attestation: hardcode measurements for v2.19.0

deps: update versions to v2.19.0
chore: update version.txt to v2.19.0
2025-04-10 09:59:10 -04:00 · 2024-10-18 11:57:14 +00:00 · 2024-10-18 11:21:12 +00:00 · 2024-10-18 11:21:00 +00:00
780 changed files with 10290 additions and 61266 deletions
--- a/.bazelversion
+++ b/.bazelversion
@ -1 +1 @@
-7.6.0
+7.3.2
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@ -28,7 +28,7 @@ runs:
      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"

    - name: Download the artifact
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@ -69,7 +69,7 @@ runs:
        done

    - name: Upload archive as artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@ -79,7 +79,7 @@ runs:
    # once it has the functionality
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

    - name: Install Rekor
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@ -42,7 +42,7 @@ runs:

    - name: Docker metadata
      id: meta
-      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
      with:
        images: |
          ghcr.io/${{ github.repository }}/${{ inputs.name }}
@ -62,7 +62,7 @@ runs:

    - name: Build and push container image
      id: build-micro-service
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
      with:
        context: .
        file: ${{ inputs.dockerfile }}
--- a/.github/actions/cdbg_deploy/action.yml
+++ b/.github/actions/cdbg_deploy/action.yml
@ -61,7 +61,7 @@ runs:

    - name: Login to AWS (IAM service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -80,7 +80,7 @@ runs:

    - name: Login to AWS (Cluster service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/check_measurements_reproducibility/action.yml
+++ b/.github/actions/check_measurements_reproducibility/action.yml
@ -1,64 +0,0 @@
-name: Check measurements reproducibility
-description: Check if the measurements of a given release are reproducible.
-
-inputs:
-  version:
-    type: string
-    description: The version of the measurements that are downloaded from the CDN.
-    required: true
-  ref:
-    type: string
-    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ inputs.ref }}
-        path: ./release
-
-    - name: Set up bazel
-      uses: ./.github/actions/setup_bazel_nix
-      with:
-        useCache: "false"
-        nixTools: |
-          systemdUkify
-          jq
-          jd-diff-patch
-          moreutils
-
-    - name: Allow unrestricted user namespaces
-      shell: bash
-      run: |
-        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
-        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
-
-    - name: Build images
-      id: build-images
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        # Build required binaries
-        pushd release
-        bazel build //image/system:stable
-        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
-        popd
-
-    - name: Download measurements
-      shell: bash
-      run: |
-        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
-
-    - name: Cleanup release measurements and generate our own
-      shell: bash
-      run: |
-        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
-
-    - name: Compare measurements
-      shell: bash
-      run: |
-        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
--- a/.github/actions/check_measurements_reproducibility/compare_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/compare_measurements.sh
@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-# no -e since we need to collect errors later
-# no -u since it interferes with checking associative arrays
-set -o pipefail
-shopt -s extglob
-
-declare -A errors
-
-for directory in "$1"/system/!(mkosi_wrapper.sh); do
-  dirname="$(basename "$directory")"
-  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
-
-  echo "Their measurements for $attestationVariant:"
-  ts "  " < "$attestationVariant"_their-measurements.json
-  echo "Own measurements for $attestationVariant:"
-  ts "  " < "$attestationVariant"_own-measurements.json
-
-  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
-  if [[ -n $diff ]]; then
-    errors["$attestationVariant"]="$diff"
-  fi
-done
-
-for attestationVariant in "${!errors[@]}"; do
-  echo "Failed to reproduce measurements for $attestationVariant:"
-  echo "${errors["$attestationVariant"]}" | ts "  "
-done
-
-if [[ ${#errors[@]} -ne 0 ]]; then
-  exit 1
-fi
--- a/.github/actions/check_measurements_reproducibility/create_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/create_measurements.sh
@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-shopt -s extglob
-
-for directory in "$1"/system/!(mkosi_wrapper.sh); do
-  dirname="$(basename "$directory")"
-  csp="$(echo "$dirname" | cut -d_ -f1)"
-  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
-
-  # This jq filter selects the measurements for the correct CSP and attestation variant
-  # and then removes all `warnOnly: true` measurements.
-  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
-    '
-      .list.[]
-      | select(
-        .attestationVariant == $attestation_variant
-        and (.csp | ascii_downcase) == $csp
-      )
-      | .measurements
-      | to_entries
-      | map(select(.value.warnOnly | not))
-      | from_entries
-      | del(.[] .warnOnly)
-  ' \
-    measurements.json > "$attestationVariant"_their-measurements.json
-
-  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
-done
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -257,9 +257,9 @@ runs:
      continue-on-error: true
      uses: ./.github/actions/artifact_upload
      with:
-        name: debug-logs-${{ inputs.artifactNameSuffix }}
-        path: |
-          *.log
+        name: serial-logs-${{ inputs.artifactNameSuffix }}
+        path: >
+          !(terraform).log
        encryptionSecret: ${{ inputs.encryptionSecret }}

    - name: Prepare terraform state folders
@ -268,12 +268,9 @@ runs:
      run: |
        mkdir to-zip
        cp -r constellation-terraform to-zip
-        # constellation-iam-terraform is optional
-        if [ -d constellation-iam-terraform ]; then
-          cp -r constellation-iam-terraform to-zip
-        fi
+        cp -r constellation-iam-terraform to-zip
        rm -f to-zip/constellation-terraform/plan.zip
-        rm -rf to-zip/*/.terraform
+        rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform

    - name: Upload terraform state
      if: always()
--- a/.github/actions/constellation_destroy/action.yml
+++ b/.github/actions/constellation_destroy/action.yml
@ -67,7 +67,7 @@ runs:

