grafana

Commit Graph

Author	SHA1	Message	Date
Andres Martinez Gotor	8dbe15c974	Advisor: Explicitly skip health checks for frontend-only datasources (#124125 )	3 days ago
Roberto Jiménez Sánchez	b262acddf7	Provisioning: Negotiate receive-pack capabilities for git pushes (#124122 ) Some GitLab servers wrap receive-pack responses in side-band-64k, which caused pushes that the server actually rejected (e.g. pre-receive hook declined) to surface as silent success. Enabling nanogit's capability negotiation makes the client advertise only the intersection with what the server announces, avoiding the wrapping path on those servers and keeping the default set on servers that already advertise it. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	3 days ago
Roberto Jiménez Sánchez	7577cb2ec2	Provisioning: Honor ruleset bypass for write workflow validation (#123893 ) GetRulesets returned a hard block whenever a branch had any active pull_request rule, even when the configured GitHub App was in the parent ruleset's bypass_actors with bypass_mode=always. Direct push actually succeeds at runtime in that case, so the preflight produced a false positive that blocked legitimate Repository configurations. Fetch each unique parent ruleset and consult CurrentUserCanBypass; GitHub evaluates the bypass match server-side for the calling actor, so we don't need the App installation ID. Treat only "always" and "exempt" as non-blocking — "pull_request" only bypasses on PR merge. Fail-closed when the parent fetch errors so configs that would fail at push time don't silently save. Fixes #123877 Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	3 days ago
Roberto Jiménez Sánchez	f2e88be480	Provisioning: Bump nanogit to v0.17.0 to fix pushes with repositories using git modules (#124114 ) Bump nanogit v0.17.0	3 days ago
Daniele Stefano Ferru	48dec119ef	Provisioning: Scope repository uniqueness by (URL, branch, path) (#123498 ) * fix(FD-009): reject duplicate repos with empty paths and scope uniqueness by branch The Repository admission validator had two related defects in the (URL, path) identity-key logic: 1. Two Repositories with the same URL and both paths empty were admitted as non-duplicates, even though empty path means "repository root" — the worst case of overlap. 2. Branch was not part of the identity key, so two Repositories pointing at the same URL and path but different branches were incorrectly rejected as duplicates. The fix changes the identity rule to (URL, branch, path) with literal equality on all three components. The empty-path exception is removed. Closes grafana/git-ui-sync-project#1080 Closes grafana/git-ui-sync-project#1081 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * different approach * updating integration tests * simplifying changes * further simplifying changeS * re-adding useful comments * updating integration test * updating integration test --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	3 days ago
Moustafa Baiou	251785ed66	chore(deps): update grafana-app-sdk to v0.54.1 (#124079 ) One notable issue is the removal of the "spec.datasource.name" field selector in the correlations app, which was previously used for filtering correlations based on the datasource name. This field selector has been removed in favor of "spec.source.name". To maintain backward compatibility, the code still checks for "spec.datasource.name" in the legacy storage implementation, but it is no longer included in the selectable fields in the schema. The selector wasn't properly working for unified storage anyways and the selectable field wasn't parsed properly. The new app-sdk code throws an error now when generating invalid paths, so it needed to be updated.	3 days ago
Andres Martinez Gotor	bd6a01bb88	Advisor: Add healthchecker init function (#123620 )	4 days ago
Mariell Hoversholm	ad78fa01f4	fix: module is now fully tidy (#124024 ) * fix: module is now fully tidy * fix: update enterprise_imports * fix: make update-workspace * fix: own the code * fix: update CI check to check for enterprise imports * fix: own dependencies	4 days ago
Misi	c0166d8471	IAM: Use continue/limit pagination for /users/{name}/teams (#123921 ) * Use continue/limit pagination for /user/{name}/teams * IAM: Address review feedback on user/{name}/teams keyset pagination - Revert flag rename in user-teams handler (keep FlagKubernetesTeamBindings) - URL-escape the continue token in OSS integration test helper so base64 tokens survive the query-string round-trip - Document the SortFields contract on the legacy search adapter * IAM: Address review feedback on user/{name}/teams keyset pagination - Document URL-encoding requirement for the continue query param in OpenAPI - Clarify legacy adapter cost is O(N) per page (N = membership count, not bounded by MaxListLimit) - Add unit test locking the SortFields[0] == Key.Name continue-token contract - Surface continue-token decode errors via span and HTTP body - Span attribute records the cursor (search_after) instead of just a bool - Drop redundant ListMeta selector on GetUserTeamsResponse access (staticcheck QF1008)	4 days ago
Paul Marbach	2d3ddde174	DataLinks: Nested scope handling (#123937 ) * DataLinks: Nested scope handling * e2e: test the datalink interpolation for nested and non-nested * prettier	7 days ago
dependabot[bot]	8885d14a54	deps(go): bump go.opentelemetry.io/collector/pdata from 1.56.0 to 1.57.0 in the go-opentelemetry-io group across 1 directory (#123942 ) * deps(go): bump go.opentelemetry.io/collector/pdata Bumps the go-opentelemetry-io group with 1 update in the / directory: [go.opentelemetry.io/collector/pdata](https://github.com/open-telemetry/opentelemetry-collector). Updates `go.opentelemetry.io/collector/pdata` from 1.56.0 to 1.57.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-collector/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-collector/blob/main/CHANGELOG-API.md) - [Commits](https://github.com/open-telemetry/opentelemetry-collector/compare/pdata/v1.56.0...pdata/v1.57.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/collector/pdata dependency-version: 1.57.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-opentelemetry-io ... Signed-off-by: dependabot[bot] <support@github.com> * update --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com>	1 week ago
