grafana
diff --git a/‎.github/workflows/autolock.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/autolock.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/check-linux-build-image.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/check-linux-build-image.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/create_build_image.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/create_build_image.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/release-lint-pr-title.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release-lint-pr-title.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release-please.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release-please.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/sources/reference/components/loki/loki.secretfilter.md‎
Lines changed: 7 additions & 2 deletions b/‎docs/sources/reference/components/loki/loki.secretfilter.md‎
Lines changed: 7 additions & 2 deletions
@@ -16,7 +16,7 @@ jobs:
   action:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
         with:
           pr-inactive-days: 14
           issue-inactive-days: 14
 
@@ -32,13 +32,13 @@ jobs:
             rm -rf /opt/hostedtoolcache
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Create test Linux build image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           platforms: linux/amd64,linux/arm64
           context: ./tools/build-image
 
@@ -42,13 +42,13 @@ jobs:
       uses: grafana/shared-workflows/actions/dockerhub-login@081a366728379fd0426b9cfef190e9a21c2d5418 # dockerhub-login/v1.0.3
 
     - name: Setup QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
     - name: Create Linux build image
-      uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
       with:
         platforms: linux/amd64,linux/arm64
         context: ./tools/build-image
 
@@ -23,13 +23,13 @@ jobs:
         cache: false
 
     - name: Lint alloy module
-      uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
       with:
         # renovate: datasource=github-releases packageName=golangci/golangci-lint
         version: v2.4.0
 
     - name: Lint syntax module
-      uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+      uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
       with:
         # renovate: datasource=github-releases packageName=golangci/golangci-lint
         version: v2.4.0
@@ -73,7 +73,7 @@ jobs:
         persist-credentials: false
 
     - name: Set up Node.js
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
       with:
         node-version-file: internal/web/ui/.nvmrc
 
 
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Validate PR title 🔎
-        uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
         env:
           GITHUB_TOKEN: ${{ github.token }}
         with:
 
@@ -39,7 +39,7 @@ jobs:
           persist-credentials: false
 
       - name: Setup Node.js 🏗️
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version-file: tools/release/release-please-runner/.nvmrc
           package-manager-cache: false
 
@@ -52,7 +52,7 @@ You can use the following arguments with `loki.secretfilter`:
 | `drop_on_timeout`    | `bool`               | When true, drop entries that exceed `processing_timeout` instead of forwarding them unredacted.                             | `false` | no       |
 | `gitleaks_config`    | `string`             | Path to a custom Gitleaks TOML config file. If empty, the default Gitleaks config is used.                                  | `""`    | no       |
 | `label_timed_out`    | `bool`               | When true, adds `secretfilter="timed-out"` to entries forwarded after a processing timeout.                                 | `false` | no       |
-| `origin_label`       | `string`             | Loki label to use for the `secrets_redacted_by_origin` metric. If empty, that metric is not registered.                     | `""`    | no       |
+| `origin_label`       | `string`             | Loki label to use as the `origin` dimension in `secrets_redacted_by_origin` and `secrets_redacted_by_category_total`. If empty, `secrets_redacted_by_origin` is not registered and the `origin` label on `secrets_redacted_by_category_total` is set to `""`. | `""`    | no       |
 | `processing_timeout` | `duration`           | Maximum time allowed to process a single log entry. `0` disables the timeout.                                               | `0`     | no       |
 | `rate`               | `float`              | Entry sampling rate in `[0.0, 1.0]` where `1` processes all entries. Unsampled entries are forwarded unchanged.             | `1.0`   | no       |
 | `redact_percent`     | `uint`               | When `redact_with` is not set: percent of the secret to redact (1–100), where 100 is full redaction.                        | `80`    | no       |
@@ -67,6 +67,8 @@ The default configuration may change between {{< param "PRODUCT_NAME" >}} versio
 For consistent behavior, use an external configuration file via `gitleaks_config`.
 {{< /admonition >}}
 
+If you leave `origin_label` empty, the component doesn't register `secrets_redacted_by_origin` and sets the origin label on `secrets_redacted_by_category_total` to `""`.
+
 **Redaction behavior:**
 
 - If `redact_with` is set, it is used as the replacement string for every detected secret.
@@ -82,7 +84,9 @@ Entries that {{< param "PRODUCT_NAME" >}} does not select based on the sampling
 Use a value below `1.0`, for example, `0.1` for 10%, to reduce CPU usage when processing high-volume logs.
 Monitor `loki_secretfilter_entries_bypassed_total` to observe how many entries were skipped.
 
-**Origin metric:** The `origin_label` argument specifies which Loki label to use for the `secrets_redacted_by_origin` metric, so you can track how many secrets were redacted per source or environment.
+**Origin metric:** The `origin_label` argument specifies the Loki label the component uses as the origin dimension in the `secrets_redacted_by_origin` and `secrets_redacted_by_category_total` metrics.
+You can track how many secrets were redacted per source or environment.
+When `origin_label` isn’t set, the component doesn’t register `secrets_redacted_by_origin`, and the `origin` label on `secrets_redacted_by_category_total` defaults to an empty string.
 
 **Processing timeout:** The `processing_timeout` argument sets a maximum duration for processing each log entry.
 When the timeout is exceeded, the `loki_secretfilter_lines_timed_out_total` metric is incremented.
@@ -131,6 +135,7 @@ The following fields are exported and can be referenced by other components:
 | `loki_secretfilter_secrets_redacted_total`         | Counter | Total number of secrets redacted.                                                              |
 | `loki_secretfilter_secrets_redacted_by_rule_total` | Counter | Number of secrets redacted, partitioned by rule name.                                          |
 | `loki_secretfilter_secrets_redacted_by_origin`     | Counter | Number of secrets redacted, partitioned by origin label, when `origin_label` is set.           |
+| `loki_secretfilter_secrets_redacted_by_category_total` | Counter | Number of secrets redacted, partitioned by rule name and origin label value. The `origin` label is empty when `origin_label` is not set or the label is absent on the entry. |
 
 ## Example