has-secrets
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Actions
@@ -24,8 +38,15 @@ jobs:
          persist-credentials: false
      - name: Install Actions
        run: npm install --production --prefix ./actions
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_PR_AUTOMATION_APP_PEM }}
      - name: Run Commands
        uses: ./actions/commands
        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          metricsWriteAPIKey: ${{secrets.GRAFANA_MISC_STATS_API_KEY}}
+          token: ${{ steps.generate_token.outputs.token }}
          configPath: pr-commands
--- a/.github/workflows/pr-dependabot-update-go-workspace.yml
+++ b/.github/workflows/pr-dependabot-update-go-workspace.yml
@@ -1,7 +1,7 @@
 name: "Update Go Workspace for Dependabot PRs"
 on:
  pull_request:
-    branches: [main, release-*]
+    branches: [main]
    paths:
      - .github/workflows/pr-dependabot-update-go-workspace.yml
      - go.mod
@@ -65,5 +65,5 @@ jobs:
        if ! git diff --exit-code --quiet; then
          echo "Committing and pushing workspace changes"
          git commit -a -m "update workspace"
-          git push origin "$BRANCH_NAME"
+          git push origin $BRANCH_NAME
        fi
--- a/.github/workflows/pr-e2e-tests.yml
+++ b/.github/workflows/pr-e2e-tests.yml
@@ -11,47 +11,27 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}

-permissions: {}
-
 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.e2e }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/pr-e2e-tests.yml
-
  build-grafana:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
    name: Build & Package Grafana
    runs-on: ubuntu-latest-16-cores
-    permissions:
-      contents: read
    outputs:
      artifact: ${{ steps.artifact.outputs.artifact }}
    steps:
      - uses: actions/checkout@v4
        with:
-          path: ./grafana
+          repository: 'grafana/grafana-build'
+          ref: 'main'
          persist-credentials: false
+      - uses: actions/checkout@v4
+        with:
+          path: ./grafana
+      - run: echo "GRAFANA_GO_VERSION=$(grep "go 1." grafana/go.work |  cut -d\  -f2)" >> "$GITHUB_ENV"
      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
        with:
-          version: 0.18.8
          verb: run
-          args: go -C grafana run ./pkg/build/cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir="${PWD}/grafana" > out.txt
-      - run: mv "$(cat out.txt)" grafana.tar.gz
+          args: go run ./cmd artifacts -a targz:grafana:linux/amd64 --grafana-dir=grafana --go-version=${GRAFANA_GO_VERSION} > out.txt
+      - run: mv $(cat out.txt) grafana.tar.gz
      - run: echo "artifact=grafana-e2e-${{github.run_number}}" >> "$GITHUB_OUTPUT"
        id: artifact
      - uses: actions/upload-artifact@v4
@@ -60,160 +40,33 @@ jobs:
          retention-days: 1
          name: ${{ steps.artifact.outputs.artifact }}
          path: grafana.tar.gz
-
-  build-e2e-runner:
-    needs: detect-changes
-    if: needs.detect-changes.outputs.changed == 'true'
-    name: Build E2E test runner
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      artifact: ${{ steps.artifact.outputs.artifact }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-          cache: ${{ !github.event.pull_request.head.repo.fork }}
-      - name: Build E2E test runner
-        id: artifact
-        run: |
-          set -euo pipefail
-          # We want a static binary, so we need to set CGO_ENABLED=0
-          CGO_ENABLED=0 go build -o ./e2e-runner ./e2e/
-          echo "artifact=e2e-runner-${{github.run_number}}" >> "$GITHUB_OUTPUT"
-      - uses: actions/upload-artifact@v4
-        id: upload
-        with:
-          retention-days: 1
-          name: ${{ steps.artifact.outputs.artifact }}
-          path: e2e-runner
-
-  run-e2e-tests:
-    needs:
-      - build-grafana
-      - build-e2e-runner
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - suite: various-suite
-            path: e2e/various-suite
-          - suite: dashboards-suite
-            path: e2e/dashboards-suite
-          - suite: smoke-tests-suite
-            path: e2e/smoke-tests-suite
-          - suite: panels-suite
-            path: e2e/panels-suite
-          - suite: various-suite (old arch)
-            path: e2e/old-arch/various-suite
-            flags: --flags="--env DISABLE_SCENES=true"
-          - suite: dashboards-suite (old arch)
-            path: e2e/old-arch/dashboards-suite
-            flags: --flags="--env DISABLE_SCENES=true"
-          - suite: smoke-tests-suite (old arch)
-            path: e2e/old-arch/smoke-tests-suite
-            flags: --flags="--env DISABLE_SCENES=true"
-          - suite: panels-suite (old arch)
-            path: e2e/old-arch/panels-suite
-            flags: --flags="--env DISABLE_SCENES=true"
+  e2e-matrix:
    name: ${{ matrix.suite }}
-    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-grafana.outputs.artifact }}
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-e2e-runner.outputs.artifact }}
-      - name: chmod +x
-        run: chmod +x ./e2e-runner
-      - name: Run E2E tests
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/e2e --package=grafana.tar.gz
-            --suite=${{ matrix.path }}
-            ${{ matrix.flags }}
-      - name: Set suite name
-        id: set-suite-name
-        if: success() || failure()
-        env:
-          SUITE: ${{ matrix.path }}
-        run: |
-          set -euo pipefail
-          echo "suite=$(echo "$SUITE" | sed 's/\//-/g')" >> "$GITHUB_OUTPUT"
-      - uses: actions/upload-artifact@v4
-        if: success() || failure()
-        with:
-          name: ${{ steps.set-suite-name.outputs.suite }}-${{ github.run_number }}
-          path: videos
-          retention-days: 1
-
-  run-a11y-test:
+    strategy:
+      matrix:
+        suite:
+          - various-suite
+          - dashboards-suite
+          - smoke-tests-suite
+          - panels-suite
    needs:
      - build-grafana
-    name: A11y test
-    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.build-grafana.outputs.artifact }}
-      - name: Run PR a11y test
-        if: github.event_name == 'pull_request'
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/a11y --package=grafana.tar.gz
-      - name: Run non-PR a11y test
-        if: github.event_name != 'pull_request'
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run ./pkg/build/a11y --package=grafana.tar.gz --no-threshold-fail
-
-  # This is the job that is actually required by rulesets.
-  # We want to only require one job instead of all the individual tests.
-  # Future work also allows us to start skipping some tests based on changed files.
-  required-e2e-tests:
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}
+  e2e-matrix-old-arch:
+    name: ${{ matrix.suite }} (old arch)
+    strategy:
+      matrix:
+        suite:
+          - old-arch/various-suite
+          - old-arch/dashboards-suite
+          - old-arch/smoke-tests-suite
+          - old-arch/panels-suite
    needs:
-      - run-e2e-tests
-      # a11y test is not listed on purpose: it is not an important E2E test.
-      # It is also totally fine to fail right now.
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All E2E tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"
+      - build-grafana
+    uses: ./.github/workflows/run-e2e-suite.yml
+    with:
+      package: ${{ needs.build-grafana.outputs.artifact }}
+      suite: ${{ matrix.suite }}
--- a/.github/workflows/pr-external-labelling.yml
+++ b/.github/workflows/pr-external-labelling.yml
@@ -1,25 +0,0 @@
-name: External PR labelling
-
-on:
-  # We need "write" permissions on the PR to be able to add a label.
-  pull_request_target: # zizmor: ignore[dangerous-triggers] We need this to have labelling permissions. There are no user inputs here, so we should be fine.
-    types:
-      - opened
-
-permissions: {}
-
-jobs:
-  label-if-external:
-    name: Add 'pr/external' label if the PR is external
-    if: github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER'
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write # to write the label
-
-    steps:
-      - name: Add the 'pr/external' label
-        env:
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          echo "Adding 'pr/external' label to the PR"
-          gh pr edit "$PR_NUMBER" --add-label pr/external
--- a/.github/workflows/pr-frontend-unit-tests.yml
+++ b/.github/workflows/pr-frontend-unit-tests.yml
@@ -9,32 +9,13 @@ on:
 permissions: {}