    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/constellation_iam_create/action.yml
+++ b/.github/actions/constellation_iam_create/action.yml
@ -42,15 +42,6 @@ inputs:
  gcpZone:
    description: "The GCP zone to deploy Constellation in."
    required: false
-  #
-  # STACKIT specific inputs
-  #
-  stackitZone:
-    description: "The STACKIT zone to deploy Constellation in."
-    required: false
-  stackitProjectID:
-    description: "The STACKIT project ID to deploy Constellation in."
-    required: false

 runs:
  using: "composite"
@ -102,7 +93,6 @@ runs:
          --tf-log=DEBUG \
          --yes ${extraFlags}

-    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
    - name: Constellation iam create gcp
      shell: bash
      if: inputs.cloudProvider == 'gcp'
@ -114,13 +104,3 @@ runs:
          --update-config \
          --tf-log=DEBUG \
          --yes
-
-    - name: Set STACKIT-specific configuration
-      shell: bash
-      if: inputs.cloudProvider == 'stackit'
-      env:
-        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
-      run: |
-        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
-        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
-        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
--- a/.github/actions/constellation_iam_destroy/action.yml
+++ b/.github/actions/constellation_iam_destroy/action.yml
@ -23,7 +23,7 @@ runs:

    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
--- a/.github/actions/container_registry_login/action.yml
+++ b/.github/actions/container_registry_login/action.yml
@ -17,7 +17,7 @@ runs:
  steps:
    - name: Use docker for logging in
      if: runner.os != 'macOS'
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.username }}
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -19,7 +19,7 @@ runs:
  steps:
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

    - name: Download Syft & Grype
      uses: ./.github/actions/install_syft_grype
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@ -67,7 +67,7 @@ runs:
    # Make sure that helm is installed
    # This is not always the case, e.g. on MacOS runners
    - name: Install Helm
-      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
      with:
        version: v3.9.0

--- a/.github/actions/download_release_binaries/action.yml
+++ b/.github/actions/download_release_binaries/action.yml
@ -5,51 +5,51 @@ runs:
  using: "composite"
  steps:
    - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-darwin-amd64

    - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-darwin-arm64

    - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-linux-amd64

    - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-linux-arm64

    - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-windows-amd64

    - name: Download Terraform module
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-module

    - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-darwin-amd64

    - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-darwin-arm64

    - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-linux-amd64

    - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-linux-arm64
--- a/.github/actions/e2e_attestationconfigapi/action.yml
+++ b/.github/actions/e2e_attestationconfigapi/action.yml
@ -19,7 +19,7 @@ runs:
      uses: ./.github/actions/setup_bazel_nix

    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
        aws-region: eu-west-1
--- a/.github/actions/e2e_autoscaling/action.yml
+++ b/.github/actions/e2e_autoscaling/action.yml
@ -82,30 +82,7 @@ runs:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        worker_count=${{ steps.worker_count.outputs.worker_count }}
-
-        cat <<EOF | kubectl apply -f -
-        kind: Deployment
-        apiVersion: apps/v1
-        metadata:
-          name: nginx
-          namespace: default
-        spec:
-          replicas: $(( 110 * (worker_count + 1) + 55 ))
-          strategy:
-            rollingUpdate:
-              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
-          selector:
-            matchLabels:
-              app: nginx
-          template:
-            metadata:
-              labels:
-                app: nginx
-            spec:
-              containers:
-              - name: nginx
-                image: nginx
-        EOF
+        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))

    - name: Wait for autoscaling and check result
      shell: bash
--- a/.github/actions/e2e_benchmark/action.yml
+++ b/.github/actions/e2e_benchmark/action.yml
@ -32,9 +32,9 @@ runs:

  steps:
    - name: Setup python
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
      with:
-        python-version: "3.13"
+        python-version: "3.10"

    - name: Install kubestr
      shell: bash
@ -48,7 +48,7 @@ runs:
        install kubestr /usr/local/bin

    - name: Checkout k8s-bench-suite
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        fetch-depth: 0
        repository: "edgelesssys/k8s-bench-suite"
@ -166,7 +166,7 @@ runs:
        encryptionSecret: ${{ inputs.encryptionSecret }}

    - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
        aws-region: us-east-2
--- a/.github/actions/e2e_benchmark/evaluate/requirements.txt
+++ b/.github/actions/e2e_benchmark/evaluate/requirements.txt
@ -1,3 +1,3 @@
-numpy ==2.2.4
-matplotlib ==3.10.1
-Pillow ==11.1.0
+numpy ==1.26.4
+matplotlib ==3.8.3
+Pillow ==10.3.0
--- a/.github/actions/e2e_cleanup_timeframe/action.yml
+++ b/.github/actions/e2e_cleanup_timeframe/action.yml
@ -11,18 +11,12 @@ inputs:
  azure_credentials:
    description: "Credentials authorized to create Constellation on Azure."
    required: true
-  openStackCloudsYaml:
-    description: "The contents of ~/.config/openstack/clouds.yaml"
-    required: false
-  stackitUat:
-    description: "The UAT for STACKIT"
-    required: false

 runs:
  using: "composite"
  steps:
    - name: Authenticate AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
        aws-region: eu-central-1
@ -37,16 +31,6 @@ runs:
      with:
        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"

