From c502a669c58edc19cf02f8b6042b9d533f820ff0 Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Date: Fri, 27 Feb 2026 09:30:26 +0100
Subject: [PATCH 1/4] ci: automate protobuf source generation for Renovate
 updates

Group protobuf-java and protoc into a single Renovate PR and add a
workflow that regenerates protobuf sources when both deps are updated.
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
---
 .github/renovate.json5                  |  6 +++
 .github/workflows/generate-protobuf.yml | 53 +++++++++++++++++++++++++
 mise.toml                               |  7 +---
 3 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/generate-protobuf.yml

diff --git a/.github/renovate.json5 b/.github/renovate.json5
index ff4363ba5..2b6af73f7 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -32,6 +32,12 @@
       description: "Ignore internal project modules",
       matchPackageNames: ["/^io\\.prometheus:(examples|example-.+|integration-tests|it-.+)$/"],
     },
+    {
+      description: "Group protobuf-java and protoc together so generated code can be updated in one PR",
+      matchDepNames: ["com.google.protobuf:protobuf-java", "protoc"],
+      groupName: "protobuf",
+      separateMajorMinor: false,
+    },
   ],
   customManagers: [],
 }
diff --git a/.github/workflows/generate-protobuf.yml b/.github/workflows/generate-protobuf.yml
new file mode 100644
index 000000000..cb06d2343
--- /dev/null
+++ b/.github/workflows/generate-protobuf.yml
@@ -0,0 +1,53 @@
+---
+name: Generate Protobuf
+
+on:
+  push:
+    branches:
+      - "renovate/protobuf"
+
+permissions: {}
+
+jobs:
+  generate:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          ref: ${{ github.ref }}
+      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+        with:
+          version: v2026.2.11
+          sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a
+      - name: Cache local Maven repository
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        with:
+          path: ~/.m2/repository
+          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+          restore-keys: |
+            ${{ runner.os }}-maven-
+      - name: Verify both protobuf deps are updated
+        run: |
+          git fetch origin main
+          git diff origin/main -- pom.xml | grep -q 'protobuf-java.version' || { echo "::error::protobuf-java not updated in pom.xml — waiting for Renovate"; exit 1; }
+          git diff origin/main -- mise.toml | grep -q 'protoc' || { echo "::error::protoc not updated in mise.toml — waiting for Renovate"; exit 1; }
+      - name: Generate protobuf sources
+        run: mise run generate
+      - name: Commit and push generated sources
+        run: |
+          git diff --quiet && exit 0
+          UNEXPECTED=$(git diff --name-only | grep -v '\.java$' | grep -v '^mise\.toml$' || true)
+          if [[ -n "$UNEXPECTED" ]]; then
+            echo "::error::Unexpected files changed:"
+            echo "$UNEXPECTED"
+            exit 1
+          fi
+          # TODO: verify whether GITHUB_TOKEN can push to Renovate branches,
+          #       or if we need a PAT / GitHub App token (ask Martin)
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add '*.java' mise.toml
+          git commit -m "chore: regenerate protobuf sources"
+          git push
diff --git a/mise.toml b/mise.toml
index e545af213..1d2112312 100644
--- a/mise.toml
+++ b/mise.toml
@@ -31,11 +31,8 @@ description = "bare compile, ignoring formatting and linters"
 run = "./mvnw install -DskipTests -Dspotless.check.skip=true -Dcoverage.skip=true -Dcheckstyle.skip=true -Dwarnings=-nowarn"
 
 [tasks.generate]
-description = "bare compile, ignoring formatting and linters"
-run = [
-  "mise use --pin protoc@latest",
-  "./mvnw clean install -DskipTests -Dspotless.check.skip=true -Dcoverage.skip=true -Dcheckstyle.skip=true -Dwarnings=-nowarn"
-]
+description = "regenerate protobuf sources"
+run = "./mvnw clean install -DskipTests -Dspotless.check.skip=true -Dcoverage.skip=true -Dcheckstyle.skip=true -Dwarnings=-nowarn"
 env.PROTO_GENERATION = "true"
 
 [tasks.test]

From 68a0d20aa89ba0f07f420a5a3c5a54ee0ba3b950 Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Date: Fri, 27 Feb 2026 12:21:32 +0100
Subject: [PATCH 2/4] ci: clarify GITHUB_TOKEN limitation and close/reopen
 workaround Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>

