github · mnkiefer · May 19, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/.github/workflows/shared/otlp-backends.md → .github/workflows/shared/datadog.md b/.github/workflows/shared/otlp-backends.md → .github/workflows/shared/datadog.md
@@ -1,20 +1,12 @@
 ---
 network:
   allowed:
-    - "*.sentry.io"
-    - "*.grafana.net"
     - "*.datadoghq.com"
     - "*.datadoghq.eu"
     - "*.ddog-gov.com"
 observability:
   otlp:
     endpoint:
-      - url: ${{ secrets.GH_AW_OTEL_SENTRY_ENDPOINT }}
-        headers:
-          Authorization: ${{ secrets.GH_AW_OTEL_SENTRY_AUTHORIZATION }}
-      - url: ${{ secrets.GH_AW_OTEL_GRAFANA_ENDPOINT }}
-        headers:
-          Authorization: ${{ secrets.GH_AW_OTEL_GRAFANA_AUTHORIZATION }}
       - url: ${{ secrets.GH_AW_OTEL_DATADOG_ENDPOINT || format('https://otlp-intake.{0}/v1/traces', secrets.DD_SITE || 'datadoghq.com') }}
         headers:
           DD-API-KEY: ${{ secrets.GH_AW_OTEL_DATADOG_API_KEY || secrets.DD_API_KEY }}
@@ -24,9 +16,5 @@ observability:
 
 Consumers of this shared import must provision the following secrets:
 
-- `GH_AW_OTEL_SENTRY_ENDPOINT`
-- `GH_AW_OTEL_SENTRY_AUTHORIZATION`
-- `GH_AW_OTEL_GRAFANA_ENDPOINT`
-- `GH_AW_OTEL_GRAFANA_AUTHORIZATION`
 - `GH_AW_OTEL_DATADOG_ENDPOINT` (optional; defaults to `https://otlp-intake.${DD_SITE}/v1/traces`)
 - `GH_AW_OTEL_DATADOG_API_KEY` (optional; falls back to `DD_API_KEY`)
diff --git a/.github/workflows/shared/grafana.md b/.github/workflows/shared/grafana.md
@@ -0,0 +1,18 @@
+---
+network:
+  allowed:
+    - "*.grafana.net"
+observability:
+  otlp:
+    endpoint:
+      - url: ${{ secrets.GH_AW_OTEL_GRAFANA_ENDPOINT }}
+        headers:
+          Authorization: ${{ secrets.GH_AW_OTEL_GRAFANA_AUTHORIZATION }}
+---
+
+## Required secrets
+
+Consumers of this shared import must provision the following secrets:
+
+- `GH_AW_OTEL_GRAFANA_ENDPOINT`
+- `GH_AW_OTEL_GRAFANA_AUTHORIZATION`
diff --git a/.github/workflows/shared/sentry.md b/.github/workflows/shared/sentry.md
@@ -0,0 +1,18 @@
+---
+network:
+  allowed:
+    - "*.sentry.io"
+observability:
+  otlp:
+    endpoint:
+      - url: ${{ secrets.GH_AW_OTEL_SENTRY_ENDPOINT }}
+        headers:
+          Authorization: ${{ secrets.GH_AW_OTEL_SENTRY_AUTHORIZATION }}
+---
+
+## Required secrets
+
+Consumers of this shared import must provision the following secrets:
+
+- `GH_AW_OTEL_SENTRY_ENDPOINT`
+- `GH_AW_OTEL_SENTRY_AUTHORIZATION`
diff --git a/.github/workflows/smoke-otel-backends.lock.yml b/.github/workflows/smoke-otel-backends.lock.yml
diff --git a/.github/workflows/smoke-otel-backends.md b/.github/workflows/smoke-otel-backends.md
@@ -37,7 +37,9 @@ imports:
   - shared/mcp/grafana.md
   - shared/mcp/sentry.md
   - shared/otel-queries.md
-  - shared/otlp-backends.md
+  - shared/sentry.md
+  - shared/grafana.md
+  - shared/datadog.md
 ---
 
 # Smoke OTEL

diff --git a/pkg/workflow/expression_extraction_test.go b/pkg/workflow/expression_extraction_test.go
@@ -651,7 +651,7 @@ func TestExtractTerminalSubExpressions(t *testing.T) {
 			want:    []string{"steps.foo.outputs.bar"},
 		},
 		{
-			name:    "simple expression (no operators) — single qualifying token is returned",
+			name: "simple expression (no operators) — single qualifying token is returned",
 			// Note: ExtractExpressions guards the call with !simpleIdentifierRegex,
 			// so this case never arises in production; but the function is correct regardless.
 			content: "steps.sanitized.outputs.text",