-    - name: Login to OpenStack
-      uses: ./.github/actions/login_openstack
-      with:
-        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
-
-    - name: Login to STACKIT
-      uses: ./.github/actions/login_stackit
-      with:
-        serviceAccountToken: ${{ inputs.stackitUat }}
-
    - name: Install tools
      uses: ./.github/actions/setup_bazel_nix
      with:
--- a/.github/actions/e2e_emergency_ssh/action.yml
+++ b/.github/actions/e2e_emergency_ssh/action.yml
@ -1,68 +0,0 @@
-name: Emergency ssh
-description: "Verify that an emergency ssh connection can be established."
-
-inputs:
-  kubeconfig:
-    description: "The kubeconfig file for the cluster."
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Test emergency ssh
-      shell: bash
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
-        set -euo pipefail
-
-        # Activate emergency ssh access to the cluster
-        pushd ./constellation-terraform
-        echo "emergency_ssh = true" >> terraform.tfvars
-        terraform apply -auto-approve
-        lb="$(terraform output -raw loadbalancer_address)"
-        popd
-
-        # write ssh config
-        cat > ssh_config <<EOF
-        Host $lb
-          ProxyJump none
-
-        Host *
-          StrictHostKeyChecking no
-          UserKnownHostsFile=/dev/null
-          IdentityFile ./access-key
-          PreferredAuthentications publickey
-          CertificateFile=constellation_cert.pub
-          User root
-          ProxyJump $lb
-        EOF
-
-        for i in {1..26}; do
-          if [[ "$i" -eq 26 ]]; then
-            echo "Port 22 never became reachable"
-            exit 1
-          fi
-          echo "Waiting until port 22 is reachable: $i/25"
-          if nc -z -w 25 "$lb" 22; then
-            break
-          fi
-        done
-
-        # generate and try keypair
-        ssh-keygen -t ecdsa -q -N "" -f ./access-key
-        constellation ssh --debug --key ./access-key.pub
-        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
-        for ip in $internalIPs; do
-          for i in {1..26}; do
-            if [[ "$i" -eq 26 ]]; then
-              echo "Failed to connect to $ip over $lb"
-              exit 1
-            fi
-            echo "Trying connection to $ip over $lb: $i/25"
-            if ssh -F ssh_config -o BatchMode=yes $ip true; then
-              echo "Connected to $ip successfully"
-              break
-            fi
-          done
-        done
--- a/.github/actions/e2e_mini/action.yml
+++ b/.github/actions/e2e_mini/action.yml
@ -25,7 +25,7 @@ runs:
  using: "composite"
  steps:
    - name: Install terraform
-      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
      with:
        terraform_wrapper: false

--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml
@ -70,7 +70,7 @@ runs:

    - name: Publish test results
      if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@cf701569b05ccdd861a76b8607a66d76f6fd4857 # v5.5.1
+      uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
      with:
        report_paths: "**/junit_01.xml"
        fail_on_failure: true
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -56,7 +56,7 @@ inputs:
    description: "Azure credentials authorized to create an IAM configuration."
    required: true
  test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
    required: true
  sonobuoyTestSuiteCmd:
    description: "The sonobuoy test suite to run."
@ -93,15 +93,6 @@ inputs:
  encryptionSecret:
    description: "The secret to use for decrypting the artifact."
    required: true
-  openStackCloudsYaml:
-    description: "The contents of ~/.config/openstack/clouds.yaml"
-    required: false
-  stackitUat:
-    description: "The UAT for STACKIT"
-    required: false
-  stackitProjectID:
-    description: "The STACKIT project ID to deploy Constellation in."
-    required: false

 outputs:
  kubeconfig:
@ -115,7 +106,7 @@ runs:
  using: "composite"
  steps:
    - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
      shell: bash
      run: |
        echo "::error::Invalid input for test field: ${{ inputs.test }}"
@ -149,8 +140,6 @@ runs:

    - name: Setup bazel
      uses: ./.github/actions/setup_bazel_nix
-      with:
-        nixTools: terraform

    - name: Log in to the Container registry
      uses: ./.github/actions/container_registry_login
@ -227,7 +216,7 @@ runs:

    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -240,30 +229,12 @@ runs:
      with:
        azure_credentials: ${{ inputs.azureIAMCreateCredentials }}

-    - name: Login to OpenStack
-      if: inputs.cloudProvider == 'stackit'
-      uses: ./.github/actions/login_openstack
-      with:
-        clouds_yaml: ${{inputs.openStackCloudsYaml }}
-
-    - name: Login to STACKIT
-      if: inputs.cloudProvider == 'stackit'
-      uses: ./.github/actions/login_stackit
-      with:
-        serviceAccountToken: ${{ inputs.stackitUat }}
-
    - name: Create prefix
      id: create-prefix
      shell: bash
      run: |
        uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
        uuid=${uuid%%-*}
-
-        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
-        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
-          uuid=${uuid:0:6}
-        fi
-
        echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
        echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT

@ -273,7 +244,7 @@ runs:
      with:
        attestationVariant: ${{ inputs.attestationVariant }}

-    - name: Create Constellation config and IAM
+    - name: Create IAM configuration
      id: constellation-iam-create
      uses: ./.github/actions/constellation_iam_create
      with:
@ -285,8 +256,6 @@ runs:
        azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
        gcpProjectID: ${{ inputs.gcpProject }}
        gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
-        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
-        stackitProjectID: ${{ inputs.stackitProjectID }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
        additionalTags: "workflow=${{ github.run_id }}"

@ -298,7 +267,7 @@ runs:

    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
@ -452,9 +421,3 @@ runs:
        s3AccessKey: ${{ inputs.s3AccessKey }}
        s3SecretKey: ${{ inputs.s3SecretKey }}
        githubToken: ${{ inputs.githubToken }}
-    
-    - name: Run emergency ssh test
-      if: inputs.test == 'emergency ssh'
-      uses: ./.github/actions/e2e_emergency_ssh
-      with:
-        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
--- a/.github/actions/e2e_verify/action.yml
+++ b/.github/actions/e2e_verify/action.yml
@ -82,7 +82,7 @@ runs:

    - name: Login to AWS
      if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1
--- a/.github/actions/find_latest_image/action.yml
+++ b/.github/actions/find_latest_image/action.yml
@ -26,19 +26,19 @@ runs:
  steps:
    - name: Checkout head
      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

    - name: Checkout ref
      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ inputs.git-ref }}