 jobs:
-  detect-changes:
-    name: Detect whether code changed
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    outputs:
-      changed: ${{ steps.detect-changes.outputs.frontend }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          persist-credentials: true # required to get more history in the changed-files action
-          fetch-depth: 2
-      - name: Detect changes
-        id: detect-changes
-        uses: ./.github/actions/change-detection
-        with:
-          self: .github/workflows/pr-frontend-unit-tests.yml
-
  frontend-unit-tests:
    permissions:
      contents: read
      id-token: write
    # Run this workflow only for PRs from forks; if it gets merged into `main` or `release-*`,
    # the `frontend-unit-tests-enterprise` workflow will run instead
-    needs: detect-changes
-    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == true
    runs-on: ubuntu-latest-8-cores
    name: "Unit tests (${{ matrix.chunk }} / 8)"
    strategy:
@@ -62,8 +43,7 @@ jobs:
      contents: read
      id-token: write
    # Run this workflow for non-PR events (like pushes to `main` or `release-*`) OR for internal PRs (PRs not from forks)
-    needs: detect-changes
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false && needs.detect-changes.outputs.changed == 'true'
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest-8-cores
    name: "Unit tests (${{ matrix.chunk }} / 8)"
    strategy:
@@ -72,8 +52,6 @@ jobs:
        chunk: [1, 2, 3, 4, 5, 6, 7, 8]
    steps:
    - uses: actions/checkout@v4
-      with:
-        persist-credentials: false
    - uses: actions/setup-node@v4
      with:
        node-version-file: '.nvmrc'
@@ -89,30 +67,3 @@ jobs:
        TEST_MAX_WORKERS: 2
        TEST_SHARD: ${{ matrix.chunk }}
        TEST_SHARD_TOTAL: 8
-
-  # This is the job that is actually required by rulesets.
-  # We need to require EITHER the OSS or the Enterprise job to pass.
-  # However, if one is skipped, GitHub won't flat-map the shards,
-  #   so they won't be accepted by a ruleset.
-  required-frontend-unit-tests:
-    needs:
-      - frontend-unit-tests
-      - frontend-unit-tests-enterprise
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All frontend unit tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"
--- a/.github/workflows/pr-go-workspace-check.yml
+++ b/.github/workflows/pr-go-workspace-check.yml
@@ -3,7 +3,7 @@ name: "Go Workspace Check"
 on:
  workflow_dispatch:
  pull_request:
-    branches: [main, release-*]
+    branches: [main]
    paths:
      - .github/workflows/pr-go-workspace-check.yml
      - go.mod
--- a/.github/workflows/pr-k8s-codegen-check.yml
+++ b/.github/workflows/pr-k8s-codegen-check.yml
@@ -3,7 +3,7 @@ name: "K8s Codegen Check"
 on:
  workflow_dispatch:
  pull_request:
-    branches: [main, release-*]
+    branches: [main]
    paths:
      - "pkg/apis/**"
      - "pkg/aggregator/apis/**"
--- a/.github/workflows/pr-patch-check-event.yml
+++ b/.github/workflows/pr-patch-check-event.yml
@@ -1,27 +1,63 @@
+# Owned by grafana-delivery-squad
+# Intended to be dropped into the base repo Ex: grafana/grafana
 name: Dispatch check for patch conflicts
+run-name: dispatch-check-patch-conflicts-${{ github.base_ref }}-${{ github.head_ref }}
 on:
-  pull_request:
+  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize
    branches:
      - "main"
+      - "v*.*.*"
      - "release-*"

-permissions:
-  id-token: write
-  contents: read
+permissions: {}

 # Since this is run on a pull request, we want to apply the patches intended for the
 # target branch onto the source branch, to verify compatibility before merging.
 jobs:
  dispatch-job:
-    uses: grafana/grafana/.github/workflows/pr-patch-check.yml@main
-    with:
-      head_ref: ${{ github.head_ref }}
-      base_ref: ${{ github.base_ref }}
-      repo: ${{ github.repository }}
-      sender_login: ${{ github.event.sender.login }}
-      sha: ${{ github.sha }}
-      pr_commit_sha: ${{ github.event.pull_request.head.sha }}
+    permissions:
+      id-token: write
+      contents: read
+      actions: write
+    env:
+      HEAD_REF: ${{ github.head_ref }}
+      BASE_REF: ${{ github.base_ref }}
+      REPO: ${{ github.repository }}
+      SENDER: ${{ github.event.sender.login }}
+      SHA: ${{ github.sha }}
+      PR_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Generate token"
+        id: generate_token
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        with:
+          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
+      - name: "Dispatch job"
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.generate_token.outputs.token }}
+          script: |
+            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
+
+            await github.rest.actions.createWorkflowDispatch({
+                owner: 'grafana',
+                repo: 'security-patch-actions',
+                workflow_id: 'test-patches-event.yml',
+                ref: 'main',
+                inputs: {
+                  src_repo: REPO,
+                  src_ref: HEAD_REF,
+                  src_merge_sha: SHA,
+                  src_pr_commit_sha: PR_COMMIT_SHA,
+                  patch_repo: REPO + '-security-patches',
+                  patch_ref: BASE_REF,
+                  triggering_github_handle: SENDER
+                }
+            })
--- a/.github/workflows/pr-patch-check.yml
+++ b/.github/workflows/pr-patch-check.yml
@@ -1,78 +0,0 @@
-name: Dispatch check for patch conflicts
-on:
-  workflow_call:
-    inputs:
-      head_ref:
-        type: string
-        required: true
-      base_ref:
-        type: string
-        required: true
-      repo:
-        type: string
-        required: true
-      sender_login:
-        type: string
-        required: true
-      sha:
-        type: string
-        required: true
-      pr_commit_sha:
-        type: string
-        required: true
-
-permissions:
-  id-token: write
-  contents: read
-
-# Since this is run on a pull request, we want to apply the patches intended for the
-# target branch onto the source branch, to verify compatibility before merging.
-jobs:
-  dispatch-job:
-    env:
-      HEAD_REF: ${{ inputs.head_ref }}
-      BASE_REF: ${{ github.base_ref }}
-      REPO: ${{ inputs.repo }}
-      SENDER: ${{ inputs.sender_login }}
-      SHA: ${{ inputs.sha }}
-      PR_COMMIT_SHA: ${{ inputs.pr_commit_sha }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: "Generate token"
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          permissions: "{\"actions\": \"write\", \"workflows\": \"write\"}"
-          repositories: "[\"security-patch-actions\"]"
-      - name: "Dispatch job"
-        uses: actions/github-script@v7
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {HEAD_REF, BASE_REF, REPO, SENDER, SHA, PR_COMMIT_SHA} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'security-patch-actions',
-                workflow_id: 'test-patches-event.yml',
-                ref: 'main',
-                inputs: {
-                  src_repo: REPO,
-                  src_ref: HEAD_REF,
-                  src_merge_sha: SHA,
-                  src_pr_commit_sha: PR_COMMIT_SHA,
-                  patch_repo: REPO + '-security-patches',
-                  patch_ref: BASE_REF,
-                  triggering_github_handle: SENDER
-                }
-            })
--- a/.github/workflows/pr-test-integration.yml
+++ b/.github/workflows/pr-test-integration.yml
@@ -15,8 +15,6 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }}

-permissions: {}
-
 jobs:
  sqlite:
    strategy:
@@ -29,8 +27,6 @@ jobs:

    name: Sqlite (${{ matrix.shard }})
    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
@@ -41,11 +37,12 @@ jobs:
        with:
          go-version-file: go.mod
          cache: true
+      - name: Generate Go code
+        run: make gen-go
      - name: Run tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
-          set -euo pipefail
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
          go test -tags=sqlite -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
  mysql:
@@ -59,8 +56,6 @@ jobs:

    name: MySQL (${{ matrix.shard }})
    runs-on: ubuntu-latest-8-cores
-    permissions:
-      contents: read
    env:
      GRAFANA_TEST_DB: mysql
      MYSQL_HOST: 127.0.0.1
@@ -78,8 +73,6 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -87,11 +80,12 @@ jobs:
          cache: true
      - name: Setup MySQL devenv
        run: mysql -h 127.0.0.1 -P 3306 -u root -prootpass < devenv/docker/blocks/mysql_tests/setup.sql
+      - name: Generate Go code
+        run: make gen-go
      - name: Run tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
-          set -euo pipefail
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
          go test -p=1 -tags=mysql -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
  postgres:
@@ -123,8 +117,6 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -132,37 +124,11 @@ jobs:
          cache: true
      - name: Setup Postgres devenv
        run: psql -p 5432 -h 127.0.0.1 -U grafanatest -d grafanatest -f devenv/docker/blocks/postgres_tests/setup.sql
+      - name: Generate Go code
+        run: make gen-go
      - name: Run tests
        env:
          SHARD: ${{ matrix.shard }}
        run: |
-          set -euo pipefail
          readarray -t PACKAGES <<< "$(./scripts/ci/backend-tests/pkgs-with-tests-named.sh -b TestIntegration | ./scripts/ci/backend-tests/shard.sh -N"$SHARD" -d-)"
          go test -p=1 -tags=postgres -timeout=5m -run '^TestIntegration' "${PACKAGES[@]}"
-
-  # This is the job that is actually required by rulesets.
-  # We want to only require one job instead of all the individual tests and shards.
-  # Future work also allows us to start skipping some tests based on changed files.
-  required-backend-integration-tests:
-    needs:
-      - mysql
-      - postgres
-      - sqlite
-    # always() is the best function here.
-    # success() || failure() will skip this function if any need is also skipped.
-    # That means conditional test suites will fail the entire requirement check.
-    if: always()
-
-    name: All backend integration tests complete
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check test suites
-        env:
-          NEEDS: ${{ toJson(needs) }}
-        run: |
-          FAILURES="$(echo "$NEEDS" | jq 'with_entries(select(.value.result == "failure")) | map_values(.result)')"
-          echo "$FAILURES"
-          if [ "$(echo "$FAILURES" | jq '. | length')" != "0" ]; then
-            exit 1
-          fi
-          echo "All OK!"
--- a/.github/workflows/publish-artifact.yml
+++ b/.github/workflows/publish-artifact.yml
@@ -1,68 +0,0 @@
-name: Publish artifacts to bucket
-on:
-  workflow_call:
-    inputs:
-      pattern:
-        description: |
-          (From actinos/download-artifact) Glob pattern of artifacts (instead of `name`)
-          Be careful when using this option; the contents of the root of each artifact are coalesced, so ensure that they do not collide.
-        type: string
-        required: false
-      name:
-        description: (From actinos/download-artifact) Name of the GitHub artifact to upload (Ignored if `pattern` is set)
-        type: string
-        required: false
-      bucket:
-        description: Name of the GCS bucket
-        type: string
-        required: true
-      bucket-path:
-        description: Path in the GCS bucket
-        type: string
-        required: false
-        default: "."
-      environment:
-        description: "'prod' or 'dev'"
-        type: string
-        required: false
-        default: dev
-      run-id:
-        type: string
-        required: true
-      service-account:
-        type: string
-        required: false
-        default: github-prerelease-writer@grafanalabs-workload-identity.iam.gserviceaccount.com
-jobs:
-  publish:
-    runs-on: github-hosted-ubuntu-x64-small
-    name: Publish
-    permissions:
-      id-token: write
-    steps:
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: ${{ inputs.name }}
-          pattern: ${{ inputs.pattern }}
-          run-id: ${{ inputs.run-id }}
-          path: ./artifact
-      - name: Log in to GCS
-        id: login-to-gcs
-        uses: grafana/shared-workflows/actions/login-to-gcs@login-to-gcs/v0.2.1
-        with:
-          environment: ${{ inputs.environment }}
-          service_account: ${{ inputs.service-account }}
-      - name: Coalesce artifacts
-        run: |
-          mkdir out
-          find ./artifact -mindepth 2 -maxdepth 2 -exec cp -r {} out/ \;
-          ls -al out
-      - name: Upload artifacts
-        uses: grafana/shared-workflows/actions/push-to-gcs@push-to-gcs-v0.2.0
-        with:
-          bucket: ${{ inputs.bucket }}
-          environment: ${{ inputs.environment }}
-          parent: false
-          path: out
-          bucket_path: ${{ inputs.bucket-path }}
-          service_account: ${{ inputs.service-account }}
--- a/.github/workflows/publish-kinds-next.yml
+++ b/.github/workflows/publish-kinds-next.yml
@@ -8,17 +8,25 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-permissions: {}
-
 jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
+  config:
    runs-on: "ubuntu-latest"
-    permissions:
-      contents: read # cloning repo
-      actions: read # reading .github/workflows/ dir
-      id-token: write # reading vault secrets
+    if: github.repository == 'grafana/grafana'
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' &&secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi

+  main:
+    needs: config
+    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    runs-on: "ubuntu-latest"
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@@ -34,20 +42,12 @@ jobs:
      - name: "Verify kinds"
        run: go run .github/workflows/scripts/kinds/verify-kinds.go

-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        run: "git clone --single-branch --no-tags --depth 1 -b master https://grafana-delivery-bot:${{ steps.generate_token.outputs.token }}@github.com/grafana/website-sync ./.github/actions/website-sync"
--- a/.github/workflows/publish-kinds-release.yml
+++ b/.github/workflows/publish-kinds-release.yml
@@ -10,17 +10,25 @@ on:
      - '**/*.cue'
  workflow_dispatch:

-permissions: {}
-
 jobs:
-  main:
-    if: github.repository == 'grafana/grafana'
+  config:
    runs-on: "ubuntu-latest"
-    permissions:
-      contents: read # cloning repo
-      actions: read # reading .github/workflows/ dir
-      id-token: write # reading vault secrets
+    if: github.repository == 'grafana/grafana'
+    outputs:
+      has-secrets: ${{ steps.check.outputs.has-secrets }}
+    steps:
+      - name: "Check for secrets"
+        id: check
+        shell: bash
+        run: |
+          if [ -n "${{ (secrets.GRAFANA_DELIVERY_BOT_APP_ID != '' && secrets.GRAFANA_DELIVERY_BOT_APP_PEM != '') || '' }}" ]; then
+            echo "has-secrets=1" >> "$GITHUB_OUTPUT"
+          fi

+  main:
+    needs: config
+    if: github.repository == 'grafana/grafana' && needs.config.outputs.has-secrets
+    runs-on: "ubuntu-latest"
    steps:
      - name: "Checkout Grafana repo"
        uses: "actions/checkout@v4"
@@ -42,7 +50,6 @@ jobs:
        with:
          repository: "grafana/grafana-github-actions"
          path: "./actions"
-          persist-credentials: false

      - name: "Install Actions from library"
        run: "npm install --production --prefix ./actions"
@@ -55,20 +62,12 @@ jobs:
          release_tag_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$"
          release_branch_regexp: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.x$"

-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          # Secrets placed in the ci/data/repo/grafana/grafana/delivery-bot-app path in Vault
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
      - name: "Generate token"
        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
        with:
-          # App needs Actions: Read/Write for the grafana/security-patch-actions repo
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}

