Add ignored-tests option to filter out specific test failures

.bun-version

@@ -1 +1 @@
-1.2.21
+1.2.22

.github/workflows/codeql.yml

@@ -57,14 +57,14 @@ jobs:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
           config: |
             paths-ignore: ${{ toJSON(matrix.paths-ignore) }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -28,4 +28,4 @@ jobs:
         with:
           persist-credentials: false
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0

.github/workflows/lint-shared-workflows.yaml

@@ -51,7 +51,7 @@ jobs:
       - name: Restore github-action.json schema
         id: restore-schema
         if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             github-action.json
@@ -98,7 +98,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
 
       - name: Save github-action.json schema to cache
-        uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         if: steps.restore-schema.conclusion == 'success' && steps.download-schema.outputs.schema-changed == 'true'
         with:
           path: |

.github/workflows/publish-techdocs.yaml

@@ -124,9 +124,8 @@ jobs:
           role-arn: ${{ steps.instance-settings.outputs.aws-role-arn }}
           set-creds-in-environment: true
 
-      # Pinning until resolved https://github.com/backstage/backstage/issues/25303
       - name: Install techdocs-cli
-        run: sudo npm install -g @techdocs/cli@1.8.11
+        run: sudo npm install -g @techdocs/cli@1.9.8
 
       - name: setup python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0

.github/workflows/renovate.yml

@@ -70,13 +70,13 @@ jobs:
 
       - name: Generate token
         id: generate-token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ env.GRAFANA_RENOVATE_APP_ID }}
           private-key: ${{ env.GRAFANA_RENOVATE_PRIVATE_KEY }}
 
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@6927a58a017ee9ac468a34a5b0d2a9a9bd45cac3 # v43.0.11
+        uses: renovatebot/github-action@9ba84f1ade243f8c2ce5b223df61cf23dc094584 # v43.0.13
         with:
           configurationFile: .github/renovate-config.json5
           # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate

.github/workflows/reusable-zizmor.yml

@@ -242,7 +242,7 @@ jobs:
       MIN_SEVERITY: ${{ inputs.min-severity }}
       MIN_CONFIDENCE: ${{ inputs.min-confidence }}
       # renovate: datasource=pypi depName=zizmor
-      ZIZMOR_VERSION: 1.12.1
+      ZIZMOR_VERSION: 1.13.0
       GH_TOKEN: ${{ inputs.github-token || github.token }}
       ZIZMOR_EXTRA_ARGS: ${{ inputs.extra-args }}
       DEFAULT_ZIZMOR_CONFIG_DOWNLOADED: ${{ needs.job-workflow-ref.outputs.sha }}
@@ -261,7 +261,7 @@ jobs:
 
       - name: Restore config from cache
         id: cache-config
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         if: env.DEFAULT_ZIZMOR_CONFIG_DOWNLOADED
         with:
           path: ${{ runner.temp }}/zizmor.yml
@@ -361,15 +361,15 @@ jobs:
           fi
 
       - name: Setup UV
-        uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
+        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0
         with:
           enable-cache: true
           activate-environment: true
           cache-suffix: ${{ env.ZIZMOR_VERSION }}
           cache-dependency-glob: ""
 
       - name: Zizmor cache
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ${{ runner.temp }}/.cache/zizmor
           key: zizmor-${{ runner.os }}-${{ runner.arch }}
@@ -399,7 +399,7 @@ jobs:
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         continue-on-error: true
         with:
           sarif_file: results.sarif
@@ -450,13 +450,13 @@ jobs:
       - name: Hide any previous comments
         if: ${{ !cancelled() && github.event.pull_request.head.repo.full_name == github.repository }}
         id: hide-comments
-        uses: int128/hide-comment-action@a30d551065e4231e6d7a671bb5ce884f9ee6417b # v1.43.0
+        uses: int128/hide-comment-action@9803637eab610cca14ac6f64c42c0d7ffe9327e0 # v1.44.0
         with:
           ends-with: "<!-- comment-action/${{ github.workflow }}/${{ github.job }} -->"
 
       - name: Comment with zizmor results
         if: steps.zizmor-plain.outputs.zizmor-exit-code != 0 && github.event.pull_request.head.repo.full_name == github.repository
-        uses: int128/comment-action@f4faf53666ef83da7d274fa2007e9212c4d719c3 # v1.39.0
+        uses: int128/comment-action@b2bcb6693040ee191f8e643d247faf3e22e4b2f1 # v1.40.0
         with:
           post: |
             :cry: zizmor failed with exit code ${{ steps.zizmor-plain.outputs.zizmor-exit-code }}.