    - name: Login to AWS
      if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/login_azure/action.yml
+++ b/.github/actions/login_azure/action.yml
@ -10,6 +10,6 @@ runs:
    # As described at:
    # https://github.com/Azure/login#configure-deployment-credentials
    - name: Login to Azure
-      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
      with:
        creds: ${{ inputs.azure_credentials }}
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@ -20,11 +20,11 @@ runs:
        echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"

    - name: Authorize GCP access
-      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
      with:
-        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
        service_account: ${{ inputs.service_account }}

    # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
    - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
--- a/.github/actions/login_stackit/action.yml
+++ b/.github/actions/login_stackit/action.yml
@ -1,16 +0,0 @@
-name: STACKIT login
-description: "Login to STACKIT"
-inputs:
-  serviceAccountToken:
-    description: "Credentials authorized to create Constellation on STACKIT."
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Login to STACKIT
-      env:
-        UAT: ${{ inputs.serviceAccountToken }}
-      shell: bash
-      run: |
-          mkdir -p ~/.stackit
-          echo "${UAT}" > ~/.stackit/credentials.json
--- a/.github/actions/notify_stackit/action.yml
+++ b/.github/actions/notify_stackit/action.yml
@ -1,19 +0,0 @@
-name: Notify STACKIT
-description: "Notify STACKIT about test failure"
-inputs:
-  slackToken:
-    description: "Slack access token."
-    required: true
-runs:
-  using: "composite"
-  steps:
-    - name: Notify STACKIT
-      env:
-        SLACK_TOKEN: ${{ inputs.slackToken }}
-      shell: bash
-      run: |
-          curl -X POST \
-            -H "Authorization: Bearer $SLACK_TOKEN" \
-            -H "Content-type: application/json; charset=utf-8" \
-            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
-            https://slack.com/api/chat.postMessage
--- a/.github/actions/publish_helmchart/action.yml
+++ b/.github/actions/publish_helmchart/action.yml
@ -13,7 +13,7 @@ runs:
  using: "composite"
  steps:
    - name: Checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: edgelesssys/helm
        ref: main
@ -29,7 +29,7 @@ runs:
        echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT

    - name: Create pull request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
      with:
        path: helm
        branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
--- a/.github/actions/select_image/action.yml
+++ b/.github/actions/select_image/action.yml
@ -18,7 +18,7 @@ runs:
  using: "composite"
  steps:
    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/setup_bazel_nix/action.yml
+++ b/.github/actions/setup_bazel_nix/action.yml
@ -75,7 +75,6 @@ runs:
            echo "$RUNNER_ARCH not supported"
            exit 1
        fi
-        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
        echo "::endgroup::"

    - name: Install current Bash on macOS
@ -114,9 +113,7 @@ runs:

    - name: Install nix
      if: steps.check_inputs.outputs.nixPreinstalled == 'false'
-      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
-      with:
-        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

    - name: Set $USER if not set
      shell: bash
@ -221,7 +218,7 @@ runs:
        { tools, repository, rev }:
        let
          repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgs;
+          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
          pkgs = import nixpkgs { system = builtins.currentSystem; };
          toolPkgs = map (p: pkgs.${p}) tools;
        in
--- a/.github/actions/terraform_apply/action.yml
+++ b/.github/actions/terraform_apply/action.yml
@ -29,9 +29,6 @@ runs:
          "gcpSEVSNP")
            attestationVariant="gcp-sev-snp"
            ;;
-          "qemuVTPM")
-            attestationVariant="qemu-vtpm"
-            ;;
          *)
            echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
            exit 1
@ -47,7 +44,7 @@ runs:
            }
            random = {
              source  = "hashicorp/random"
-              version = "3.7.1"
+              version = "3.6.2"
            }
          }
        }
@ -109,16 +106,6 @@ runs:
            project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
            service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
          }
-          openstack = {
-            cloud                      = "stackit"
-            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
-            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
-            deploy_yawol_load_balancer = true
-            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
-            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
-            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
-            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
-          }
          network_config = {
            ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
            ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@ -15,7 +15,7 @@ runs:
        zip -r terraform-module.zip terraform-module

    - name: Upload artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: terraform-module
        path: terraform-module.zip
--- a/.github/workflows/assign_reviewer.yml
+++ b/.github/workflows/assign_reviewer.yml
@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' &&  github.event.pull_request.user.login == 'renovate[bot]'
    steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Pick assignee
      id: pick-assignee
      uses: ./.github/actions/pick_assignee
--- a/.github/workflows/aws-snp-launchmeasurement.yml
+++ b/.github/workflows/aws-snp-launchmeasurement.yml
@ -11,17 +11,17 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ github.head_ref }}
        path: constellation

    - name: Install Nix
-      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30

    - name: Download Firmware release
      id: download-firmware
-      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+      uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
      with:
        repository: aws/uefi
        latest: true
@ -44,7 +44,7 @@ jobs:
        echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
        popd || exit 1

-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: virtee/sev-snp-measure-go.git
        ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: [arc-runner-set]
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@ -19,24 +19,24 @@ jobs:
      latest: ${{ steps.find-latest.outputs.latest }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
          fetch-depth: 0

      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false

      - name: Install Crane
        run: |
-          go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
+          go install github.com/google/go-containerregistry/cmd/crane@latest

      - name: Find versions
        id: find-versions
@ -65,10 +65,10 @@ jobs:
        version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
@ -76,7 +76,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            ghcr.io/edgelesssys/cloud-provider-gcp
@ -113,7 +113,7 @@ jobs:

      - name: Build and push container image
        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
        with:
          context: ./cloud-provider-gcp
          push: ${{ github.ref_name == 'main' }}
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@ -69,7 +69,7 @@ jobs:

      - name: Checkout GoogleCloudPlatform/guest-agent
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "GoogleCloudPlatform/guest-agent"
          ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:

      - name: Checkout Constellation
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          path: "constellation"
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -85,7 +85,7 @@ jobs:
      - name: Docker meta
        id: meta
        if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@ -114,7 +114,7 @@ jobs:
      - name: Build and push container image
        if: steps.needs-build.outputs.out == 'true'
        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
        with:
          context: ./guest-agent
          file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
--- a/.github/workflows/build-libvirt-container.yml
+++ b/.github/workflows/build-libvirt-container.yml
@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
--- a/.github/workflows/build-logcollector-images.yml
+++ b/.github/workflows/build-logcollector-images.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-os-image-scheduled.yml
+++ b/.github/workflows/build-os-image-scheduled.yml
@ -59,15 +59,15 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}

      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false

      - name: Determine version
@ -97,7 +97,7 @@ jobs:
        run: rm -f internal/attestation/measurements/measurement-generator/generate

      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
@ -120,7 +120,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}

--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -59,7 +59,7 @@ jobs:
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -138,7 +138,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -147,7 +147,7 @@ jobs:
          useCache: "false"

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
@ -167,12 +167,6 @@ jobs:
        with:
          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

-      - name: Allow unrestricted user namespaces
-        shell: bash
-        run: |
-          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
-          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
-          
      - name: Build and upload
        id: build
        shell: bash
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@ -20,12 +20,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Link Checker
-        uses: lycheeverse/lychee-action@1d97d84f0bc547f7b25f4c2170d87d810dc2fb2c # v2.4.0
+        uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
        with:
          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
          fail: true
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ b/.github/workflows/check-measurements-reproducibility.yml
@ -1,25 +0,0 @@
-name: Check measurements reproducibility
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        type: string
-        description: The version of the measurements that are downloaded from the CDN.
-        required: true
-      ref:
-        type: string
-        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
-        required: true
-
-jobs:
-  check-reproducibility:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        
-      - name: Check reproducibility
-        uses: ./.github/actions/check_measurements_reproducibility
-        with:
-          version: ${{ github.event.inputs.version }}
-          ref: ${{ github.event.inputs.ref }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -34,17 +34,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup Go environment
        if: matrix.language == 'go'
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          languages: ${{ matrix.language }}

@ -63,6 +63,6 @@ jobs:
          echo "::endgroup::"

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/docs-vale.yml
+++ b/.github/workflows/docs-vale.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      # Work around https://github.com/errata-ai/vale-action/issues/128.
@ -25,8 +25,7 @@ jobs:
          python3 -m venv "$venv"
          echo "$venv/bin" >> "$GITHUB_PATH"
      - name: Vale
-        uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
+        uses: errata-ai/vale-action@91ac403e8d26f5aa1b3feaa86ca63065936a85b6 # tag=reviewdog
        with:
          files: docs/docs
          fail_on_error: true
-          version: 3.9.3
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@ -72,7 +72,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -92,8 +92,8 @@ jobs:
          cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        if : ${{ matrix.os != 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -101,8 +101,8 @@ jobs:
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig

      - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        if : ${{ matrix.os == 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -133,7 +133,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -149,16 +149,16 @@ jobs:
          targetArch: ${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        if : ${{ matrix.os != 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        if: ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        if : ${{ matrix.os == 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -169,7 +169,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -187,7 +187,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -219,7 +219,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -227,7 +227,7 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom

@ -256,12 +256,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

      - name: Download Syft & Grype
        uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
          COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: constellation.spdx.sbom
          path: constellation.spdx.sbom

      - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: constellation.spdx.sbom.sig
          path: constellation.spdx.sbom.sig
@ -316,14 +316,14 @@ jobs:
      - provenance-subjects
    # This must not be pinned to digest. See:
    # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"

  provenance-verify:
    runs-on: ubuntu-24.04
    env:
-      SLSA_VERIFIER_VERSION: "2.7.0"
+      SLSA_VERIFIER_VERSION: "2.5.1"
    needs:
      - build-cli
      - provenance
@ -332,7 +332,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -340,12 +340,12 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom

      - name: Download provenance
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

@ -405,7 +405,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -418,17 +418,17 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom

      - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom.sig

      - name: Download Constellation provenance
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

@ -472,7 +472,7 @@ jobs:
      - name: Create release with artifacts
        id: create-release
        # GitHub endorsed release project. See: https://github.com/actions/create-release
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          draft: true
          generate_release_notes: true
@ -487,7 +487,7 @@ jobs:
            terraform-module.zip

      - name: Create Terraform provider release with artifcats
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          draft: true
          generate_release_notes: false
--- a/.github/workflows/e2e-attestationconfigapi.yml
+++ b/.github/workflows/e2e-attestationconfigapi.yml
@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Don't trigger in forks, use head on pull requests, use default otherwise.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
--- a/.github/workflows/e2e-cleanup-weekly.yml
+++ b/.github/workflows/e2e-cleanup-weekly.yml
@ -4,7 +4,7 @@ on:
  schedule:
    - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
  workflow_dispatch:
-
+    

 jobs:
  cleanup:
@ -14,7 +14,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Cleanup
        uses: ./.github/actions/e2e_cleanup_timeframe
@ -22,5 +22,3 @@ jobs:
          ghToken: ${{ secrets.GITHUB_TOKEN }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
          azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
-          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
-          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@ -29,12 +29,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -21,7 +21,7 @@ jobs:
      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -45,7 +45,7 @@ jobs:
      fail-fast: false
      max-parallel: 5
      matrix:
-        kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+        kubernetesVersion: ["1.28"] # should be default
        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
        refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
        test: ["sonobuoy quick"]
@ -59,7 +59,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -159,12 +159,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-internal-lb.yml
+++ b/.github/workflows/e2e-test-internal-lb.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
+        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-marketplace-image.yml
+++ b/.github/workflows/e2e-test-marketplace-image.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
+        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-provider-example.yml
+++ b/.github/workflows/e2e-test-provider-example.yml
@ -71,7 +71,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -154,7 +154,7 @@ jobs:

      - name: Login to AWS (IAM + Cluster role)
        if: steps.determine.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
@ -337,12 +337,12 @@ jobs:
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
          terraform init
          if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
-            timeout 1h terraform apply -target module.azure_iam -auto-approve
-            timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
+            terraform apply -target module.azure_iam -auto-approve
+            terraform apply -target module.azure_infrastructure -auto-approve
            ${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
-            timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
+            terraform apply -target constellation_cluster.azure_example -auto-approve
          else
-            timeout 1h terraform apply -auto-approve
+            terraform apply -auto-approve
          fi

      - name: Cleanup Terraform Cluster on failure
@ -353,7 +353,7 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve -lock=false
+          terraform destroy -auto-approve

      - name: Add Provider to local Terraform registry # needed if release version was used before
        if: inputs.providerVersion != ''
@ -407,7 +407,7 @@ jobs:
        shell: bash
        run: |
          terraform init --upgrade
-          timeout 1h terraform apply -auto-approve
+          terraform apply -auto-approve

      - name: Assert upgrade successful
        working-directory: ${{ github.workspace }}/cluster
@ -475,11 +475,11 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve -lock=false
+          terraform destroy -auto-approve

      - name: Notify about failure
        if: |
-          (failure() || cancelled()) &&
+          failure() &&
          github.ref == 'refs/heads/main' &&
          github.event_name == 'schedule'
        continue-on-error: true
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -73,53 +73,53 @@ jobs:

          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"

          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"

@ -306,11 +306,11 @@ jobs:
          # - test: "verify"
          #  attestationVariant: "azure-sev-snp"
          #  kubernetes-version: "v1.30"
-          #  runner: "macos-latest"
+          #  runner: "macos-12"
          - test: "recover"
            attestationVariant: "gcp-sev-es"
            kubernetes-version: "v1.30"
-            runner: "macos-latest"
+            runner: "macos-12"
            clusterCreation: "cli"
    runs-on: ${{ matrix.runner }}
    permissions:
@ -326,7 +326,7 @@ jobs:
        run: brew install coreutils kubectl bash

      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref || github.head_ref }}
@ -342,7 +342,7 @@ jobs:

      - name: Set up gcloud CLI (macOS)
        if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0

      - name: Run E2E test
        id: e2e_test
@ -409,7 +409,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.22.0"]
+        fromVersion: ["v2.18.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
--- a/.github/workflows/e2e-test-stackit.yml
+++ b/.github/workflows/e2e-test-stackit.yml
@ -1,153 +0,0 @@
-name: e2e test STACKIT
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 0 * * *" # Every day at midnight.
-
-jobs:
-  find-latest-image:
-    name: Find latest image
-    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
-      contents: read
-    outputs:
-      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Select relevant image
-        id: select-image-action
-        uses: ./.github/actions/select_image
-        with:
-          osImage: "ref/release/stream/stable/?"
-
-      - name: Relabel output
-        id: relabel-output
-        shell: bash
-        run: |
-          ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
-          stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
-
-          echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
-
-  e2e-stackit:
-    strategy:
-      fail-fast: false
-      max-parallel: 6
-      matrix:
-        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
-        clusterCreation: [ "cli", "terraform" ]
-        test: [ "sonobuoy quick" ]
-    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
-      checks: write
-      contents: read
-      packages: write
-      actions: write
-    needs: [find-latest-image]
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Setup bazel
-        uses: ./.github/actions/setup_bazel_nix
-        with:
-          nixTools: terraform
-
-      - name: Run E2E test
-        id: e2e_test
-        uses: ./.github/actions/e2e_test
-        with:
-          workerNodesCount: "1"
-          controlNodesCount: "1"
-          cloudProvider: stackit
-          attestationVariant: qemu-vtpm
-          osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
-          isDebugImage: false
-          cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
-          kubernetesVersion: ${{ matrix.kubernetesVersion }}
-          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
-          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
-          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
-          gcpProject: constellation-e2e
-          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
-          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
-          test: ${{ matrix.test }}
-          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
-          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          registry: ghcr.io
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
-          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
-          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          fetchMeasurements: false
-          clusterCreation: ${{ matrix.clusterCreation }}
-          s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
-          s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
-          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
-          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
-          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
-
-      - name: Always terminate cluster
-        if: always()
-        uses: ./.github/actions/constellation_destroy
-        with:
-          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
-          clusterCreation: ${{ matrix.clusterCreation }}
-          cloudProvider: stackit
-          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
-          gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
-
-      - name: Always delete IAM configuration
-        if: always()
-        uses: ./.github/actions/constellation_iam_destroy
-        with:
-          cloudProvider: stackit
-          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
-          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
-
-      - name: Update tfstate
-        if: always()
-        env:
-          GH_TOKEN: ${{ github.token }}
-        uses: ./.github/actions/update_tfstate
-        with:
-          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
-          runID: ${{ github.run_id }}
-          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
-
-      - name: Notify about failure
-        if: |
-          failure() &&
-          github.ref == 'refs/heads/main' &&
-          github.event_name == 'schedule'
-        continue-on-error: true
-        uses: ./.github/actions/notify_e2e_failure
-        with:
-          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
-          refStream: "ref/release/stream/stable/?"
-          test: ${{ matrix.test }}
-          kubernetesVersion: ${{ matrix.kubernetesVersion }}
-          provider: stackit
-          attestationVariant: qemu-vtpm
-          clusterCreation: ${{ matrix.clusterCreation }}
-
-      - name: Notify STACKIT
-        if: |
-          failure() &&
-          github.ref == 'refs/heads/main' &&
-          github.event_name == 'schedule'
-        continue-on-error: true
-        uses: ./.github/actions/notify_stackit
-        with:
-          slackToken: ${{ secrets.SLACK_TOKEN }}
--- a/.github/workflows/e2e-test-terraform-provider.yml
+++ b/.github/workflows/e2e-test-terraform-provider.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
+        default: "1.28"
        required: true
      releaseVersion:
        description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -10,7 +10,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
    name: Find latest image
    runs-on: ubuntu-24.04
    permissions:
@ -22,7 +22,7 @@ jobs:
      image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -51,33 +51,6 @@ jobs:
          # Tests on main-debug refStream
          #