dependabot[bot]	07de1c5f05	deps(go): bump the grafana-app-sdk group across 17 directories with 1 update (#123943 ) Bumps the grafana-app-sdk group with 1 update in the / directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/advisor directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/alerting/historian directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/alerting/notifications directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/alerting/rules directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/annotation directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/correlations directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/dashboard directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/dashvalidator directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/example directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/logsdrilldown directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/plugins directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/provisioning directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/quotas directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /apps/shorturl directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /pkg/apiserver directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Bumps the grafana-app-sdk group with 1 update in the /pkg/storage/unified/resource/kv directory: [github.com/grafana/grafana-app-sdk/logging](https://github.com/grafana/grafana-app-sdk). Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) Updates `github.com/grafana/grafana-app-sdk/logging` from 0.53.2 to 0.54.0 - [Release notes](https://github.com/grafana/grafana-app-sdk/releases) - [Commits](https://github.com/grafana/grafana-app-sdk/compare/v0.53.2...v0.54.0) --- updated-dependencies: - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk - dependency-name: github.com/grafana/grafana-app-sdk/logging dependency-version: 0.54.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: grafana-app-sdk ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	1 week ago
owensmallwood	688763699a	Unified Storage: Vector storage adds embedders for gcp and aws (#123840 ) * Unified Storage: extract dashboard embeddings * adds embedders for gcp and aws. First pass. * adds some temp integration tests to test the client implementations work against their respective model providers. Pad vertexAI vectors since theyre 768 and we store 1024. Adds some more tests for the padding and batching. * remove unused truncation code * make update-workspace * fix go mod dep owner * fix edgecase with batch process * go work sync * make update-workspace * format go mod and assign owner to dep * make update-workspace	1 week ago
Alejandro	e2a864d98f	Provisioning: Surface cross-manager folder conflicts as warnings (#123934 ) Mirrors the depth-exceeded handling from #123726 for the case where a target folder is already managed by a different manager (another repo, plugin, etc.). Returning a typed FolderManagedByOtherError lets the sync job classify it as a user warning so the queue does not retry the unrecoverable conflict. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	1 week ago
Paul Marbach	59f12d21dc	Barchart: Reuse existing panels for the e2es (#123421 ) * BarChart: add e2e tests for render, no-data, tooltips, legend, and data links Closes #112986 * BarChart: update golden checksums for barchart_tests dashboard * BarChart: restore eslint-suppressions.json to main state * BarChart: regenerate dev-dashboards.libsonnet to include barchart_tests * BarChart: add e2e tests for panel options (show values, stacking, full highlight, orientation) * BarChart: update golden checksum for barchart_tests with panels 7-9 * BarChart: extract uPlot center position helper to reduce duplication * BarChart: fix stacking toggle comment to match UI label (Off not None) * BarChart: restore eslint-suppressions.json to main state * reuse existing panels for the e2es * delete the newly added dashboard * make gen-jsonnet --------- Co-authored-by: Brian Gann <bkgann@gmail.com>	1 week ago
Will Assis	1f3ddefe10	unified-storage: create resourcepb standalone module (#123912 )	1 week ago
ismail simsek	3aafdaaf67	Chore: Bump promlib v0.0.11 (#123736 ) * bump promlib v0.0.11 and fix other dependency issues along the way * remove memcache pin and run make update-workspace * fix compile errors * pin apimachinery to v0.35.3 * make update-workspace * run gofmt * proper tidy each module + bump azure * also need to bump tempo * fix test * fix tempo test * handle omitzero since labels became a new type * more fixes to tests and linter * fix conflicts * merge main --------- Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com>	1 week ago
Ezequiel Victorero	0dd60fda62	Snapshots: Add public mode and external token support to snapshot MT k8s api (#120619 )	1 week ago
Roberto Jiménez Sánchez	fec689329e	Provisioning: Add selective resource migration via Resources field (#123890 ) * Provisioning: Add selective resource migration via Resources field Mirrors the selective Export support (#123381) for the Migrate job: MigrateJobOptions now accepts a Resources []ResourceRef list. When empty the legacy "migrate everything" behavior is preserved; when non-empty the inner Export pushes only the listed dashboards (folder hierarchy is still emitted). For instance-target repos we skip the namespace cleanup phase in selective mode, since deleting every other unmanaged resource would be destructive when the user only asked to take over specific dashboards. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Add MigrateJobOptions.Resources to OpenAPI violation exceptions The codegen check expected the new slice field to be listed alongside the other list_type_missing entries (DeleteJobOptions.Resources, ExportJobOptions.Resources, MoveJobOptions.Resources, etc.). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
