fix(grafana): address code review findings

- Add pagination loop for service accounts (was silently capped at 1000)
- Use grafanaConnection() helper consistently across all resource files
  instead of raw type assertions; helper now returns error on type mismatch
- Send X-Grafana-Org-Id header when org-id option is set
- Add explanatory comment on discovery no-op (single-org scope)
- Add datasource, grafana, pagerduty to spelling expect list

Author: syrull

.github/actions/spelling/expect.txt

@@ -55,6 +55,7 @@ cyclonedx
 dast
 databricks
 datapath
+datasource
 DATAUSER
 datetime
 ddos
@@ -99,6 +100,7 @@ geomatchstatement
 gistfile
 gotestsum
 gpu
+grafana
 groupname
 gvnic
 HADOOP
@@ -189,6 +191,7 @@ ospf
 panos
 parallelquery
 PAYG
+pagerduty
 persistentvolume
 persistentvolumeclaim
 Pids

providers/grafana/connection/connection.go

@@ -115,6 +115,9 @@ func (c *GrafanaConnection) Get(ctx context.Context, path string) (*http.Respons
 	req.Header.Set("Authorization", "Bearer "+c.token)
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", "application/json")
+	if orgID := c.OrgID(); orgID != "" {
+		req.Header.Set("X-Grafana-Org-Id", orgID)
+	}
 	return c.client.Do(req)
 }
 

providers/grafana/resources/alerting.go

@@ -11,7 +11,6 @@ import (
 
 	"go.mondoo.com/mql/v13/llx"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
-	"go.mondoo.com/mql/v13/providers/grafana/connection"
 	"go.mondoo.com/mql/v13/types"
 )
 
@@ -33,7 +32,10 @@ type grafanaNotificationPolicyJSON struct {
 }
 
 func (g *mqlGrafana) contactPoints() ([]interface{}, error) {
-	conn := g.MqlRuntime.Connection.(*connection.GrafanaConnection)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := conn.Get(context.Background(), "/api/v1/provisioning/contact-points")
 	if err != nil {
 		return nil, err
@@ -82,7 +84,10 @@ func (c *mqlGrafanaContactPoint) id() (string, error) {
 }
 
 func (g *mqlGrafana) notificationPolicy() (*mqlGrafanaNotificationPolicy, error) {
-	conn := g.MqlRuntime.Connection.(*connection.GrafanaConnection)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := conn.Get(context.Background(), "/api/v1/provisioning/policies")
 	if err != nil {
 		return nil, err

providers/grafana/resources/datasources.go

@@ -11,7 +11,6 @@ import (
 
 	"go.mondoo.com/mql/v13/llx"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
-	"go.mondoo.com/mql/v13/providers/grafana/connection"
 )
 
 // grafanaDatasourceJSON mirrors one element of the /api/datasources response.
@@ -30,7 +29,10 @@ type grafanaDatasourceJSON struct {
 }
 
 func (g *mqlGrafana) datasources() ([]interface{}, error) {
-	conn := g.MqlRuntime.Connection.(*connection.GrafanaConnection)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := conn.Get(context.Background(), "/api/datasources")
 	if err != nil {
 		return nil, err

providers/grafana/resources/discovery.go

@@ -8,6 +8,8 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
 )
 
+// Discover is intentionally a no-op for the Grafana provider. The provider
+// operates in single-org scope — there are no sub-assets to discover.
 func Discover(runtime *plugin.Runtime, opts map[string]string) (*inventory.Inventory, error) {
 	return nil, nil
 }

providers/grafana/resources/service_accounts.go

@@ -11,7 +11,6 @@ import (
 	"strconv"
 
 	"go.mondoo.com/mql/v13/llx"
-	"go.mondoo.com/mql/v13/providers/grafana/connection"
 )
 
 // grafanaServiceAccountJSON mirrors one element of the /api/serviceaccounts/search response.
@@ -27,38 +26,61 @@ type grafanaServiceAccountJSON struct {
 
 // grafanaServiceAccountsResponse wraps the paginated service accounts endpoint.
 type grafanaServiceAccountsResponse struct {
-	ServiceAccounts []grafanaServiceAccountJSON `json:"serviceAccounts"`
+	TotalCount      int                             `json:"totalCount"`
+	ServiceAccounts []grafanaServiceAccountJSON      `json:"serviceAccounts"`
+	Page            int                             `json:"page"`
+	PerPage         int                             `json:"perPage"`
 }
 
 // grafanaTokenJSON mirrors one element of the /api/serviceaccounts/{id}/tokens response.
 type grafanaTokenJSON struct {
-	ID                     int     `json:"id"`
-	Name                   string  `json:"name"`
-	Created                string  `json:"created"`
-	Expiration             string  `json:"expiration"`
-	HasExpired             bool    `json:"hasExpired"`
-	SecondsTillExpiration  float64 `json:"secondsUntilExpiration"`
-	IsRevoked              bool    `json:"isRevoked"`
+	ID                    int     `json:"id"`
+	Name                  string  `json:"name"`
+	Created               string  `json:"created"`
+	Expiration            string  `json:"expiration"`
+	HasExpired            bool    `json:"hasExpired"`
+	SecondsTillExpiration float64 `json:"secondsUntilExpiration"`
+	IsRevoked             bool    `json:"isRevoked"`
 }
 