.github/workflows/scorecards.yml

@@ -77,6 +77,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@d3678e237b9c32a6c9bffb3315c335f976f3549f # v3.30.2
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
         with:
           sarif_file: results.sarif

.release-please-manifest.json

@@ -21,7 +21,7 @@
     "actions/remove-checkout-credentials": "0.1.0",
     "actions/dependabot-auto-triage": "1.1.0",
     "actions/get-latest-workflow-artifact": "0.2.0",
-    "actions/create-github-app-token": "v0.1.0",
+    "actions/create-github-app-token": "0.2.0",
     "actions/run-capslock": "0.2.0",
     "actions/azure-trusted-signing": "1.0.0"
 }

CODEOWNERS

@@ -19,3 +19,6 @@
 
 # Platform Infrasec
 /actions/create-github-app-token @grafana/platform-infrasec
+
+# Mimir
+actions/go-flaky-tests/cmd/go-flaky-tests @grafana/mimir-maintainers

actions/azure-trusted-signing/action.yaml

@@ -80,7 +80,7 @@ runs:
       uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         # renovate: datasource=dotnet-version depName=dotnet-sdk
-        dotnet-version: "8.0.413"
+        dotnet-version: "8.0.414"
 
     - name: Install Sign CLI tool
       id: install-sign-tool

actions/cleanup-branches/README.md

@@ -0,0 +1,38 @@
+# cleanup-branches
+
+Composite action (step) to query for branches that are not in an open PR, and delete them if 'dry-run' is 'false'. Protected branches are excluded as well.
+
+## Inputs
+
+| Name       | Type     | Description                                                                                                                                                                        | Default Value         | Required |
+| ---------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | -------- |
+| `token`    | `string` | GitHub token used to authenticate with `gh`. Requires permission to query for protected branches and delete branches (`contents: write`) and pull requests (`pull_requests: read`) | `${{ github.token }}` | true     |
+| `dry-run`  | `bool`   | If `'true'`, then the action will print branches to be deleted, but will not delete them                                                                                           | `'true'`              | true     |
+| `max-date` | `string` | Value passed to `date -d`; a human readable date string. Maximum date of the head ref of a branch in order to be deleted.                                                          | `"2 weeks ago"`       | false    |
+
+## Examples
+
+### Clean up branches on a weekly cron schedule
+
+<!-- x-release-please-start-version -->
+
+```yaml
+name: Clean up orphaned branches
+on:
+  schedule:
+    - cron: "0 9 * * 1"
+
+jobs:
+  cleanup-branches::
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: read
+    steps:
+      - uses: actions/checkout@v5
+      - uses: grafana/shared-workflows/actions/cleanup-branches@cleanup-branches/v1.0.0
+        with:
+          dry-run: false
+```
+
+<!-- x-release-please-end-version -->