      - name: "Clone website-sync Action"
        if: "steps.has-matching-release-tag.outputs.bool == 'true'"
--- a/.github/workflows/publish-technical-documentation-next.yml
+++ b/.github/workflows/publish-technical-documentation-next.yml
@@ -16,8 +16,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-        with:
-          persist-credentials: false
      - uses: grafana/writers-toolkit/publish-technical-documentation@publish-technical-documentation/v1 # zizmor: ignore[unpinned-uses]
        with:
          website_directory: content/docs/grafana/next
--- a/.github/workflows/reject-gh-secrets.yml
+++ b/.github/workflows/reject-gh-secrets.yml
@@ -1,31 +0,0 @@
-name: Reject GitHub secrets
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches:
-      - main
-      - release-*.*.*
-
-permissions: {}
-
-jobs:
-  reject-gh-secrets:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          persist-credentials: false
-
-      - name: Grep for secrets accesses
-        run: |
-          if grep -E '\$\{\{\s*secrets\s*\.\s*[a-zA-Z0-9_\-]+\s*\}\}' .github/workflows/*.yml | grep -vF 'secrets.GITHUB_TOKEN' | grep -vF '# nolint:reject-gh-secrets'; then
-            echo "Found secrets access in the codebase. Please remove it in favour of Vault secrets."
-            echo "If you are sure this is correct, add '# nolint:reject-gh-secrets' to the end of the line. Be VERY careful with this."
-            exit 1
-          fi
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -1,346 +0,0 @@
-name: Build Release Packages
-on:
-  workflow_dispatch:
-    inputs:
-      source-event:
-        description: If this workflow was triggered by another workflow, this value should be set to the GITHUB_EVENT_NAME of that source workflow.
-        type: string
-        required: false
-        default: workflow_dispatch
-  schedule:
-    # Every weeknight at midnight
-    # "Scheduled workflows will only run on the default branch." (docs.github.com)
-    - cron: '0 0 * * 1-5'
-  push:
-    branches:
-      - release-*.*.*
-      - main
-
-permissions:
-  contents: read
-
-# Builds the following artifacts:
-#
-# npm:grafana
-# storybook
-# targz:grafana:linux/amd64
-# targz:grafana:linux/arm64
-# targz:grafana:linux/arm/v6
-# targz:grafana:linux/arm/v7
-# deb:grafana:linux/amd64
-# deb:grafana:linux/arm64
-# deb:grafana:linux/arm/v6
-# deb:grafana:linux/arm/v7
-# rpm:grafana:linux/amd64:sign
-# rpm:grafana:linux/arm64:sign
-# docker:grafana:linux/amd64
-# docker:grafana:linux/arm64
-# docker:grafana:linux/arm/v7
-# docker:grafana:linux/amd64:ubuntu
-# docker:grafana:linux/arm64:ubuntu
-# docker:grafana:linux/arm/v7:ubuntu
-# targz:grafana:windows/amd64
-# targz:grafana:windows/arm64
-# targz:grafana:darwin/amd64
-# targz:grafana:darwin/arm64
-# zip:grafana:windows/amd64
-# msi:grafana:windows/amd64
-jobs:
-  setup:
-    name: setup
-    runs-on: github-hosted-ubuntu-x64-small
-    if: (github.repository == 'grafana/grafana') || (github.repository == 'grafana/grafana-security-mirror' && contains(github.ref_name, '+security'))
-    outputs:
-      version: ${{ steps.output.outputs.version }}
-      grafana-commit: ${{ steps.output.outputs.grafana_commit }}
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Set up version (Release Branches)
-        if: startsWith(github.ref_name, 'release-')
-        run: echo "${REF_NAME#release-}" > VERSION
-        env:
-          REF_NAME: ${{ github.ref_name }}
-      - name: Set up version (Non-release branches)
-        if: ${{ !startsWith(github.ref_name, 'release-') }}
-        run: jq -r .version package.json | sed -s "s/pre/${BUILD_ID}/g" > VERSION
-        env:
-          REF_NAME: ${{ github.ref_name }}
-          BUILD_ID: ${{ github.run_id }}
-      - id: output
-        run: |
-          echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
-          echo "grafana_commit=$(git rev-parse HEAD)" | tee -a "$GITHUB_OUTPUT"
-  # Triggers the same workflow in `grafana-enterprise` on the same ref
-  downstream:
-    runs-on: github-hosted-ubuntu-x64-small
-    needs: [setup]
-    permissions:
-      contents: read
-      id-token: write
-    name: Dispatch grafana-enterprise build
-    steps:
-      - id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana-enterprise"]'
-          permissions: '{"actions": "write"}'
-      - uses: actions/github-script@v7
-        env:
-          REF: ${{ github.ref_name }}
-          VERSION: ${{ needs.setup.outputs.version }}
-          BUILD_ID: ${{ github.run_id }}
-          BUCKET: grafana-prerelease
-          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
-          SOURCE_EVENT: ${{ inputs.source-event || github.event_name }}
-          REPO: ${{ github.repository }}
-        with:
-          github-token: ${{ steps.generate_token.outputs.token }}
-          script: |
-            const {REF, VERSION, BUILD_ID, BUCKET, GRAFANA_COMMIT, SOURCE_EVENT, REPO} = process.env;
-
-            await github.rest.actions.createWorkflowDispatch({
-                owner: 'grafana',
-                repo: 'grafana-enterprise',
-                workflow_id: 'release-build.yml',
-                ref:  REF,
-                inputs: {
-                  "version": VERSION,
-                  "build-id": String(BUILD_ID),
-                  "bucket": BUCKET,
-                  "grafana-commit": GRAFANA_COMMIT,
-                  "source-event": SOURCE_EVENT,
-                  "upstream": REPO,
-                }
-            })
-
-  build:
-    runs-on: github-hosted-ubuntu-x64-large
-    needs: [setup]
-    permissions:
-      contents: read
-      id-token: write
-    name: ${{ needs.setup.outputs.version }} / ${{ matrix.name }}
-    strategy:
-      fail-fast: false
-      matrix:
-        # The artifacts in these lists are grouped by their os+arch because the
-        # build process can reuse the binaries for each artifact.
-        # The downside to this is that the frontend will be built for each one when it could be reused for all of them.
-        # This could be a future improvement.
-        include:
-          - name: linux-amd64 # publish-npm relies on this step building npm packages
-            artifacts: targz:grafana:linux/amd64,deb:grafana:linux/amd64,rpm:grafana:linux/amd64,docker:grafana:linux/amd64,docker:grafana:linux/amd64:ubuntu,npm:grafana,storybook
-            verify: true
-          - name: linux-arm64
-            artifacts: targz:grafana:linux/arm64,deb:grafana:linux/arm64,rpm:grafana:linux/arm64,docker:grafana:linux/arm64,docker:grafana:linux/arm64:ubuntu
-            verify: false
-          - name: linux-s390x
-            artifacts: targz:grafana:linux/s390x,deb:grafana:linux/s390x,rpm:grafana:linux/s390x,docker:grafana:linux/s390x,docker:grafana:linux/s390x:ubuntu
-            verify: true
-          - name: linux-armv7
-            artifacts: targz:grafana:linux/arm/v7,deb:grafana:linux/arm/v7,docker:grafana:linux/arm/v7,docker:grafana:linux/arm/v7:ubuntu
-            verify: true
-          - name: linux-armv6
-            artifacts: targz:grafana:linux/arm/v6,deb:grafana:linux/arm/v6
-            verify: true
-          - name: windows-amd64
-            artifacts: targz:grafana:windows/amd64,zip:grafana:windows/amd64,msi:grafana:windows/amd64
-            verify: true
-          - name: windows-arm64
-            artifacts: targz:grafana:windows/arm64,zip:grafana:windows/arm64
-            verify: true
-          - name: darwin-amd64
-            artifacts: targz:grafana:darwin/amd64
-            verify: true
-          - name: darwin-arm64
-            artifacts: targz:grafana:darwin/arm64
-            verify: true
-    steps:
-      - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392
-        with:
-          image: docker.io/tonistiigi/binfmt:qemu-v7.0.0-28
-      - uses: ./.github/actions/build-package
-        id: build
-        with:
-          artifacts: ${{ matrix.artifacts }}
-          checksum: true
-          grafana-path: .
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          version: ${{ needs.setup.outputs.version }}
-          output: artifacts-${{ matrix.name }}.txt
-          verify: ${{ matrix.verify }}
-          build-id: ${{ github.run_id }}
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: artifacts-list-${{ matrix.name }}
-          path: ${{ steps.build.outputs.file }}
-          retention-days: 1
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
-        with:
-          name: artifacts-${{ matrix.name }}
-          path: ${{ steps.build.outputs.dist-dir }}
-          retention-days: 1
-
-  publish-artifacts:
-    name: Upload artifacts
-    uses: grafana/grafana/.github/workflows/publish-artifact.yml@main
-    permissions:
-      id-token: write
-    needs:
-      - setup
-      - build
-    with:
-      bucket: grafana-prerelease
-      pattern: artifacts-*
-      run-id: ${{ github.run_id }}
-      bucket-path: ${{ needs.setup.outputs.version }}_${{ github.run_id }}
-      environment: prod
-
-  publish-dockerhub:
-    if: github.ref_name == 'main'
-    permissions:
-      contents: read
-      id-token: write
-    runs-on: ubuntu-x64-small
-    needs:
-      - setup
-      - build
-    steps:
-      - uses: grafana/shared-workflows/actions/dockerhub-login@dockerhub-login/v1.0.2
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-amd64
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-arm64
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-list-linux-armv7
-          path: .
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-amd64
-          path: dist
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-arm64
-          path: dist
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
-        with:
-          name: artifacts-linux-armv7
-          path: dist
-      - name: Push to Docker Hub
-        env:
-          VERSION: ${{ needs.setup.outputs.version }}
-        run: |
-          # grep can use a wildcard but then it includes the filename as part of the result and that gets complicated.
-          # It's easier to use cat to combine the artifact lists
-          cat artifacts-*.txt > artifacts.txt
-          grep 'grafana_.*docker.tar.gz$' artifacts.txt | xargs -I % docker load -i % | sed 's/Loaded image: //g' | tee docker_images
-          while read -r line; do
-            # This tag will be `grafana/grafana-image-tags:...`
-            docker push "$line"
-          done < docker_images
-
-          docker manifest create grafana/grafana:main "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64"  "grafana/grafana-image-tags:${VERSION}-armv7"
-          docker manifest create grafana/grafana:main-ubuntu "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64"  "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7"
-          docker manifest create "grafana/grafana-dev:${VERSION}" "grafana/grafana-image-tags:${VERSION}-amd64" "grafana/grafana-image-tags:${VERSION}-arm64"  "grafana/grafana-image-tags:${VERSION}-armv7"
-          docker manifest create "grafana/grafana-dev:${VERSION}-ubuntu" "grafana/grafana-image-tags:${VERSION}-ubuntu-amd64" "grafana/grafana-image-tags:${VERSION}-ubuntu-arm64"  "grafana/grafana-image-tags:${VERSION}-ubuntu-armv7"
-
-          docker manifest push grafana/grafana:main
-          docker manifest push grafana/grafana:main-ubuntu
-          docker manifest push "grafana/grafana-dev:${VERSION}"
-          docker manifest push "grafana/grafana-dev:${VERSION}-ubuntu"
-
-  dispatch-npm-canaries:
-    if: github.ref_name == 'main'
-    name: Dispatch publish NPM canaries
-    permissions:
-      actions: write
-      contents: read
-    runs-on: ubuntu-x64-small
-    needs:
-      - setup
-    steps:
-      - name: Dispatch action
-        env:
-          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
-          VERSION: ${{ needs.setup.outputs.version }}
-          BUILD_ID: ${{ github.run_id }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh workflow run release-npm.yml \
-            --repo grafana/grafana \
-            --ref main \
-            --field grafana_commit="$GRAFANA_COMMIT" \
-            --field version="$VERSION" \
-            --field build_id="$BUILD_ID"\
-            --field version_type="canary"
-
-  # notify-pr creates (or updates) a comment in a pull request to link to this workflow where the release artifacts are
-  # being built.
-  notify-pr:
-    runs-on: ubuntu-x64-small
-    permissions:
-      contents: read
-      id-token: write
-    needs:
-      - setup
-    steps:
-      - id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
-        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: '["grafana"]'
-          permissions: '{"issues": "write", "pull_requests": "write", "contents": "read"}'
-      - name: Find PR
-        env:
-          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          GRAFANA_COMMIT: ${{ needs.setup.outputs.grafana-commit }}
-        run: echo "ISSUE_NUMBER=$(gh api "/repos/grafana/grafana/commits/${GRAFANA_COMMIT}/pulls" | jq -r '.[0].number')" >> "$GITHUB_ENV"
-      - name: Find Comment
-        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
-        id: fc
-        with:
-          issue-number: ${{ env.ISSUE_NUMBER }}
-          comment-author: 'grafana-delivery-bot[bot]'
-          body-includes: GitHub Actions Build
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          comment-id: ${{ steps.fc.outputs.comment-id }}
-          issue-number: ${{ env.ISSUE_NUMBER }}
-          body: |
-            :rocket: Your submission is now being built and packaged.
-
-            - [GitHub Actions Build](https://github.com/grafana/grafana/actions/runs/${{ github.run_id }})
-            - Version: ${{ needs.setup.outputs.version }}
-          edit-mode: replace
--- a/.github/workflows/release-comms.yml
+++ b/.github/workflows/release-comms.yml
@@ -21,11 +21,6 @@ on:
    - 'main'
    - 'release-*.*.*'