Roberto Jiménez Sánchez	a4faa7f6bd	Provisioning: Per-verb fallback for the files subresource (#123867 ) The files connector handles GET/POST/PUT/DELETE in a single place but was wired with a single static fallback role (accessWithAdmin), so any role fallback was wrong for at least one verb family — reads should fall back to Viewer, writes to Editor; an Admin-only fallback over-restricts both. Introduce auth.NewVerbAwareAccessChecker(read, write AccessChecker) which dispatches Check by req.Verb (get/list/watch -> read, everything else -> write), and compose accessWithViewer + accessWithEditor for the files connector. Inner checkers retain their fallback configuration; the wrapper's WithFallbackRole is intentionally a no-op (per-verb fallbacks are decided at construction). This does not by itself resolve the customer regression where MT-side authz denies dashboards:create for Editors on non-General folders — that denial originates in the MT authz service and the role fallback is a no-op in token mode regardless. Filed separately for the I&A team. This PR removes the static-fallback-role footgun on the files connector so the eventual MT fix surfaces correctly here. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
Roberto Jiménez Sánchez	b3784aac27	Provisioning: Retry SQLITE_BUSY on repository status patch (#123873 ) Provisioning: Retry SQLITE_BUSY on repo status patch The repository status patcher only retried K8s optimistic-concurrency conflicts. When the unified storage SQL backend bubbles a transient SQLITE_BUSY through the apiserver (as a 500 InternalError carrying the "database is locked"/"SQLITE_BUSY" text), the patch failed instead of retrying. This surfaced as flakes such as TestIntegrationProvisioning_FullSync_FolderMetadataTitle on the SQLite shards. Switch to retry.OnError with a predicate that retries both K8s conflicts and SQLite lock contention, and add a unit test for the new path. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
dependabot[bot]	43d601a8f6	deps(go): bump the k8s-io group across 2 directories with 3 updates (#123865 ) * deps(go): bump the k8s-io group across 2 directories with 3 updates Bumps the k8s-io group with 1 update in the / directory: [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator). Bumps the k8s-io group with 1 update in the /hack directory: [k8s.io/code-generator](https://github.com/kubernetes/code-generator). Updates `k8s.io/kube-aggregator` from 0.35.0 to 0.36.0 - [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.35.0...v0.36.0) Updates `k8s.io/code-generator` from 0.35.0 to 0.36.0 - [Commits](https://github.com/kubernetes/code-generator/compare/v0.35.0...v0.36.0) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) Updates `k8s.io/kube-openapi` from 0.0.0-20260127142750-a19766b6e2d4 to 0.0.0-20260317180543-43fb72c5454a - [Commits](https://github.com/kubernetes/kube-openapi/commits) --- updated-dependencies: - dependency-name: k8s.io/kube-aggregator dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/code-generator dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io - dependency-name: k8s.io/kube-openapi dependency-version: 0.0.0-20260317180543-43fb72c5454a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-io ... Signed-off-by: dependabot[bot] <support@github.com> * update codegen * update codegen --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ryan McKinley <ryantxu@gmail.com>	1 week ago
Roberto Jiménez Sánchez	84a727b1f0	Provisioning: Surface folder uid-too-long and other validation 4xx as sync warnings (#123797 ) * Provisioning: Surface folder uid-too-long as a sync warning When the folder API rejects a write because the UID exceeds 40 characters, provisioning treats it as a retryable hard error today and the sync job is requeued every 5 minutes — the same retry-loop bug that #123726 fixed for max-depth violations, just for a different validation rule. Path-derived UIDs always fit (resources.appendHashSuffix truncates to 40), so the rejection only fires when _folder.json declares a stable UID over the limit; the user must fix the repository, not wait for a retry. Mirror the FolderDepthExceeded pattern: ErrFolderUIDTooLong sentinel, FolderUIDTooLongError type, IsFolderUIDTooLongAPIError matcher (sentinel + Status.Details.UID == "folder.uid-too-long" + substring fallback for the pre-fix legacy 500 form and the post-fix bracketed message-id form). EnsureFolderExists wraps the rejection on both Create and Update/move paths. classifyWarning maps it to the new ReasonFolderUIDTooLong, so the sync surfaces as a warning instead of an error and downstream resources under the offending folder are short-circuited via the existing failedCreations machinery. Integration test in pkg/tests/apis/provisioning/foldermetadata/ (env has folder metadata enabled) writes _folder.json with a 41-char UID, runs a pull job, asserts JobStateWarning, no errors, exactly one uid-too-long warning, the dashboard under the bad folder is silently skipped, the shallow folder still gets created, condition reason is CompletedWithWarnings, and a re-run reproduces the same warning state without state corruption. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Surface generic folder validation 4xx as a sync warning Extends the depth-exceeded and uid-too-long handling to cover any folder-API validation rejection the more specific matchers don't claim (illegal-uid-chars, reserved-uid, future folder validations). Same retry-loop bug, same fix shape: typed warning, generic reason. resources.IsFolderValidationAPIError matches anything a depth or uid-too-long check would catch, plus any K8s StatusError whose code is 400 and whose Status.Details.UID has the "folder." messageID prefix. That covers every existing folder errutil sentinel post-#123709 and any new ones that follow the same pattern. Restricted to 400 (not all 4xx) so 401/403/404 stay in their existing ResourceOwnership/Unmanaged conflict territory; restricted to known message IDs so unknown 400s (likely caller bugs) keep surfacing as errors we can debug. EnsureFolderExists wraps the rejection on both Create and Update/move paths after the more specific depth/uid-too-long checks. classifyWarning maps it to the new ReasonFolderValidationFailed; the order of cases guarantees the more specific reasons (FolderDepthExceeded, FolderUIDTooLong) win when they apply. apierrors.ToFolderStatusError now preserves the structured Details (messageID) when the underlying error is an errutil.Error. Without this the JSON-only conversion stripped Status.Details.UID and the structured matcher above could only catch errors via the legacy substring path. This is also the path the folder_storage Create handler sends every admission rejection through. Integration test (folder metadata env): writes a _folder.json with an illegal-chars UID, asserts JobStateWarning, exactly one validation warning, no errors, the dashboard under the bad folder is silently skipped, the shallow folder still gets created, and re-runs reproduce the same warning state. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Allow-list folder validation message IDs (review fixes) Codex flagged a P1 on the previous commit: matching every "folder." message ID treats folder.ErrBadRequest ("folder.bad-request") — a 400 errutil error raised on internal/programmer faults like a missing signed-in user — as a non-fatal warning. That silently downgrades real provisioning bugs to "CompletedWithWarnings". Switch IsFolderValidationAPIError from a "folder." prefix match to an explicit allow-list of nine known user-fixable validation message IDs: title-empty, invalid-uid, invalid-uid-chars, uid-too-long, cannot-be-parent-of-itself, maximum-depth-reached, cannot-be-moved-to-k6, name-exists, circular-reference. Future folder. errutil errors must be added to the allow-list explicitly after the team confirms the failure is user-fixable; defaulting to "warning" for the unknown is the wrong policy. Tests pin all three properties: allow-list IDs match, folder.bad-request does not match, and an unknown "folder.future-..." ID does not match. Also addresses Copilot review nits: - errors.go matcher comment referenced #123709 instead of #123843. - folders.go Create-path comment claimed a path-derived UID could overflow; appendHashSuffix always truncates to <=40, so the comment now correctly attributes the rejection to user-supplied UID sources (_folder.json today, future external sources tomorrow). - folders_test.go test comment described exercising both pre-fix 500 and post-fix 400 forms; the stub only returns BadRequest, so the comment now reflects what the test actually does (the legacy 500-form is covered by IsFolderUIDTooLongAPIError's substring fallbacks in errors_test.go instead). - Both integration tests had a `for _, e := range jobObj.Status.Errors` loop after `require.Empty(t, jobObj.Status.Errors)` — dead code. Dropped both loops; require.Empty already covers the assertion. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
Dominik Prokop	9aafc68be1	Dashboards: Tighten panel ID types in v2 schema to integers (#123139 ) * Dashboards: Tighten panel ID types in v2 schema to integers Change `PanelSpec.id`, `LibraryPanelKindSpec.id`, and `AnnotationPanelFilter.ids` from CUE `number`/`uint32` to `uint16` across v2alpha1, v2beta1, and v2. Why: kube-openapi maps `uint32` to `format: int64`, and CUE `number` to `type: number, format: double`. Consumer codegens that follow the int64-as-string convention (to avoid JS precision loss past 2^53) then serialise panel IDs as strings, breaking wire compatibility with Grafana's typed Go decoders. Panel IDs are integers in practice and always have been; `uint16` narrows the advertised range to match reality and renders cleanly as `format: int32` in OpenAPI. Fixes grafana/hyperion-planning#588. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Dashboards: Widen v2 panel ID types from uint16 to int32 & >=0 uint16 caps panel IDs at 65,535. Fine for UI-created dashboards, but dashboards-as-code (Terraform, jsonnet, k8s controllers) can emit timestamps or arbitrary numerics as IDs. The v1 -> v2alpha1 converter then silently drops those. uint16 also leaves a contract mismatch: CUE uint16 emits format: int32 in OpenAPI, so the wire spec advertises int32 range while the Go decoder rejects anything > 65535. Same class of loose-contract bug as the original int64-with-string issue, just inverted. int32 & >=0 emits the same OpenAPI shape (format: int32, no string coercion), widens the range to ~2.1B, and aligns the Go runtime exactly with the wire. Migration silent-drop path tightened to MaxInt32 -- unreachable in practice. Per @kristinademeshchik's review on the original PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Dashboards: regen v2 OpenAPI snapshots and gofmt codegen Two CI-driven fixups for the int32 schema change: - OpenAPI v2 stable: regenerate dashboard.grafana.app-v2.json (snapshot + package mirror). Previous commit only updated the v2alpha1 / v2beta1 specs because the wrong gen entrypoint was used; CI's "Verify OpenAPI specs" caught the v2 stable drift. - gofmt: drop stray blank lines from v0alpha1 / v1 dashboard_object_gen.go. They were introduced by running `make generate` from apps/dashboard instead of the canonical `make gen-apps` from repo root, which CI uses. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	1 week ago