actions/cleanup-branches/action.yml

@@ -0,0 +1,83 @@
+name: Clean up orphaned git branches
+description: |
+  This action will query for branches that are not in an open PR, and will delete them if 'dry-run' is 'false'.
+  Protected branches are excluded as well.
+inputs:
+  dry-run:
+    default: "true"
+    required: true
+    description: "If 'true', then the action will print branches to be deleted, but will not delete them"
+  token:
+    default: ${{ github.token }}
+    required: true
+    description: "GitHub token used to authenticate with `gh`. Requires permission to query for protected branches and delete branches (contents: write) and pull requests (pull_requests: read)"
+  max-date:
+    default: "2 weeks ago"
+    required: false
+    description: |
+      Value provided to `date -d={}. From `man date`: "The --date=STRING is a mostly free format human readable date string such as "Sun, 29 Feb 2004 16:21:42 -0800" or "2004-02-29 16:21:42" or even "next Thursday".  A date string may
+       contain items indicating calendar date, time of day, time zone, day of week, relative time, relative date, and numbers.  An empty string indicates the beginning of the day.  The
+       date string format is more complex than is easily documented here but is fully described in the info documentation."
+runs:
+  using: composite
+  steps:
+    - name: List branches
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+        DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+        MAX_DATE: ${{ inputs.max-date }}
+      run: |
+        #!/usr/bin/env bash
+        # Fetch all branches from remote. This is basically `git fetch --unshallow` but also fetches branches.
+        git fetch origin "+refs/heads/*:refs/remotes/origin/*"
+
+        # A limit of 1,000 open PRs is far beyond any repository that is in the grafana org
+        readarray -t open_pr_branches < <(gh pr list --state open -L 1000 --json headRefName | jq -cr '.[].headRefName')
+
+        # For repositories that have exceeded 2,000+ branches, this could fail.
+        readarray -t protected_branches < <(gh api --paginate "/repos/${GITHUB_REPOSITORY}/branches?protected=true" | jq -cr '.[].name')
+
+        branches=()
+        while IFS= read -r line; do
+          branches+=("$line")
+        done < <(git ls-remote --heads origin | awk '{print $2}' | sed 's|refs/heads/||' | grep -Ev "^(origin/)?(${DEFAULT_BRANCH})$")
+
+        to_delete=()
+        for branch in "${branches[@]}"; do
+          found=0
+          for pr_branch in "${open_pr_branches[@]}"; do
+            if [[ "$branch" == "$pr_branch" ]]; then
+              found=1
+              break
+            fi
+          done
+          if [ "$found" != 1 ]; then
+            for protected_branch in "${protected_branches[@]}"; do
+              if [[ "$branch" == "$protected_branch" ]]; then
+                found=1
+                break
+              fi
+            done
+          fi
+          if [ "$found" != 1 ]; then
+            to_delete+=("$branch")
+          fi
+        done
+        max_date=$(TZ=utc date -d "$MAX_DATE" +%s)
+        for branch in "${to_delete[@]}"; do
+          branch_ts=$(git log -1 --format=%ct "origin/$branch")
+          if [[ "$branch_ts" -lt "$max_date" ]]; then
+            echo "$branch" >> branches.txt
+          fi
+        done
+    - name: Delete branches (dry run)
+      shell: bash
+      if: ${{ inputs.dry-run == "true" }}
+      run: |
+        cat branches.txt | xargs -I {} echo git push origin --delete "{}"
+    - name: Delete branches
+      shell: bash
+      if: ${{ inputs.dry-run != "true" }}
+      run: |
+        cat branches.txt | xargs -I {} git push origin --delete "{}"

actions/create-github-app-token/CHANGELOG.md

@@ -0,0 +1,16 @@
+# Changelog
+
+## [0.2.0](https://github.com/grafana/shared-workflows/compare/create-github-app-token/v0.1.0...create-github-app-token/v0.2.0) (2025-09-16)
+
+
+### 🎉 Features
+
+* **create-github-app-token:** added retries and test workflow ([#1294](https://github.com/grafana/shared-workflows/issues/1294)) ([2c842d9](https://github.com/grafana/shared-workflows/commit/2c842d90ec0e332485acf7d7afe9f03d03f68f7b))
+* **create-github-app-token:** adding create-github-app-token action ([#1144](https://github.com/grafana/shared-workflows/issues/1144)) ([7c748d7](https://github.com/grafana/shared-workflows/commit/7c748d77ca1ccc01af4281ea72c7ec9d2b3d9129))
+
+
+### 🔧 Miscellaneous Chores
+
+* **deps:** update actions/github-script action to v7.1.0 ([#1306](https://github.com/grafana/shared-workflows/issues/1306)) ([31b0c57](https://github.com/grafana/shared-workflows/commit/31b0c573abbbd9b56060318f7327ae8bb3ec041e))
+* **deps:** update actions/github-script action to v8 ([#1307](https://github.com/grafana/shared-workflows/issues/1307)) ([078c4a8](https://github.com/grafana/shared-workflows/commit/078c4a8af09e06d646077550f9e0f68171d5881e))
+* **main:** release push-to-gar-docker 0.3.0 ([#794](https://github.com/grafana/shared-workflows/issues/794)) ([a7bc536](https://github.com/grafana/shared-workflows/commit/a7bc5367c4a91c389526d58839d8f6224dba4dcc))

