DO NOT MERGE test sync between release branch and main branch

.gitattributes

@@ -4,4 +4,4 @@ pkg/operator/crds/*.yaml linguist-generated=true
 Makefile text eol=lf
 tools/make/*.mk text eol=lf
 tools/image-tag text eol=lf
-tools/release text eol=lf
+tools/publish-release-assets.sh text eol=lf

.github/pull_request_template.md

@@ -1,10 +1,9 @@
 <!--
 
-CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md#updating-the-changelog
+CONTRIBUTORS GUIDE: https://github.com/grafana/alloy/blob/main/docs/developer/contributing.md
 
 If this is your first PR or you have not contributed in a while, we recommend
-taking the time to review the guide. It gives helpful instructions for
-contributors around things like how to update the changelog.
+taking the time to review the guide.
 
 -->
 
@@ -21,7 +20,6 @@ contributors around things like how to update the changelog.
 
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
-- [ ] CHANGELOG.md updated
 - [ ] Documentation added
 - [ ] Tests updated
 - [ ] Config converters updated

.github/workflows/autolock.yml

@@ -1,25 +1,35 @@
-name: Lock closed issues and PRs
+name: Auto-lock conversations
+
 on:
-  workflow_dispatch: {}
+  pull_request_target: # zizmor: ignore[dangerous-triggers] Only used to lock PRs from forks
+    types: [closed]
   schedule:
     - cron: '0 0 * * *'
-
-permissions:
-  issues: write
-  pull-requests: write
-  discussions: write
-
-concurrency:
-  group: lock-threads
+  workflow_dispatch:
 
 jobs:
-  action:
+  lock-pr-on-close:
+    if: github.event_name == 'pull_request_target'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Lock PR conversation 🔏
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr lock "$PR_URL"
+    permissions:
+      pull-requests: write
+
+  lock-stale-issues:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
+      - name: Lock stale issue conversations 🔏
+        uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
-          pr-inactive-days: 30
-          issue-inactive-days: 30
+          issue-inactive-days: 14
           add-issue-labels: 'frozen-due-to-age'
-          add-pr-labels: 'frozen-due-to-age'
-          process-only: 'issues, prs'
+          process-only: 'issues'
+    permissions:
+      issues: write

.github/workflows/check-sync-module-dependencies.yml

@@ -0,0 +1,47 @@
+name: Check generate-module-dependencies
+permissions:
+  contents: read
+on: pull_request
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version: '1.25.x'
+
+      - name: Run tests
+        run: |
+          cd tools/generate-module-dependencies
+          go test -v .
+
+      - name: Run generate-module-dependencies
+        run: |
+          make generate-module-dependencies
+
+      - name: Check for go.mod changes
+        run: |
+          # List changed go.mod files (added/modified/deleted)
+          CHANGED=$(git diff --name-only --ignore-all-space | grep -E '(^|/)go\.mod$' || true)
+
+          if [ -n "$CHANGED" ]; then
+            echo "::error::go.mod files are out of sync with generate-module-dependencies."
+            echo "The following go.mod files changed:"
+            echo "$CHANGED"
+            echo
+            echo "Diff:"
+            git --no-pager diff -- $CHANGED || true
+            echo
+            echo "To fix locally:"
+            echo "  Ensure that you update the dependency-replacements.yaml file and run make generate-module-dependencies"
+            exit 1
+          fi

.github/workflows/check-windows-container.yml

@@ -9,15 +9,15 @@ on:
       - '.github/workflows/check-windows-container.yml'
       - '.github/workflows/publish-alloy.yml'
       - '.github/workflows/publish-alloy-devel.yml'
-      - '.github/workflows/publish-alloy-release.yml'
+      - '.github/workflows/release-publish-alloy-artifacts.yml'
   pull_request:
     paths:
       - 'Dockerfile.windows'
       - 'tools/ci/docker-containers-windows'
       - '.github/workflows/check-windows-container.yml'
       - '.github/workflows/publish-alloy.yml'
       - '.github/workflows/publish-alloy-devel.yml'
-      - '.github/workflows/publish-alloy-release.yml'
+      - '.github/workflows/release-publish-alloy-artifacts.yml'
 
 permissions:
   contents: read

.github/workflows/integration-tests-k8s.yml

@@ -14,7 +14,9 @@ jobs:
       labels: github-hosted-ubuntu-x64-large
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
     - name: Setup Go
       uses: actions/setup-go@v5
       with:

.github/workflows/lint-pr-title.yml

@@ -0,0 +1,61 @@
+name: PR Title Lint
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  pull-requests: read
+  id-token: write
+
+jobs:
+  lint-pr-title:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get GitHub app secrets 🔐
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@a37de51f3d713a30a9e4b21bcdfbd38170020593 # get-vault-secrets/v1.3.0
+        with:
+          export_env: false
+          repo_secrets: |
+            ALLOYBOT_APP_ID=alloybot:app_id
+            ALLOYBOT_PRIVATE_KEY=alloybot:private_key
+
+      - name: Generate token 🔐
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+        id: app-token
+        with:
+          app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_APP_ID }}
+          private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).ALLOYBOT_PRIVATE_KEY }}
+          owner: grafana
+          repositories: alloy
+
+      - name: Validate PR title 🔎
+        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+        with:
+          # Require conventional commit types
+          types: |
+            feat
+            fix
+            docs
+            style
+            refactor
+            perf
+            test
+            build
+            ci
+            chore
+            revert
+          # Scope is optional
+          requireScope: false
+          # Disallow uppercase first letter in subject
+          subjectPattern: ^[a-z].+$
+          subjectPatternError: |
+            The subject "{subject}" must start with a lowercase letter.
+            Example: "feat: add new component" not "feat: Add new component"

.github/workflows/lint.yml

@@ -55,7 +55,7 @@ jobs:
           packaging,\
           production,\
           tools/ci,\
-          tools/release,\
+          tools/publish-release-assets.sh,\
           docs/sources/tutorials/assets\
           "