Austin Pond	2de04f26cf	chore(deps): Upgrade grafana-app-sdk to v0.54.0 (#123847 ) * Upgrade grafana-app-sdk to v0.54.0 and update code and tests to fix breaking changes in resource.ClientGenerator and k8s version upgrade. * Run public/app/plugins/datasource/grafana-testdata-datasource/schema/v0alpha1.json through jq to format. * Revert changes to public/app/plugins/datasource/grafana-testdata-datasource/schema/v0alpha1.json as the change seems to be entirely formatting-related. * Remove getkin/kin-openapi replace directive in apps/plugins/go.mod, and remove yaml replace directives in go.mod as getkin/kin-openapi needs newer versions. * Regenerate OpenAPI snapshots, which now include new shardSelector query field introduced in k8s 1.36 * Run yarn generate-apis * Fix linter issues.	1 week ago
Kristina Demeshchik	906c7694b6	Dashboards: Preserve legacy string datasources in v1 to v2 conversion (#123553 ) * handle ds as a string * adjust comments * improve client side migration path * go linter * unit tests * cover variable * re-use existing helper * unit tests * fix * improve comments * improve tests * empty object usecase * improve test coverage * fix test	1 week ago
Povilas Vaitkus	63a8a027e8	Provisioning: Add commitMessageTemplate field to Repository spec (#123166 ) * Provisioning: Add commitMessageTemplate field to Repository spec Adds an optional `commitMessageTemplate` field to the RepositorySpec and the RepositoryView so that provisioned-resource save flows can pre-populate the commit/comment field from a per-repo template (e.g. conventional commits). The template supports three variables — {{action}} (create/update/delete/ move/rename), {{resource}} (dashboard/folder), and {{title}} — which the frontend interpolates at save time. When the field is empty, existing hardcoded fallback messages ("Save dashboard: <title>", etc.) continue to apply, so current behaviour is preserved. Frontend wiring lives in a follow-up PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Provisioning: Nest commit options under CommitOptions struct Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Provisioning: Re-attach RepositoryView.commit ref in PostProcessOpenAPI * Provisioning: Regenerate v1beta1 OpenAPI snapshot * Provisioning: Regenerate OpenAPI client artifacts --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	1 week ago
Bruno	ea6875089f	Secrets: add kmsKeyId to AWSConfig (#123387 )	1 week ago
owensmallwood	e375a40a0f	Unified Storage: Vector storage db setup and migrations (#122751 ) * feat(unified-storage): add vector-storage database config section * feat(unified-storage): add VectorBackend interface and types * feat(unified-storage): add pgvector schema DDL and init * feat(unified-storage): add vector SQL templates and request structs Add 5 SQL template files (upsert, delete, search, get_latest_rv, create_partition) and queries.go with typed request/response structs following the sqltemplate pattern used in unified storage. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test(unified-storage): add vector SQL template snapshot tests Add snapshot tests for all 5 SQL templates (upsert, delete, search, get_latest_rv, create_partition) using PostgreSQL dialect only via the mocks.CheckQuerySnapshots framework. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * feat(unified-storage): add pgvectorBackend implementation Implements the VectorBackend interface using pgvector-go for half-vector similarity search, the Grafana db.DB/db.Tx abstractions for dbutil compatibility, and a sync.Map partition cache for idempotent DDL. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test(unified-storage): add pgvectorBackend unit tests Tests cover sanitizePartitionName, Upsert no-op with empty/nil slice, Delete (all and stale), and GetLatestRV (value and no-rows cases) using the existing sqlmock test infrastructure. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * refactor(unified-storage): make vector search metadata filters generic Replace hardcoded datasource_uids/query_languages filters with a generic MetadataFilterEntry that works for any JSONB key. The SQL template now uses {{ range .MetadataFilters }} instead of dashboard-specific conditionals. * refactor(unified-storage): use migrator pattern for vector schema Replace raw schema.sql DDL with Grafana's migrator pattern (same as MigrateResourceStore). Each DDL statement is a tracked migration against the separate vector database, enabling incremental schema evolution. * devenv: add pgvector docker block for vector search integration tests PostgreSQL with pgvector extension on port 5433. Usage: make devenv sources=pgvector * feat(unified-storage): add vector database provider wiring ProvideVectorBackend connects [database_vector] config to a working pgvectorBackend: builds connection string, creates xorm engine, runs migrations, wraps as db.DB. Returns (nil, nil) if not configured. * test(unified-storage): add pgvector integration tests Tests run against real PostgreSQL+pgvector via devenv block: make devenv sources=pgvector PGVECTOR_TEST_DB="..." go test -run TestIntegration ... Covers: upsert, search with filters, GetLatestRV, delete stale, upsert overwrite. Skips when PGVECTOR_TEST_DB is not set. * chore: remove planning docs from repo * chore: remove trivial vector config tests * get tests passing * partition on namespace + model so we dont mix embeddings * wire up VectorBackend and feature flag * fix wiring * gofmt and provider func name change * docs: spec for tenant watcher/deleter tracing Performance-oriented tracing design: spans around labelling and deletion to identify slow tenants/group-resources. * chore: remove superpowers spec accidentally merged from local main The docs/superpowers/specs/2026-04-20-tenant-tracing-design.md was committed to local main and came along during a merge-back into this branch. Per repo convention, superpowers planning docs stay outside the repo. * gofmt * fix codeowners for pgvector docker block * fix CI make gen-apps * make update-workspace * fix bad comment and modowners * fix linter errors * rename ff to vector_backend * shard by table. Create