-permissions:
-  contents: write
-  pull-requests: write
-  id-token: write
-
 jobs:
  setup:
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/')) }}
@@ -35,8 +30,6 @@ jobs:
      release_branch: ${{ steps.output.outputs.release_branch }}
      dry_run: ${{ steps.output.outputs.dry_run }}
      latest: ${{ steps.output.outputs.latest }}
-      private_key: ${{ steps.output.outputs.delivery_bot_pem }}
-      app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
    env:
      HEAD_REF: ${{ github.head_ref }}
      DRY_RUN: ${{ inputs.dry_run }}
@@ -46,34 +39,36 @@ jobs:
    steps:
    - if: ${{ github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/') }}
      run: |
-        {
-        echo "VERSION=$(echo "${HEAD_REF}" | sed -e 's/release\/.*\//v/g')"
-        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}"
-        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}"
-        } >> "$GITHUB_ENV"
+        echo "VERSION=$(echo ${HEAD_REF} | sed -e 's/release\/.*\//v/g')" >> $GITHUB_ENV
+        echo "DRY_RUN=${{ contains(github.event.pull_request.labels.*.name, 'release/dry-run') }}" >> $GITHUB_ENV
+        echo "LATEST=${{ contains(github.event.pull_request.labels.*.name, 'release/latest') && '1' || '0' }}" >> $GITHUB_ENV
    - id: output
      run: |
        echo "dry_run: $DRY_RUN"
        echo "latest: $LATEST"
        echo "version: $VERSION"

-        {
-          echo "release_branch=$(echo "$VERSION" | sed -s 's/^v/release-/g')"
-          echo "dry_run=$DRY_RUN"
-          echo "latest=$LATEST"
-          echo "version=$VERSION"
-        } >> "$GITHUB_OUTPUT"
+        echo "release_branch=$(echo $VERSION | sed -s 's/^v/release-/g')" >> "$GITHUB_OUTPUT"
+        echo "dry_run=$DRY_RUN" >> "$GITHUB_OUTPUT"
+        echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
+        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
  create_next_release_branch_grafana:
    name: Create next release branch (Grafana)
    needs: setup
-    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
    with:
      ownerRepo: 'grafana/grafana'
      source: ${{ needs.setup.outputs.release_branch }}
  create_next_release_branch_enterprise:
    name: Create next release branch (Grafana Enterprise)
    needs: setup
-    uses: grafana/grafana/.github/workflows/create-next-release-branch.yml@main
+    uses: ./.github/workflows/create-next-release-branch.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
    with:
      ownerRepo: 'grafana/grafana-enterprise'
      source: ${{ needs.setup.outputs.release_branch }}
@@ -97,7 +92,10 @@ jobs:
    needs:
      - setup
      - create_next_release_branch_grafana
-    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
    with:
      ownerRepo: 'grafana/grafana'
      from: ${{ needs.setup.outputs.release_branch }}
@@ -106,14 +104,20 @@ jobs:
    needs:
      - setup
      - create_next_release_branch_enterprise
-    uses: grafana/grafana/.github/workflows/migrate-prs.yml@main
+    uses: ./.github/workflows/migrate-prs.yml
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
    with:
      ownerRepo: 'grafana/grafana-enterprise'
      from: ${{ needs.setup.outputs.release_branch }}
      to: ${{ needs.create_next_release_branch_enterprise.outputs.branch }}
  post_changelog_on_forum:
    needs: setup
-    uses: grafana/grafana/.github/workflows/community-release.yml@main
+    uses: ./.github/workflows/community-release.yml
+    secrets:
+      GRAFANA_MISC_STATS_API_KEY: ${{ secrets.GRAFANA_MISC_STATS_API_KEY }}
+      GRAFANABOT_FORUM_KEY: ${{ secrets.GRAFANABOT_FORUM_KEY }}
    with:
      version: ${{ needs.setup.outputs.version }}
      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -122,7 +126,7 @@ jobs:
    # The github-release action retrieves the changelog using the /repos/grafana/grafana/contents/CHANGELOG.md API
    # endpoint.
    needs: setup
-    uses: grafana/grafana/.github/workflows/github-release.yml@main
+    uses: ./.github/workflows/github-release.yml
    with:
      version: ${{ needs.setup.outputs.version }}
      dry_run: ${{ needs.setup.outputs.dry_run == 'true' }}
@@ -135,5 +139,5 @@ jobs:
      VERSION: ${{ needs.setup.outputs.version }}
    steps:
    - run: |
-        echo announce on slack that "$VERSION" has been released
-        echo dry run: "$DRY_RUN"
+        echo announce on slack that $VERSION has been released
+        echo dry run: $DRY_RUN
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -1,147 +0,0 @@
-name: Release NPM packages
-run-name: Publish NPM ${{ inputs.version_type }} ${{ inputs.version }}
-on:
-  workflow_call:
-    inputs:
-      grafana_commit:
-        description: 'Grafana commit SHA to build against'
-        required: true
-        type: string
-      version:
-        description: 'Version to publish as'
-        required: true
-        type: string
-      build_id:
-        description: 'Run ID from the original release-build workflow'
-        required: true
-        type: string
-      version_type:
-        description: 'Version type (canary, nightly, stable)'
-        required: true
-        type: string
-
-  workflow_dispatch:
-    inputs:
-      grafana_commit:
-        description: 'Grafana commit SHA to build against'
-        required: true
-      version:
-        description: 'Version to publish as'
-        required: true
-      build_id:
-        description: 'Run ID from the original release-build workflow'
-        required: true
-      version_type:
-        description: 'Version type (canary, nightly, stable)'
-        required: true
-
-permissions: {}
-
-jobs:
-  # If called with version_type 'canary' or 'stable', build + publish to NPM
-  # If called with version_type 'nightly', just tag the given version with nightly tag. It was already published by the canary build.
-
-  publish:
-    name: Publish NPM packages
-    runs-on: github-hosted-ubuntu-x64-small
-    if: inputs.version_type == 'canary' || inputs.version_type == 'stable'
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - name: Info
-        env:
-          GITHUB_REF: ${{ github.ref }}
-          GRAFANA_COMMIT: ${{ inputs.grafana_commit }}
-        run: |
-          echo "GRAFANA_COMMIT: $GRAFANA_COMMIT"
-          echo "github.ref: $GITHUB_REF"
-
-      - name: Checkout workflow ref
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          fetch-depth: 100
-          fetch-tags: false
-
-      # this will fail with "{commit} is not a valid commit" if the commit is valid but
-      # not in the last 100 commits.
-      - name: Verify commit is in workflow HEAD
-        env:
-          GIT_COMMIT: ${{ inputs.grafana_commit }}
-        run: ./.github/workflows/scripts/validate-commit-in-head.sh
-        shell: bash
-
-      - name: Map version type to NPM tag
-        id: npm-tag
-        env:
-          VERSION: ${{ inputs.version }}
-          VERSION_TYPE: ${{ inputs.version_type }}
-          REFERENCE_PKG: "@grafana/runtime"
-        run: |
-          TAG=$(./.github/workflows/scripts/determine-npm-tag.sh)
-          echo "NPM_TAG=$TAG" >> "$GITHUB_OUTPUT"
-        shell: bash
-
-      - name: Checkout build commit
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          ref: ${{ inputs.grafana_commit }}
-
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
-
-      # Trusted Publishing is only available in npm v11.5.1 and later
-      - name: Update npm
-        run: npm install -g npm@^11.5.1
-
-      - name: Install dependencies
-        run: yarn install --immutable
-
-      - name: Typecheck packages
-        run: yarn run packages:typecheck
-
-      - name: Version, build, and pack packages
-        env:
-          VERSION: ${{ inputs.version }}
-        run: |
-          yarn run packages:build
-          yarn lerna version "$VERSION" \
-            --exact \
-            --no-git-tag-version \
-            --no-push \
-            --force-publish \
-            --yes
-          yarn run packages:pack
-
-      - name: Debug packed files
-        run: tree -a ./npm-artifacts
-
-      - name: Validate packages
-        run: ./scripts/validate-npm-packages.sh
-
-      - name: Debug OIDC Claims
-        uses: github/actions-oidc-debugger@2e9ba5d3f4bebaad1f91a2cede055115738b7ae8
-        with:
-          audience: '${{ github.server_url }}/${{ github.repository_owner }}'
-
-      - name: Publish packages
-        env:
-          NPM_TAG: ${{ steps.npm-tag.outputs.NPM_TAG }}
-        run: ./scripts/publish-npm-packages.sh --dist-tag "$NPM_TAG" --registry 'https://registry.npmjs.org/'
-
-  # TODO: finish this step
-  tag-nightly:
-    name: Tag nightly release
-    runs-on: github-hosted-ubuntu-x64-small
-    if: inputs.version_type == 'nightly'
-
-    steps:
-      - name: Checkout workflow ref
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      # TODO: tag the given release with nightly
-
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -15,19 +15,15 @@ on:
      version:
        required: true
        type: string
-        description: The version of Grafana that is being released (without the `v` prefix)`
+        description: The version of Grafana that is being released
      target:
+        required: true
+        type: string
+        description: The release branch pattern (eg v9.5.x) that these changes are being merged into
+      backport:
        required: false
        type: string
-        description: 'Unused: left here for backwards compatibility'
-      changelog:
-        required: false
-        type: boolean
-        default: true
-      bump:
-        required: false
-        type: boolean
-        default: true
+        description: Branch to backport these changes to
      dry_run:
        required: false
        default: false
@@ -36,63 +32,29 @@ on:
        required: false
        default: false
        type: boolean
-      release_date:
-        required: false
-        type: string
-        description: "Release date in format YYYY-MM-DD"