actions/create-github-app-token/README.md

@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - id: get-github-token
-        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.2.0
         with:
           github_app: github-app-name
 
@@ -72,7 +72,7 @@ jobs:
 
     steps:
       - id: get-github-token-read
-        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.2.0
         with:
           github_app: github-app-name
           permissions-set: read-only-on-foo-repository
@@ -87,7 +87,7 @@ jobs:
             https://api.github.com/repos/grafana/foo-repository/assignees
 
       - id: get-github-token-write
-        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.1.0
+        uses: grafana/shared-workflows/actions/create-github-app-token@create-github-app-token/v0.2.0
         with:
           github_app: github-app-name
           permissions-set: write-on-bar-repository

actions/dependabot-auto-triage/package.json

@@ -17,13 +17,13 @@
     "minimatch": "10.0.3"
   },
   "devDependencies": {
-    "@eslint/js": "9.35.0",
-    "@types/bun": "1.2.21",
+    "@eslint/js": "9.36.0",
+    "@types/bun": "1.2.22",
     "eslint-config-prettier": "10.1.8",
     "eslint-plugin-jest": "29.0.1",
     "eslint-plugin-prettier": "5.5.4",
     "typescript": "5.9.2",
-    "typescript-eslint": "8.43.0"
+    "typescript-eslint": "8.44.1"
   },
   "engines": {
     "bun": "^1.0.0"

actions/generate-openapi-clients/action.yaml

@@ -38,7 +38,7 @@ runs:
   steps:
     # Get openapi-generator
     - id: openapi-generator-cache
-      uses: actions/cache/restore@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         key: openapi-generator-${{ inputs.generator-version }}
         path: openapi-generator-cli.jar
@@ -50,7 +50,7 @@ runs:
         GENERATOR_VERSION: ${{ inputs.generator-version }}
       run: |
         wget -nv "https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/${GENERATOR_VERSION}/openapi-generator-cli-${GENERATOR_VERSION}.jar" -O ./openapi-generator-cli.jar
-    - uses: actions/cache/save@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       if: steps.openapi-generator-cache.outputs.cache-hit != 'true'
       with:
         key: openapi-generator-${{ inputs.generator-version }}

actions/get-latest-workflow-artifact/package.json

@@ -14,9 +14,9 @@
     "@js-temporal/polyfill": "0.5.1"
   },
   "devDependencies": {
-    "@octokit/openapi-types": "25.1.0",
+    "@octokit/openapi-types": "26.0.0",
     "@types/bun": "latest",
-    "@types/node": "24.3.1"
+    "@types/node": "24.5.2"
   },
   "bugs": {
     "url": "https://github.com/grafana/get-latest-workflow-artifact-action/issues"

actions/go-flaky-tests/CHANGELOG.md

@@ -7,11 +7,15 @@
 - Initial implementation of flaky test analysis action
 - Loki integration for fetching test failure logs
 - Git history analysis to find test authors
+- GitHub issue creation and management for flaky tests
+- Dry run mode for testing without creating issues
 - Comprehensive test suite with golden file testing
 
 ### Features
 
 - **Loki Log Analysis**: Fetches and parses test failure logs using LogQL
 - **Flaky Test Detection**: Identifies tests that fail inconsistently across branches
 - **Git Author Tracking**: Finds recent commits that modified flaky tests
+- **GitHub Integration**: Creates and updates issues with detailed test information
 - **Configurable Limits**: Top-K filtering to focus on most problematic tests
+- **Rich Issue Templates**: Detailed issue descriptions with investigation guidance