tables on write. Remove rv dep for embeddings and track it globally in one table until we have a persistent queue * use halfvec(1024) for embeddings to match what GA uses. Fix some comments. * add some vector validation * gofmt * update partitioning strategy... again. One table per resource, tenants with many resources get their own dedicated partition created dynamically that has hnsw index, all other tenants share a single partition with no hnsw index * add gin index to metadata when creating new partition * move promoter into vector backend * make gen-jsonnet * use partitioning for resource tables instead. Makes things simpler and makes cross resource search easier * remove top level default partition - not used * add some comments * promoter uses partial index instead of partitions * shortens hnsw index name so theres more room for resource name since theres a 63 char max --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	1 week ago
Gonzalo Trigueros Manzanas	cbf6bd6c00	Provisioning: Folder max depth problems should be surface as warnings (#123726 ) * bug: folder too depth problems should be a job warning * bug: add integration test for max depth and other integration test * Provisioning: Detect folder depth violations on Update/move path The previous matcher only recognized the Create-path error string ("folder max depth exceeded"). Folder move/update validation in pkg/registry/apis/folders/validate.go returns folder.ErrMaximumDepthReached ("Maximum nested folder depth reached"), so a managed folder being moved deeper than the limit surfaced as a hard error and triggered the same retry loop the warning was meant to prevent. Broaden detection to also match the structured errutil sentinel, the K8s status details message ID, and the public-message substring. Apply the same FolderDepthExceededError wrapping on the Update path of EnsureFolderExists so moves into too-deep paths are surfaced as warnings too. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
Roberto Jiménez Sánchez	e66c549145	Provisioning: Return test results instead of HTTP 500 when GetDefaultBranch fails (#123725 ) Provisioning: Surface GetDefaultBranch failures via TestResults instead of HTTP 500 When the test endpoint built a temporary GitHub repository whose branch was empty, a failure in GetDefaultBranch (e.g. GitHub returning 404 for an unreachable repo or 401/403 for a token without access) propagated as a Go error and was returned to the client as "failed to get repository metadata: file not found" with HTTP 500. This is the onboarding entry point, so the user has no way to act on the message. Classify the underlying repository error and return a TestResults with a field-targeted ErrorDetails, mirroring the existing URL-parse and branch-protection handling. The connector remains responsible for serializing the result. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	1 week ago
Bruno	85ba958a6a	Secrets: include status.active in keeper list/read http responses (#123627 ) * Secrets: include status.active in keeper list/read http responses * typo	1 week ago
Matheus Macabu	2db345e0cc	Deps: Update authlib to latest (#123708 )	1 week ago
alerting-team[bot]	89b1bc060f	Alerting: Update alerting module to abd9b421dc12c885ef6410ece3a92c96e2b8c127 (#123549 ) [create-pull-request] automated change Co-authored-by: yuri-tceretian <25988953+yuri-tceretian@users.noreply.github.com>	2 weeks ago
Victor Marin	f417fd1a4f	Schema: Preserve 'inControlsMenu' variable hide property in v1 to v2 conversion (#123482 ) Schema: Preserve 'inControlsMenu' properly in v1 to v2 conversion	2 weeks ago
Roberto Jiménez Sánchez	e97a104b5a	Provisioning: Add selective dashboard export via Resources field (#123381 ) * Provisioning: Add selective dashboard export via Resources field Adds an optional Resources []ResourceRef field to ExportJobOptions so an export job can target a specific list of dashboards instead of the full instance. An empty Resources list preserves the existing whole-namespace export behavior. The admission validator rejects refs missing Name/Kind, non-Dashboard kinds, and non-dashboard.grafana.app groups so a misconfigured request fails fast. The worker resolves each ref via ForKind+Get, reuses the shared exportItem helper so the conversion shim and UID regeneration stay in lockstep with the bulk path, and records a per-resource warning when an explicitly named dashboard is skipped because it is managed by another repository. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Use constants for dashboard kind/group in selective export Replaces the string literals "Dashboard" and "dashboard.grafana.app" in the admission validator and the ExportSpecificResources worker with package constants so a rename or GVK change only has to land in one place. Adds a DashboardResourceKind/DashboardResourceGroup constant pair to the provisioning API package (apps/provisioning cannot import apps/dashboard across module boundaries) and a DashboardKind GVK to the existing pkg/registry/apis/provisioning/resources var block alongside FolderKind. Also adds admission integration cases for non-Dashboard kind, non- dashboard group, and missing resource name, plus a worker-path integration test covering the not-found warning scenario where a present dashboard is exported while an absent sibling is recorded as a warning. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Expand admission integration cases for selective export Adds five more push-with-resources validation cases: resource missing kind, empty ref, index reporting for a mixed valid/invalid list, lowercase dashboard kind, and LibraryPanel kind. These nail down the boundary behavior of the new ResourceRef validation so regressions in the field-path indices or the case-sensitivity of the Dashboard kind check surface as a test failure rather than a runtime surprise. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Move dashboard kind/group constants into apps/provisioning/pkg/resources The Dashboard kind and group strings were parked in the v0alpha1 API package next to ResourceRef as a short-term shim. Promotes them into a dedicated resources package at apps/provisioning/pkg/resources where future provisioning-owned resource identifiers can live alongside them. The typed GVR/GVK vars stay in pkg/registry/apis/provisioning/resources because they depend on apps/dashboard/apps/folder/apps/iam, which apps/provisioning does not import. A pointer comment in client.go documents the intentional split so future readers see why the same strings appear in both places. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Use typed dashboard GVR/GVK and fail explicit export misses Pull apps/dashboard into apps/provisioning so apps/provisioning/pkg/resources can re-derive Dashboard GVR/GVK directly from DashboardResourceInfo instead of mirroring strings. pkg/registry/apis/provisioning/resources now re-exports those vars so there is a single source of truth. When ExportSpecificResources cannot fulfil a caller-named ref — wrong kind, already managed by another repository, or not found — record the result as an error rather than a warning so the job surfaces the failure. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Cover v2 stable and v2beta1 in selective export integration test Extend TestIntegrationProvisioning_ExportSpecificResources to select dashboards across every supported stored version (v0, v1, v2, v2beta1). v2alpha1 becomes the non-selected case that proves filtering still excludes unnamed dashboards. Add DashboardsV2 to the provisioning test helper and DashboardResourceV2 to apps/provisioning/pkg/resources so the typed GVR is available alongside the existing v2alpha1 and v2beta1 entries. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * Provisioning: Escalate explicit-export failures to job-level error state jobProgressRecorder.Record silently drops per-resource errors when the result carries FileActionIgnored (progress.go:94), so the previous selective-export error paths were local-only and the job finished as success even when the caller-named dashboard could not be exported. Clear the action on the explicit-request failure paths (wrong kind, managed, not-found, get-error) so the recorder counts the error, appends it to JobStatus.Errors, and escalates the final state to Error. The bulk-export path keeps the Ignored action since encountering managed or write-skipped resources there is expected and shouldn't fail the job. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2 weeks ago
Adela Almasan	da7ecca99b	Trend: Add E2E test coverage (#123170 )	2 weeks ago
Dave Henderson	9986fa76a5	deps(go): bump github.com/hashicorp/go-secure-stdlib/plugincontainer to v0.5.0 (#123552 ) Signed-off-by: Dave Henderson <dave.henderson@grafana.com>	2 weeks ago
Brian Gann	e7e1a7a79b	BarChart: add e2e tests (#123284 ) * BarChart: add e2e tests for render, no-data, tooltips, legend, and data links Ref #112986 * BarChart: update golden checksums for barchart_tests dashboard * BarChart: regenerate dev-dashboards.libsonnet to include barchart_tests * BarChart: add e2e tests for panel options (show values, stacking, full highlight, orientation) * BarChart: update golden checksum for barchart_tests with panels 7-9 * BarChart: extract uPlot center position helper to reduce duplication * BarChart: fix stacking toggle comment to match UI label (Off not None)	2 weeks ago
Misi	ffb4fea402	IAM: Persist team members on the Team resource (step 1) (#123468 ) * IAM: Persist team members on the Team resource (step 1) * Add shared CUE TeamMember + TeamPermission types and expose TeamSpec.Members as a list of those. * team LegacyStore: hydrate spec.members on Get/List and reconcile add/update/delete deltas on Create/Update against the legacy team tables. Reconciliation runs in the same SQL transaction as the team row update; team-internal-ID resolution happens before BEGIN to avoid a SQLite self-deadlock when the write tx holds the file lock. * Admission rejects duplicate members and flips of the immutable `external` flag so the error is consistent regardless of dual-write mode. * Legacy CreateTeam now returns apierrors.NewAlreadyExists on a unique constraint violation so clients see a proper 409 instead of a 500 wrapping the raw SQL error. * Index member UIDs on the Team search document. * Integration tests cover CRUD with members, hydration, and the new admission rules. Scope of this commit is the data model + legacy store + index path. The user-teams / team-members subresources, the enterprise team-group synchronizer, and the legacy member-search adapter land in follow-up steps on this branch. * Regenerate openapi spec * IAM: fix testdata path in team integration subtests The team integration test file lives in `pkg/tests/apis/iam/team/` while the shared testdata fixtures live one level up in `pkg/tests/apis/iam/testdata/`. The new members/AlreadyExists subtests referenced `testdata/…` instead of `../testdata/…`, so CI failed with "no such file or directory" when loading the fixture. Use the correct relative path and switch the helper deletions from `defer` to `t.Cleanup` for consistency with the rest of the file. * Fix frontend * IAM: address review on team members path * Create is now transactional. CreateTeamCommand gained MemberCreates and legacy.CreateTeam inserts the team row and all seed members in one WithTransaction; a failing member rolls back the team too, matching Update's atomicity. * Update now maps team.ErrTeamMemberAlreadyAdded → apierrors.NewConflict so the concurrent-add race returns 409 instead of 500, matching the Create path. * buildCreateCommand / buildUpdateCommand translate GetUserInternalID failures into apierrors.NewBadRequest so an unknown user UID in spec.members returns 400 rather than a 500. * Replace the per-team hydration on List with a single bulk query via a new ListTeamBindingsQuery.TeamUIDs + ArgList in