-          # Emergency SSH test on latest k8s version
-          - test: "emergency ssh"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
-            clusterCreation: "cli"
-          - test: "emergency ssh"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
-            clusterCreation: "cli"
-          - test: "emergency ssh"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
-            clusterCreation: "cli"
-          - test: "emergency ssh"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
-            clusterCreation: "cli"
-          - test: "emergency ssh"
-            refStream: "ref/main/stream/debug/?"
-            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
-            clusterCreation: "cli"
-
          # Sonobuoy full test on latest k8s version
          - test: "sonobuoy full"
            refStream: "ref/main/stream/debug/?"
@ -116,55 +89,56 @@ jobs:
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"

          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"

+
          # verify test on latest k8s version
          - test: "verify"
            refStream: "ref/main/stream/debug/?"
@ -316,27 +290,27 @@ jobs:
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"

    runs-on: ubuntu-24.04
@ -349,7 +323,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -446,7 +420,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.22.0"]
+        fromVersion: ["v2.18.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
@ -474,12 +448,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -16,7 +16,6 @@ on:
          - "azure-sev-snp"
          - "azure-tdx"
          - "aws-sev-snp"
-          - "stackit-qemu-vtpm"
        default: "azure-sev-snp"
        required: true
      runner:
@ -24,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
@ -40,12 +39,11 @@ on:
          - "recover"
          - "malicious join"
          - "s3proxy"
-          - "emergency ssh"
          - "nop"
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.30"
+        default: "1.29"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@ -139,7 +137,6 @@ jobs:
      workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
      controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
      cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
-      attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
    steps:
      - name: Split nodeCount
        id: split-nodeCount
@ -164,12 +161,6 @@ jobs:
          attestationVariant="${{ inputs.attestationVariant }}"
          cloudProvider="${attestationVariant%%-*}"

-          # special case for STACKIT, as there's no special attestation variant for it
-          if [[ "${cloudProvider}" == "stackit" ]]; then
-            attestationVariant="qemu-vtpm"
-          fi
-
-          echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"

  find-latest-image:
@ -184,13 +175,13 @@ jobs:
    steps:
      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.git-ref }}

@ -221,19 +212,19 @@ jobs:

      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.git-ref }}

      - name: Set up gcloud CLI (macOS)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0

      - name: Run manual E2E test
        id: e2e_test
@ -242,7 +233,7 @@ jobs:
          workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
          controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
-          attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
+          attestationVariant: ${{ inputs.attestationVariant }}
          machineType: ${{ inputs.machineType }}
          regionZone: ${{ inputs.regionZone }}
          gcpProject: constellation-e2e
@ -271,9 +262,6 @@ jobs:
          marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
          force: ${{ inputs.force }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
-          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
-          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
-          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}

      - name: Always terminate cluster
        if: always()
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@ -132,6 +132,57 @@ jobs:

          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"

+  build-target-cli:
+    name: Build upgrade target version CLI
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        if: inputs.gitRef == 'head'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Checkout ref
+        if: inputs.gitRef != 'head'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.gitRef }}
+
+      - name: Setup Bazel & Nix
+        uses: ./.github/actions/setup_bazel_nix
+
+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Simulate patch upgrade
+        if: inputs.simulatedTargetVersion != ''
+        run: |
+          echo ${{ inputs.simulatedTargetVersion }} > version.txt
+
+      - name: Build CLI
+        uses: ./.github/actions/build_cli
+        with:
+          enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
+
+      - name: Upload CLI binary
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build/constellation
+
  create-cluster:
    name: Create upgrade origin version cluster
    runs-on: ubuntu-24.04
@ -147,14 +198,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -228,18 +279,19 @@ jobs:
      packages: write
    needs:
      - generate-input-parameters
+      - build-target-cli
      - create-cluster
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -247,34 +299,8 @@ jobs:
      - name: Setup Bazel & Nix
        uses: ./.github/actions/setup_bazel_nix

-      - name: Log in to the Container registry
-        uses: ./.github/actions/container_registry_login
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # applying the version manipulation here so that the upgrade test tool is also on the simulated target version
-      - name: Simulate patch upgrade
-        if: inputs.simulatedTargetVersion != ''
-        run: |
-          echo ${{ inputs.simulatedTargetVersion }} > version.txt
-
-      - name: Build CLI
-        uses: ./.github/actions/build_cli
-        with:
-          enterpriseCLI: true
-          outputPath: "build/constellation"
-          push: true
-
-      - name: Upload CLI binary # is needed for the cleanup step
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: constellation-upgrade-${{ inputs.attestationVariant }}
-          path: build/constellation
-
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
@ -296,7 +322,7 @@ jobs:

      - name: Login to AWS (IAM role)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
          aws-region: eu-central-1
@ -309,6 +335,11 @@ jobs:
        with:
          azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}

+      - name: Download CLI
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build

      - name: Download Working Directory (Pre-test)
        uses: ./.github/actions/artifact_download
@ -347,7 +378,7 @@ jobs:

      - name: Login to AWS (Cluster role)
        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
          aws-region: eu-central-1
@ -373,9 +404,15 @@ jobs:
          echo "K8s target: $KUBERNETES"
          echo "Microservice target: $MICROSERVICES"

+          if [[ -n ${MICROSERVICES} ]]; then
+            MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
+          fi
+          if [[ -n ${KUBERNETES} ]]; then
+            KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
+          fi
+
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
-          CLI=$(realpath ./build/constellation)
-          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"
+          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"