+const serviceAccountPageSize = 1000
+
 func (g *mqlGrafana) serviceAccounts() ([]interface{}, error) {
-	conn := g.MqlRuntime.Connection.(*connection.GrafanaConnection)
-	resp, err := conn.Get(context.Background(), "/api/serviceaccounts/search?perpage=1000&page=1")
+	conn, err := grafanaConnection(g.MqlRuntime)
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("grafana: GET /api/serviceaccounts/search returned status %d", resp.StatusCode)
-	}
 
-	var result grafanaServiceAccountsResponse
-	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
-		return nil, fmt.Errorf("grafana: decoding /api/serviceaccounts/search response: %w", err)
+	// Paginate through all service accounts. The API returns at most perpage
+	// results per request; we stop when we've collected totalCount or the
+	// page returns fewer results than requested.
+	var allSAs []grafanaServiceAccountJSON
+	for page := 1; ; page++ {
+		path := fmt.Sprintf("/api/serviceaccounts/search?perpage=%d&page=%d", serviceAccountPageSize, page)
+		resp, err := conn.Get(context.Background(), path)
+		if err != nil {
+			return nil, err
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != http.StatusOK {
+			return nil, fmt.Errorf("grafana: GET /api/serviceaccounts/search returned status %d", resp.StatusCode)
+		}
+
+		var result grafanaServiceAccountsResponse
+		if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+			return nil, fmt.Errorf("grafana: decoding /api/serviceaccounts/search response: %w", err)
+		}
+
+		allSAs = append(allSAs, result.ServiceAccounts...)
+
+		// Stop when we've fetched everything or the page was not full.
+		if len(allSAs) >= result.TotalCount || len(result.ServiceAccounts) < serviceAccountPageSize {
+			break
+		}
 	}
 
-	list := make([]interface{}, 0, len(result.ServiceAccounts))
-	for _, sa := range result.ServiceAccounts {
+	list := make([]interface{}, 0, len(allSAs))
+	for _, sa := range allSAs {
 		res, err := CreateResource(g.MqlRuntime, "grafana.serviceAccount", map[string]*llx.RawData{
 			"id":         llx.IntData(int64(sa.ID)),
 			"orgId":      llx.IntData(int64(sa.OrgID)),
@@ -81,7 +103,10 @@ func (g *mqlGrafanaServiceAccount) id() (string, error) {
 }
 
 func (g *mqlGrafanaServiceAccount) tokens() ([]interface{}, error) {
-	conn := g.MqlRuntime.Connection.(*connection.GrafanaConnection)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	saID := g.Id.Data
 	path := "/api/serviceaccounts/" + strconv.FormatInt(saID, 10) + "/tokens"
 

providers/grafana/resources/users.go

@@ -17,9 +17,14 @@ import (
 )
 
 // grafanaConnection is a helper that type-asserts the runtime connection to
-// *connection.GrafanaConnection. All resource methods use this to obtain the client.
-func grafanaConnection(runtime *plugin.Runtime) *connection.GrafanaConnection {
-	return runtime.Connection.(*connection.GrafanaConnection)
+// *connection.GrafanaConnection. All resource methods must use this instead of
+// raw type assertions to get a clear error on misconfigured runtimes.
+func grafanaConnection(runtime *plugin.Runtime) (*connection.GrafanaConnection, error) {
+	conn, ok := runtime.Connection.(*connection.GrafanaConnection)
+	if !ok {
+		return nil, fmt.Errorf("grafana: unexpected connection type %T", runtime.Connection)
+	}
+	return conn, nil
 }
 
 // parseGrafanaTime parses a Grafana RFC3339 timestamp, returning the zero
@@ -51,7 +56,10 @@ type grafanaOrgUserJSON struct {
 }
 
 func (g *mqlGrafana) organization() (*mqlGrafanaOrganization, error) {
-	conn := grafanaConnection(g.MqlRuntime)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := conn.Get(context.Background(), "/api/org")
 	if err != nil {
 		return nil, err
@@ -77,7 +85,10 @@ func (g *mqlGrafana) organization() (*mqlGrafanaOrganization, error) {
 }
 
 func (g *mqlGrafana) users() ([]interface{}, error) {
-	conn := grafanaConnection(g.MqlRuntime)
+	conn, err := grafanaConnection(g.MqlRuntime)
+	if err != nil {
+		return nil, err
+	}
 	resp, err := conn.Get(context.Background(), "/api/org/users")
 	if err != nil {
 		return nil, err