team_bindings_query.sql, backed by listTeamMembersForTeams. Drops the N+1. * mapTeamPermission / toLegacyPermission use explicit switches with a default panic so adding a new permission variant upstream without updating the mapping fails loud instead of silently collapsing to "member". * Clarify comments on CreateTeamCommand.MemberCreates and UpdateTeamCommand.Member{Deletes,Updates,Creates} to spell out the atomicity guarantee and which fields the caller must pre-resolve. * Document the remaining TOCTOU gap between listAllTeamMembers and the write tx in Update, and why the race that matters (add-add) is covered by the unique-constraint → 409 path. * IAM: integration test for Update 409 on concurrent member adds Exercises the ErrTeamMemberAlreadyAdded → apierrors.NewConflict mapping on the team Update path by racing 10 goroutines that each add the same user to an empty team. The test asserts no goroutine ever receives a 500 (the pre-fix failure mode), at least one succeeds, and the final team state contains the user exactly once — i.e. the race converges through the 409/retry path rather than duplicating or corrupting rows. * IAM: propagate permission-mapping errors and bulk team-member writes * mapTeamPermission / toLegacyPermission / mapToTeamMember / toTeamObject now return (value, error) instead of panicking on unknown variants. diffMembers, buildCreateCommand, buildUpdateCommand, and the Get / List / Create / Update flows in team/store.go propagate the error so a corrupt SQL row or a new upstream variant surfaces as a 500 at the HTTP boundary instead of crashing the apiserver. * legacy.CreateTeam and legacy.UpdateTeam now issue one bulk INSERT (multi-row VALUES) for MemberCreates and one bulk DELETE (… WHERE uid IN (...)) for MemberDeletes, replacing the per-row loops. DeleteTeamMembersBulkCommand is scoped by OrgID so a UID collision across orgs cannot remove the wrong row. Permission UPDATEs stay as one statement per row — each has a distinct target value and a CASE-WHEN bulk isn't worth the complexity today. * New golden-SQL tests (single + many variants) cover the two bulk templates across mysql/postgres/sqlite.	2 weeks ago
Roberto Jiménez Sánchez	9ab6c3c467	Provisioning: retry Repository patches on RV conflict (#123497 ) The unified storage layer translates every JSON Patch into a read-modify-write with PreviousRV set to the value it just read, so concurrent writes legitimately race with our patches and surface as "Operation cannot be fulfilled on repositories.provisioning.grafana.app ...: requested RV does not match current RV". Two call sites on the repository object have no retry and fail outright today: - RepositoryStatusPatcher.Patch — shared helper behind every status patch (status patch operations, post-hook status updates, delete- status writes). - handleDelete — the JSON Patch that strips /metadata/finalizers after finalizer processing completes. Wrap both in retry.RetryOnConflict with the default backoff (5 steps, ~50ms). Conflicts are transient by nature here, so a re-read + re-apply will succeed on the next attempt in almost every real case, and the retry budget is bounded so persistent conflicts still surface. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2 weeks ago
Ihor Yeromin	541eb02a6e	Transformations: Add smoke tests for dashboard transformations (#123390 ) * chore(transformations): add smoke tests for dashboard transformations * chore: regenerate golden files for transforms smoke fixture * chore(transformations): assert no ErrorBoundaryAlert inside transformation editor	2 weeks ago
Will Browne	840291c51a	Plugins: Drop `public/` prefix for core plugins meta (#123478 ) * drop public/ prefix for core plugins meta * add comment details	2 weeks ago
Paul Marbach	8536aa4f20	Stat: E2E tests (#123276 ) * wip: e2e stat * working * datalink test * regenerate golden checksums * tighter scope for uplot selectors * added assertions	2 weeks ago
Ryan McKinley	b8fd1b6c6b	Chore: use go 1.26.2 (#123379 ) * golang 1.26 * bump all modules and docker file * fix plugins test --------- Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>	2 weeks ago
Daniele Stefano Ferru	ca8051a806	Provisioning: Rotate webhook secret periodically (#122797 ) * Provisioning: add mechanism for automatic webhook secret rotation * fix unit tests * generating apis * generating openapi * generating openapi * adding integration tests * fixing integration tests * removing healthcheck on webhook integration tests * updating integration tests * Provisioning: Simplify webhook secret rotation patch ops Match the token rotation pattern in the connection controller: a plain "replace" on /secure/webhookSecret rather than a three-way switch over Secure.IsZero / WebhookSecret.IsZero / default. RotateWebhookSecret only runs after Status.Webhook.ID is populated by OnCreate, which also populates /secure/webhookSecret, so the defensive branches were guarding a state that cannot occur in practice. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Roberto Jimenez Sanchez <roberto.jimenez@grafana.com> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2 weeks ago
Kevin Yu	c3cc462c37	Chore: Upgrade github.com/grafana/grafana-aws-sdk from 1.4.3 to 1.4.4 (#123299 )	2 weeks ago
Matheus Macabu	2c48987405	Dependencies: Update some otlp packages (#123368 )	2 weeks ago
dependabot[bot]	1996aee8e8	deps(go): Bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 (#123305 ) * deps(go): Bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.9.1 to 5.9.2. - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2) --- updated-dependencies: - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.9.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * make update-workspace --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>	2 weeks ago
Ryan McKinley	5edb668a2f	DataSources: allow extending schema for each datasource (#110216 )	2 weeks ago

1 2 3 4 5 ...

1101 Commits (IfSentient/example-operator)