-permissions:
-  contents: read
+permissions: {}

 jobs:
-  capture-date:
-    runs-on: ubuntu-latest
-    outputs:
-      release_date: ${{ steps.set_release_date.outputs.release_date }}
-    steps:
-      - name: compute_release_date
-        run: |
-          if [ -n "$DATE" ]; then
-            echo "release_date=$DATE" >> "$GITHUB_ENV"
-            exit 0
-          fi
-
-          echo "Fetching workflow run creation date..."
-          created_at=$(gh run view "$GITHUB_RUN_ID" --repo "$GH_REPO" --json createdAt -q .createdAt)
-          formatted_date=$(date -d "$created_at" +%Y-%m-%d)
-          echo "release_date=$formatted_date" >> "$GITHUB_ENV"
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-          DATE: ${{ inputs.release_date }}
-
-      - id: set_release_date
-        run: echo "release_date=$release_date" >> "$GITHUB_OUTPUT"
-
  push-changelog-to-main:
-    needs: capture-date
    permissions:
      contents: write
-      id-token: write
      pull-requests: write
-
    name: Create PR to main to update the changelog
    uses: ./.github/workflows/changelog.yml
-    concurrency:
-      group: grafana-release-pr-update-changelog-main
-      cancel-in-progress: false
    with:
      previous_version: ${{inputs.previous_version}}
      version: ${{ inputs.version }}
      latest: ${{ inputs.latest }}
      dry_run: ${{ inputs.dry_run }}
      target: main
-      work_branch: changelog/update-changelog-${{ needs.capture-date.outputs.release_date }}
+    secrets:
+      GRAFANA_DELIVERY_BOT_APP_ID: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+      GRAFANA_DELIVERY_BOT_APP_PEM: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}

  create-prs:
    permissions:
      contents: write
-      id-token: write
      pull-requests: write
    name: Create Release PR
    runs-on: ubuntu-latest
@@ -102,62 +64,55 @@ jobs:
      LATEST: ${{ inputs.latest }}
      DRY_RUN: ${{ inputs.dry_run }}
    steps:
-      - name: "Get vault secrets"
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      - name: Get release branch
+        id: branch
+        uses: grafana/grafana-github-actions-go/latest-release-branch@main # zizmor: ignore[unpinned-uses]
        with:
-          repo_secrets: |
-            GRAFANA_DELIVERY_BOT_APP_PEM=delivery-bot-app:PRIVATE_KEY
-      - name: Generate token
-        id: generate_changelog_token
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
-        with:
-          app_id: ${{ vars.DELIVERY_BOT_APP_ID }}
-          private_key: ${{ env.GRAFANA_DELIVERY_BOT_APP_PEM }}
-          repositories: "[\"grafana\", \"grafana-enterprise\"]"
-          permissions: "{\"contents\": \"write\", \"pull_requests\": \"write\", \"workflows\":\"write\"}"
-      - run: echo "RELEASE_BRANCH=release-${VERSION}" >> "$GITHUB_ENV"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ownerRepo: 'grafana/grafana'
+          pattern: ${{ inputs.target }}
      - name: Checkout Grafana
        uses: actions/checkout@v4
        with:
-          token: ${{ steps.generate_changelog_token.outputs.token }}
-          ref: ${{ env.RELEASE_BRANCH }}
+          ref: ${{ steps.branch.outputs.branch }}
          fetch-tags: true
-          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
      - name: Checkout Grafana (main)
        uses: actions/checkout@v4
        with:
-          token: ${{ steps.generate_changelog_token.outputs.token }}
          ref: main
          fetch-depth: '0'
+          fetch-tags: 'false'
          path: .grafana-main
-
+          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
      - name: Setup nodejs environment
        uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
-      - uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
      - name: Configure git user
        run: |
-          git config --local user.name "grafana-delivery-bot[bot]"
-          git config --local user.email "grafana-delivery-bot[bot]@users.noreply.github.com"
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "github-actions[bot]@users.noreply.github.com"
          git config --local --add --bool push.autoSetupRemote true

      - name: Create branch
-        run: git checkout -b "release/${{ github.run_number }}/$VERSION"
+        run: git checkout -b "release/${{ github.run_id }}/$VERSION"
+      - name: Generate changelog token
+        id: generate_changelog_token
+        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92
+        with:
+          app_id: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_ID }}
+          private_key: ${{ secrets.GRAFANA_DELIVERY_BOT_APP_PEM }}
      - name: Generate changelog
        id: changelog
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        uses: ./.grafana-main/.github/actions/changelog
        with:
-          previous: ${{inputs.previous_version}}
          github_token: ${{ steps.generate_changelog_token.outputs.token }}
          target: v${{ env.VERSION }}
          output_file: changelog_items.md
      - name: Patch CHANGELOG.md
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: |
          # Prepare CHANGELOG.md content with version delimiters
          (
@@ -189,44 +144,58 @@ jobs:

          git diff CHANGELOG.md
      - name: "Prettify CHANGELOG.md"
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: npx prettier --write CHANGELOG.md
      - name: Commit CHANGELOG.md changes
-        if: ${{ inputs.changelog == true || inputs.changelog == 'true' }}
        run: git add CHANGELOG.md && git commit --allow-empty -m "Update changelog" CHANGELOG.md
-      - name: Bump versions
-        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
-        uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
-        with:
-          version: 0.18.8
-          verb: run
-          args: go run -C .grafana-main ./pkg/build/actions/bump-version -version="patch"

-      - name: make gen-cue
-        shell: bash
-        run: make gen-cue
+      - name: Update package.json versions
+        uses: ./.grafana-main/pkg/build/actions/bump-version
+        with:
+          version: 'patch'
+
      - name: Add package.json changes
-        if: ${{ inputs.bump == true || inputs.bump == 'true' }}
        run: |
          git add package.json lerna.json yarn.lock packages public
          test -e e2e/test-plugins && git add e2e/test-plugins
          git commit -m "Update version to $VERSION"

      - name: Git push
-        run: git push
-      - name: Create PR
+        if: ${{ inputs.dry_run }} != true
+        run: git push --set-upstream origin "release/${{ github.run_id }}/$VERSION"
+
+      - name: Create PR without backports
+        if: "${{ inputs.backport == '' }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DRY_RUN: ${{ inputs.dry_run }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
        run: |
-          LATEST_FLAG=()
+          LATEST_FLAG=""
          if [ "$LATEST" = "true" ]; then
-            LATEST_FLAG=(-l "release/latest")
+            LATEST_FLAG='-l "release/latest"'
          fi
          gh pr create \
-            "${LATEST_FLAG[@]}" \
+            $LATEST_FLAG \
            -l "no-changelog" \
            --dry-run="$DRY_RUN" \
-            -B "${RELEASE_BRANCH}" \
+            -B "$BRANCH" \
+            --title "Release: $VERSION" \
+            --body "These code changes must be merged after a release is complete"
+
+      - name: Create PR with backports
+        if: "${{ inputs.backport != '' }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ steps.branch.outputs.branch }}
+        run: |
+          LATEST_FLAG=""
+          if [ "$LATEST" = "true" ]; then
+            LATEST_FLAG='-l "release/latest"'
+          fi
+          gh pr create \
+            $LATEST_FLAG \
+            -l "product-approved" \
+            -l "no-changelog" \
+            --dry-run="$DRY_RUN" \
+            -B "$BRANCH" \
            --title "Release: $VERSION" \
            --body "These code changes must be merged after a release is complete"
--- a/.github/workflows/relyance-scan.yml
+++ b/.github/workflows/relyance-scan.yml
@@ -1,33 +0,0 @@
-name: Relyance Compliance Inspection
-on:
-  schedule:
-    - cron: '0 0 * * *' # Run daily at 00:00 UTC
-  workflow_dispatch: # Allow for manual trigger
-
-jobs:
-  relyance-compliance-inspector:
-    permissions:
-      contents: read
-      id-token: write # Needed for Vault access
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-
-      - name: Get API key
-        id: vault-secrets
-        uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # get-vault-secrets-v1.2.0
-        with:
-          repo_secrets: |
-            API_KEY=relyance:API_KEY
-
-      - name: Run Relyance scan
-        env:
-          API_KEY: "${{ fromJSON(steps.vault-secrets.outputs.secrets).API_KEY }}"
-        run: |
-          docker pull gcr.io/relyance-ext/compliance_inspector:release && \
-          docker run --rm -v ${{ github.workspace }}:/repo --env "API_KEY=${{ env.API_KEY }}" gcr.io/relyance-ext/compliance_inspector:release
--- a/.github/workflows/run-dashboard-search-e2e.yml
+++ b/.github/workflows/run-dashboard-search-e2e.yml
@@ -2,7 +2,7 @@ name: run-dashboard-search-e2e

 on:
  workflow_run:
-    workflows:
+    workflows: 
      - trigger-dashboard-search-e2e
    types:
      - completed
@@ -36,11 +36,11 @@ jobs:
      - run: go version
      - uses: actions/setup-node@v4
        with:
-          node-version-file: '.nvmrc'
+          node-version: 20
          cache: 'yarn'
      - name: Cache Node Modules
        id: cache-node-modules
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: |
            node_modules
@@ -56,7 +56,7 @@ jobs:
          runTests: false
      - name: Cache Grafana Build and Dependencies
        id: cache-grafana
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: |
            bin/
@@ -74,11 +74,9 @@ jobs:

      - name: Get list of .ini files
        id: get_files
-        env:
-          WORKSPACE: ${{ github.workspace }}
        run: |
-          INI_FILES="$(find "$WORKSPACE"/e2e/dashboards-search-suite/ -type f -name '*.ini' | jq -R -s -c 'split("\n")[:-1]')"
-          echo "ini_files=$INI_FILES" >> "$GITHUB_OUTPUT"
+          INI_FILES=$(ls ${{ github.workspace }}/e2e/dashboards-search-suite/*.ini | jq -R -s -c 'split("\n")[:-1]')
+          echo "ini_files=$INI_FILES" >> $GITHUB_OUTPUT
        shell: bash

  run_tests:
@@ -97,10 +95,8 @@ jobs:
      steps:
        - name: Checkout repository
          uses: actions/checkout@v4
-          with:
-            persist-credentials: false
        - name: Restore Cached Node Modules
-          uses: actions/cache@v4
+          uses: actions/cache@v3
          with:
            path: |
              node_modules
@@ -108,7 +104,7 @@ jobs:
            key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}

        - name: Restore Cached Grafana Build and Dependencies
-          uses: actions/cache@v4
+          uses: actions/cache@v3
          with:
            path: |
              bin/
@@ -124,12 +120,11 @@ jobs:
          env:
            INI_NAME: ${{ matrix.ini_file }}
          run: |
-            FILE_NAME="$(basename "$INI_NAME" .ini)"
-            echo "FILE_NAME=$FILE_NAME" >> "$GITHUB_OUTPUT"
+            FILE_NAME=$(basename "$env.INI_NAME" .ini)
+            echo "FILE_NAME=$FILE_NAME" >> $GITHUB_OUTPUT
        - name: Run tests for ${{ steps.set_file_name.outputs.FILE_NAME }}
          env:
            INI_NAME: ${{ matrix.ini_file }}
-            WORKSPACE: ${{ github.workspace }}
          run: |
-            cp -rf "$INI_NAME" "$WORKSPACE"/scripts/grafana-server/custom.ini
+            cp -rf $INI_NAME ${{ github.workspace }}/scripts/grafana-server/custom.ini
            yarn e2e:dashboards-search || echo "Test failed but marking as success since unified search is behind a feature flag and should not block PRs"
--- a/.github/workflows/run-e2e-suite.yml
+++ b/.github/workflows/run-e2e-suite.yml
@@ -0,0 +1,39 @@
+name: e2e suite
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        type: string
+        required: true
+      suite:
+        type: string
+        required: true
+
+jobs:
+  main:
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: ${{ inputs.package }}
+      - uses: dagger/dagger-for-github@e47aba410ef9bb9ed81a4d2a97df31061e5e842e
+        with:
+          verb: run
+          args: go run ./pkg/build/e2e --package=grafana.tar.gz --suite=${{ inputs.suite }}
+      - name: Set suite name
+        id: set-suite-name
+        if: always()
+        env:
+          SUITE: ${{ inputs.suite }}
+        run: |
+          echo "suite=$(echo $SUITE | sed 's/\//-/g')" >> $GITHUB_OUTPUT
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: e2e-${{ steps.set-suite-name.outputs.suite }}-${{github.run_number}}
+          path: videos
+          retention-days: 1
--- a/.github/workflows/run-schema-v2-e2e.yml
+++ b/.github/workflows/run-schema-v2-e2e.yml
@@ -4,10 +4,9 @@ on:
  push:
    branches:
      - main
-      - release-*.*.*
  pull_request:
    branches:
-      - '**'
+      - '**' 

 env:
  ARCH: linux-amd64
@@ -29,7 +28,7 @@ jobs:
      - run: go version
      - uses: actions/setup-node@v4
        with:
-          node-version-file: '.nvmrc'
+          node-version: 20
          cache: 'yarn'
      - name: Install dependencies
        run: yarn install --immutable
@@ -41,7 +40,7 @@ jobs:
          runTests: false
      - name: Run dashboard scenes e2e
        run: yarn e2e:schema-v2 || echo "Test failed but marking as success since schema V2 is behind a feature flag and should not block PRs"
-
+      
      - name: Always succeed # This is a workaround to make the job pass even if the previous step fails
        if: failure()
        run: exit 0
--- a/.github/workflows/scripts/crowdin/create-tasks.js
+++ b/.github/workflows/scripts/crowdin/create-tasks.js
@@ -0,0 +1,84 @@
+const crowdin = require('@crowdin/crowdin-api-client');
+const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
+
+const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
+if (!API_TOKEN) {
+  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
+  process.exit(1);
+}
+
+const PROJECT_ID = process.env.CROWDIN_PROJECT_ID;
+if (!PROJECT_ID) {
+  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
+  process.exit(1);
+}
+
+const { tasksApi, projectsGroupsApi, sourceFilesApi } = new crowdin.default({
+  token: API_TOKEN,
+  organization: 'grafana'
+});
+
+const languages = await getLanguages();
+const fileIds = await getFileIds();
+console.log('Languages: ', languages);
+console.log('File IDs: ', fileIds);
+
+// for (const language of languages) {
+//   const { name, id } = language;
+//   await createTask(`Translate to ${name}`, id, fileIds);
+// }
+
+async function getLanguages() {
+  try {
+    const project = await projectsGroupsApi.getProject(PROJECT_ID);
+    const languages = project.data.targetLanguages;
+    return languages;
+  } catch (error) {
+    console.error('Failed to fetch languages: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function getFileIds() {
+  try {
+    const response = await sourceFilesApi.listProjectFiles(PROJECT_ID);
+    const files = response.data;
+    const fileIds = files.map(file => file.data.id);
+    return fileIds;
+  } catch (error) {
+    console.error('Failed to fetch file IDs: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
+
+async function createTask(title, languageId, fileIds) {
+  try {
+    const taskParams = {
+      title,
+      description: TRANSLATED_CONNECTOR_DESCRIPTION,
+      languageId,
+      type: 2, // Translation by vendor
+      workflowStepId: 78, // Translation step ID
+      skipAssignedStrings: true,
+      fileIds,
+    };
+
+    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
+
+    const response = await tasksApi.addTask(PROJECT_ID, taskParams);
+    console.log(`Task created successfully! Task ID: ${response.data.id}`);
+    return response.data;
+  } catch (error) {
+    console.error('Failed to create Crowdin task: ', error.message);
+    if (error.response && error.response.data) {
+      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
+    }
+    process.exit(1);
+  }
+}
--- a/.github/workflows/scripts/crowdin/create-tasks.ts
+++ b/.github/workflows/scripts/crowdin/create-tasks.ts
@@ -1,110 +0,0 @@
-import crowdinImport from '@crowdin/crowdin-api-client';
-const TRANSLATED_CONNECTOR_DESCRIPTION = '{{tos_service_type: premium}}';
-const TRANSLATE_BY_VENDOR_WORKFLOW_TYPE = 'TranslateByVendor'
-
-// TODO Remove this type assertion when https://github.com/crowdin/crowdin-api-client-js/issues/508 is fixed
-// @ts-expect-error
-const crowdin = crowdinImport.default as typeof crowdinImport;
-
-const API_TOKEN = process.env.CROWDIN_PERSONAL_TOKEN;
-if (!API_TOKEN) {
-  console.error('Error: CROWDIN_PERSONAL_TOKEN environment variable is not set');
-  process.exit(1);
-}
-
-const PROJECT_ID = process.env.CROWDIN_PROJECT_ID ? parseInt(process.env.CROWDIN_PROJECT_ID, 10) : undefined;
-if (!PROJECT_ID) {
-  console.error('Error: CROWDIN_PROJECT_ID environment variable is not set');
-  process.exit(1);
-}
-
-const credentials = {
-  token: API_TOKEN,
-  organization: 'grafana'
-};
-
-const { tasksApi, projectsGroupsApi, sourceFilesApi, workflowsApi } = new crowdin(credentials);
-
-const languages = await getLanguages(PROJECT_ID);
-const fileIds = await getFileIds(PROJECT_ID);
-const workflowStepId = await getWorkflowStepId(PROJECT_ID);
-
-for (const language of languages) {
-  const { name, id } = language;
-  await createTask(PROJECT_ID, `Translate to ${name}`, id, fileIds, workflowStepId);
-}
-
-async function getLanguages(projectId: number) {
-  try {
-    const project = await projectsGroupsApi.getProject(projectId);
-    const languages = project.data.targetLanguages;
-    console.log('Fetched languages successfully!');
-    return languages;
-  } catch (error) {
-    console.error('Failed to fetch languages: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getFileIds(projectId: number) {
-  try {
-    const response = await sourceFilesApi.listProjectFiles(projectId);
-    const files = response.data;
-    const fileIds = files.map(file => file.data.id);
-    console.log('Fetched file ids successfully!');
-    return fileIds;
-  } catch (error) {
-    console.error('Failed to fetch file IDs: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function getWorkflowStepId(projectId: number) {
-  try {
-    const response = await workflowsApi.listWorkflowSteps(projectId);
-    const workflowSteps = response.data;
-    const workflowStepId = workflowSteps.find(step => step.data.type === TRANSLATE_BY_VENDOR_WORKFLOW_TYPE)?.data.id;
-    if (!workflowStepId) {
-      throw new Error(`Workflow step with type "${TRANSLATE_BY_VENDOR_WORKFLOW_TYPE}" not found`);
-    }
-    console.log('Fetched workflow step ID successfully!');
-    return workflowStepId;
-  } catch (error) {
-    console.error('Failed to fetch workflow step ID: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
-
-async function createTask(projectId: number, title: string, languageId: string, fileIds: number[], workflowStepId: number) {
-  try {
-    const taskParams = {
-      title,
-      description: TRANSLATED_CONNECTOR_DESCRIPTION,
-      languageId,
-      workflowStepId,
-      skipAssignedStrings: true,
-      fileIds,
-    };
-
-    console.log(`Creating Crowdin task: "${title}" for language ${languageId}`);
-
-    const response = await tasksApi.addTask(projectId, taskParams);
-    console.log(`Task created successfully! Task ID: ${response.data.id}`);
-    return response.data;
-  } catch (error) {
-    console.error('Failed to create Crowdin task: ', error.message);
-    if (error.response && error.response.data) {
-      console.error('Error details: ', JSON.stringify(error.response.data, null, 2));
-    }
-    process.exit(1);
-  }
-}
--- a/.github/workflows/scripts/determine-npm-tag.sh
+++ b/.github/workflows/scripts/determine-npm-tag.sh
@@ -1,66 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-fail() { echo "Error: $*" >&2; exit 1; }
-
-# Ensure required variables are set
-if [[ -z "${REFERENCE_PKG}" || -z "${VERSION_TYPE}" || -z "${VERSION}" ]]; then
-  fail "Missing required environment variables: REFERENCE_PKG, VERSION_TYPE, VERSION"
-fi
-
-semver_cmp () {
-  IFS='.' read -r -a arr_a <<< "$1"
-  IFS='.' read -r -a arr_b <<< "$2"
-
-  for i in 0 1 2; do
-    local aa=${arr_a[i]:-0}
-    local bb=${arr_b[i]:-0}
-    # shellcheck disable=SC2004
-    if (( 10#$aa > 10#$bb )); then echo gt; return 0; fi
-    if (( 10#$aa < 10#$bb )); then echo lt; return 0; fi
-  done
-
-  echo "eq"
-}
-
-
-STABLE_REGEX='^([0-9]+)\.([0-9]+)\.([0-9]+)$'       # x.y.z
-PRE_REGEX='^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+)$' # x.y.z-123456
-
-# Validate that the VERSION matches VERSION_TYPE
-# - stable must be x.y.z
-# - nightly/canary must be x.y.z-123456
-case "$VERSION_TYPE" in
-  stable)
-    [[ $VERSION =~ $STABLE_REGEX ]] || fail "For 'stable', version must match x.y.z" ;;
-  nightly|canary)
-    [[ $VERSION =~ $PRE_REGEX   ]] || fail "For '$VERSION_TYPE', version must match x.y.z-123456" ;;
-  *)
-    fail "Unknown version_type '$VERSION_TYPE'" ;;
-esac
-
-# Extract major, minor from VERSION
-IFS=.- read -r major minor patch _ <<< "$VERSION"
-
-# Determine NPM tag
-case "$VERSION_TYPE" in
-  canary)  TAG="canary" ;;
-  nightly) TAG="nightly" ;;
-  stable)
-    # Use npm dist-tag "latest" as the reference
-    LATEST="$(npm view --silent "$REFERENCE_PKG" dist-tags.latest 2>/dev/null || true)"
-    echo "Latest for $REFERENCE_PKG is ${LATEST:-<none>}" >&2
-
-    if [[ -z ${LATEST:-} ]]; then
-      TAG="latest"  # first ever publish
-    else
-      case "$(semver_cmp "$VERSION" "$LATEST")" in
-        gt)    TAG="latest" ;;                      # newer than reference -> latest
-        lt|eq) TAG="v${major}.${minor}-latest" ;;   # older or equal -> vX.Y-latest
-      esac
-    fi
-    ;;
-esac
-
-echo "Resolved NPM_TAG=$TAG (VERSION=$VERSION, current latest=${LATEST:-none})"  1>&2 # stderr
-printf '%s' "$TAG"
--- a/.github/workflows/scripts/validate-commit-in-head.sh
+++ b/.github/workflows/scripts/validate-commit-in-head.sh
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if [[ -z "${GIT_COMMIT:-}" ]]; then
-  echo "Error: Environment variable GIT_COMMIT is required"
-  exit 1
-fi
-
-if git merge-base --is-ancestor "$GIT_COMMIT" HEAD; then
-  echo "Commit $GIT_COMMIT is contained in HEAD"
-else
-  echo "Error: Commit $GIT_COMMIT is not contained in HEAD"
-  exit 1
-fi
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,29 +0,0 @@
-name: Shellcheck
-
-on:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  shellcheck:
-    name: Shellcheck scripts
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # clone the repository
-
-    steps:
-      - name: Clone repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Run Shellcheck
-        run: find scripts/ -name '*.sh' -type f -exec shellcheck -e SC1071 -e SC2162 '{}' +
--- a/.github/workflows/skye-add-to-project.yml
+++ b/.github/workflows/skye-add-to-project.yml
@@ -1,15 +1,15 @@
-name: Add issues to Skye project board
+name: Add issues and PRs to Skye project board
 on:
  workflow_dispatch:
    inputs:
      manual_issue_number:
-        description: 'Issue to add to project'
+        description: 'Issue/PR number to add to project'
        required: false
        type: number
-  # Ideally we could trigger this for PRs as well, but getting the secrets on that is tricky
-  # so we just won't bother for now
  issues:
    types: [opened]
+  pull_request:
+    types: [opened]