---
 .github/workflows/generate-protobuf.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/generate-protobuf.yml b/.github/workflows/generate-protobuf.yml
index cb06d2343..d46077186 100644
--- a/.github/workflows/generate-protobuf.yml
+++ b/.github/workflows/generate-protobuf.yml
@@ -44,8 +44,9 @@ jobs:
             echo "$UNEXPECTED"
             exit 1
           fi
-          # TODO: verify whether GITHUB_TOKEN can push to Renovate branches,
-          #       or if we need a PAT / GitHub App token (ask Martin)
+          # Note: GITHUB_TOKEN pushes don't trigger CI re-runs.
+          # Close and reopen the PR to trigger CI after this commit.
+          # TODO: switch to PROMBOT_GITHUB_TOKEN once it's added to this repo.
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add '*.java' mise.toml

From 87f97d418f94da57fcdc7bd8df638676c075cd50 Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Date: Fri, 27 Feb 2026 12:29:41 +0100
Subject: [PATCH 3/4] ci: fix lint issues in generate-protobuf workflow
 Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>

---
 .github/renovate-tracked-deps.json      |  3 +++
 .github/workflows/generate-protobuf.yml | 14 ++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/renovate-tracked-deps.json b/.github/renovate-tracked-deps.json
index 0b257110a..5e0fe8a13 100644
--- a/.github/renovate-tracked-deps.json
+++ b/.github/renovate-tracked-deps.json
@@ -8,6 +8,9 @@
   ".github/workflows/build.yml": {
     "regex": ["mise"]
   },
+  ".github/workflows/generate-protobuf.yml": {
+    "regex": ["mise"]
+  },
   ".github/workflows/github-pages.yaml": {
     "regex": ["mise"]
   },
diff --git a/.github/workflows/generate-protobuf.yml b/.github/workflows/generate-protobuf.yml
index d46077186..6c81748ad 100644
--- a/.github/workflows/generate-protobuf.yml
+++ b/.github/workflows/generate-protobuf.yml
@@ -17,6 +17,8 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.ref }}
+          # zizmor: ignore[artipacked] -- needs credentials to push
+          persist-credentials: true
       - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
         with:
           version: v2026.2.11
@@ -31,8 +33,16 @@ jobs:
       - name: Verify both protobuf deps are updated
         run: |
           git fetch origin main
-          git diff origin/main -- pom.xml | grep -q 'protobuf-java.version' || { echo "::error::protobuf-java not updated in pom.xml — waiting for Renovate"; exit 1; }
-          git diff origin/main -- mise.toml | grep -q 'protoc' || { echo "::error::protoc not updated in mise.toml — waiting for Renovate"; exit 1; }
+          DIFF_POM=$(git diff origin/main -- pom.xml)
+          DIFF_MISE=$(git diff origin/main -- mise.toml)
+          if ! echo "$DIFF_POM" | grep -q 'protobuf-java.version'; then
+            echo "::error::protobuf-java not updated in pom.xml"
+            exit 1
+          fi
+          if ! echo "$DIFF_MISE" | grep -q 'protoc'; then
+            echo "::error::protoc not updated in mise.toml"
+            exit 1
+          fi
       - name: Generate protobuf sources
         run: mise run generate
       - name: Commit and push generated sources

From b1b5559c40ead977ff556d5a776f9d4ede34c510 Mon Sep 17 00:00:00 2001
From: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Date: Fri, 27 Feb 2026 12:45:11 +0100
Subject: [PATCH 4/4] ci: remove mise.toml from generate workflow commit scope

Since the generate task no longer runs `mise use --pin protoc@latest`,
mise.toml should not change during generation.
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
---
 .github/workflows/generate-protobuf.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/generate-protobuf.yml b/.github/workflows/generate-protobuf.yml
index 6c81748ad..9bfe252a1 100644
--- a/.github/workflows/generate-protobuf.yml
+++ b/.github/workflows/generate-protobuf.yml
@@ -48,7 +48,7 @@ jobs:
       - name: Commit and push generated sources
         run: |
           git diff --quiet && exit 0
-          UNEXPECTED=$(git diff --name-only | grep -v '\.java$' | grep -v '^mise\.toml$' || true)
+          UNEXPECTED=$(git diff --name-only | grep -v '\.java$' || true)
           if [[ -n "$UNEXPECTED" ]]; then
             echo "::error::Unexpected files changed:"
             echo "$UNEXPECTED"
@@ -59,6 +59,6 @@ jobs:
           # TODO: switch to PROMBOT_GITHUB_TOKEN once it's added to this repo.
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add '*.java' mise.toml
+          git add '*.java'
           git commit -m "chore: regenerate protobuf sources"
           git push