 permissions:
  contents: read
@@ -47,16 +47,26 @@ jobs:
          app_id: ${{ env.GH_APP_ID }}
          private_key: ${{ env.GH_APP_PEM }}

-      # We do the check in the Github Actions expression and then export it to the output
-      # to reuse it
+      # Check if the user is in the list from the secret
      - name: Check if user is allowed
        id: check_user
        env:
-          USER_IS_ALLOWED: ${{ contains(fromJSON(env.ALLOWED_USERS), github.event.sender.login) }}
+          ALLOWED_USERS: ${{ env.ALLOWED_USERS }}
+          USERNAME: ${{ github.event.sender.login }}
        run: |
-          echo "user_allowed=${USER_IS_ALLOWED}" >> "$GITHUB_OUTPUT"
+          # Convert the comma-separated list to an array
+          IFS=',' read -ra ALLOWED_USERS <<< "$ALLOWED_USERS"

-      # Convert the issue to a node ID for the GraphQL API
+          # Check if user is in the allowed list
+          for allowed_user in "${ALLOWED_USERS[@]}"; do
+            if [ "$allowed_user" = "$USERNAME" ]; then
+              echo "user_allowed=true" >> $GITHUB_OUTPUT
+              exit 0
+            fi
+          done
+          echo "user_allowed=false" >> $GITHUB_OUTPUT
+
+      # Convert the issue/PR number to a node ID for the GraphQL API
      - name: Get node ID for item
        if: steps.check_user.outputs.user_allowed == 'true'
        id: get_node_id
@@ -78,7 +88,7 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

-      # Finally, add the issue to the project board
+      # Finally, add the issue/PR to the project board
      - name: Add to project board
        if: steps.check_user.outputs.user_allowed == 'true'
        uses: octokit/graphql-action@51bf543c240dcd14761320e2efc625dc32ec0d32
--- a/.github/workflows/storybook-verification.yml
+++ b/.github/workflows/storybook-verification.yml
@@ -14,30 +14,26 @@ on:
      - '!docs/**'
      - '!*.md'

-permissions: {}
-
 jobs:
  verify-storybook:
    name: Verify Storybook
    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-
+    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
-
+      
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
-          node-version-file: '.nvmrc'
+          node-version-file: 'package.json'
          cache: 'yarn'
-
+      
      - name: Install dependencies
        run: yarn install --immutable
-
+      
      - name: Run Storybook and E2E tests
        uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f
        with:
--- a/.github/workflows/swagger-gen.yml
+++ b/.github/workflows/swagger-gen.yml
@@ -1,51 +0,0 @@
-name: Swagger generated code
-
-on:
-  push:
-    branches:
-      - main
-      - release-*.*.*
-  pull_request:
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  verify:
-    name: Verify committed API specs match
-    runs-on: ubuntu-latest
-    if: ${{ github.repository == 'grafana/grafana' }}
-    permissions:
-      contents: read # clone the repository
-      id-token: write # required for Vault access
-    steps:
-      # Set up repository clone
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-      - name: Setup Enterprise
-        if: ${{ github.event.pull_request.head.repo.fork == false }}
-        uses: ./.github/actions/setup-enterprise
-        with:
-          github-app-name: 'grafana-ci-bot'
-
-      - name: Generate Swagger specs
-        run: make swagger-clean && make openapi3-gen
-      - name: Check for changes
-        run: |
-          git add -f public/api-merged.json public/openapi3.json
-          if [ -z "$(git diff --name-only --cached)" ]; then
-            echo "No changes detected in API specs."
-          else
-            echo "Changes detected in API specs. Please review the changes."
-            echo "You can regenerate them locally with: make swagger-clean && make openapi3-gen"
-            exit 1
-          fi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
github-actions[bot]	436269848d	Release: 12.0.2+security-01 (#108267 ) * Update changelog * Update version to 12.0.2+security-01 * Update CHANGELOG.md --------- Co-authored-by: grafana-delivery-bot[bot] <grafana-delivery-bot[bot]@users.noreply.github.com> Co-authored-by: Yuri Tseretyan <yuriy.tseretyan@grafana.com>	2025-07-17 15:13:05 -04:00
Serge Zaitsev	76ea754dbb	apply 444-202506261140 manually	2025-07-02 17:42:20 +02:00
github-actions[bot]	72f54b2cd9	apply security patch: release-12.0.2/438-202505231907.patch	2025-06-17 15:38:51 +00:00