      - name: Remove Terraform plugin cache
        if: always()
@ -411,20 +448,20 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}

      - name: Download CLI
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@ -21,7 +21,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -45,23 +45,23 @@ jobs:
          push: true

      - name: Upload CLI artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          path: build/constellation.exe
          name: "constell-exe"

  e2e-test:
    name: E2E Test Windows
-    runs-on: windows-2025
+    runs-on: windows-2022
    needs: build-cli
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download CLI artifact
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "constell-exe"

@ -186,7 +186,7 @@ jobs:
      inputs.scheduled
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@ -26,7 +26,7 @@ jobs:
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0 # fetch all history

@ -49,7 +49,7 @@ jobs:
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Override latest
        if: github.event.inputs.latest == 'true'
@ -123,7 +123,7 @@ jobs:
      contents: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Remove temporary branch
        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -137,12 +137,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - uses: ./.github/actions/setup_bazel_nix

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
--- a/.github/workflows/purge-main.yml
+++ b/.github/workflows/purge-main.yml
@ -18,12 +18,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -1,79 +0,0 @@
-name: 'Release: on-publish'
-
-on:
-  release:
-    types:
-      - published
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Semantic version tag of the release (vX.Y.Z).'
-        required: true
-
-jobs:
-  post-release-actions:
-    runs-on: ubuntu-24.04
-    permissions:
-      issues: write
-    env:
-      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
-      GH_TOKEN: ${{ github.token }}
-    steps:
-      - name: Mark milestone as complete
-        run: |
-          milestones=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/edgelesssys/constellation/milestones)
-
-          current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
-          echo "current milestone: ${current_milestone}"
-          if [[ -z "${current_milestone}" ]]; then
-            echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
-            exit 0
-          fi
-
-          current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
-          echo "current milestone state: ${current_milestone_state}"
-          if [[ "${current_milestone_state}" != "open" ]]; then
-            echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
-            exit 0
-          fi
-
-          milestone_number=$(echo "${current_milestone}" | jq -r '.number')
-          echo "milestone number: ${milestone_number}"
-          if [[ -z "${milestone_number}" ]]; then
-            echo "failed parsing milestone number"
-            exit 1
-          fi
-
-          gh api \
-            --method PATCH \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "/repos/edgelesssys/constellation/milestones/${milestone_number}" \
-            -f state=closed
-
-      - name: Create next milestone
-        run: |
-          WITHOUT_V=${FULL_VERSION#v}
-          PART_MAJOR=${WITHOUT_V%%.*}
-          PART_MINOR=${WITHOUT_V#*.}
-          PART_MINOR=${PART_MINOR%%.*}
-          NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
-
-          gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/edgelesssys/constellation/milestones |
-            jq -r '.[].title' | \
-            grep -xqF "${NEXT_MINOR}" && exit 0
-
-          gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /repos/edgelesssys/constellation/milestones \
-            -f title="${NEXT_MINOR}" \
-            -f state='open' \
-            -f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,7 +33,7 @@ jobs:
      RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Working branch
        run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -72,9 +72,10 @@ jobs:
            echo "WORKING_BRANCH=${WORKING_BRANCH}"
          } | tee -a "$GITHUB_OUTPUT"

-  update-main-branch:
-    name: Update main branch with release changes
+  docs:
+    name: Create docs release (from main)
    runs-on: ubuntu-24.04
+    if: inputs.kind == 'minor'
    needs: verify-inputs
    permissions:
      contents: write
@ -84,55 +85,30 @@ jobs:
      MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
      BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: main

-      - name: Configure git
-        run: |
-          git config --global user.name "edgelessci"
-          git config --global user.email "edgelessci@users.noreply.github.com"
-
      - name: Create docs release
-        if: inputs.kind == 'minor'
        working-directory: docs
        run: |
-          npm ci
+          npm install
          npm run docusaurus docs:version "${MAJOR_MINOR}"
-          git add .
-          git commit -am "docs: release ${MAJOR_MINOR}"
-          # Clean up auxiliary files, so next steps run on a clean tree
-          git clean -fdx :/
-
-      - name: Update version.txt
-        if: inputs.kind == 'minor'
-        run: |
-          pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
-          echo "${pre_release_version}" > version.txt
-          git add version.txt
-          git commit -m "chore: update version.txt to ${pre_release_version}"
-
-      - name: Update CI for new version
-        run: |
-          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
-          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml

      - name: Create docs pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: ${{ env.BRANCH }}
          base: main
-          title: "Post ${{ env.VERSION }} release updates to main"
+          title: "docs: add release ${{ env.VERSION }}"
          body: |
            :robot: *This is an automated PR.* :robot:

            The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
-          commit-message: "chore: update CI for ${{ env.VERSION }}"
+            It releases a new version of the documentation.
+          commit-message: "docs: add release ${{ env.VERSION }}"
          committer: edgelessci <edgelessci@users.noreply.github.com>
-          author: edgelessci <edgelessci@users.noreply.github.com>
          labels: no changelog
-          assignees: ${{ github.actor }}
-          reviewers: ${{ github.actor }}
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}

@ -147,7 +123,7 @@ jobs:
      WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -185,7 +161,7 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -239,17 +215,6 @@ jobs:
      stream: "stable"
      ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

-  check-measurements-reproducibility:
-    name: Check measurements reproducibility
-    needs: [verify-inputs, os-image]
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Check reproducibility
-        uses: ./.github/actions/check_measurements_reproducibility
-        with:
-          version: ${{ inputs.version }}
-          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
-
  update-hardcoded-measurements:
    name: Update hardcoded measurements (in the CLI)
    needs: [verify-inputs, os-image]
@ -261,14 +226,14 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: true

      - name: Build generateMeasurements tool
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@ -1,9 +1,8 @@
 # Verify that Constellation builds are reproducible.
 #
-# The build-* jobs' matrix has three dimensions: a list of targets to build, a
-# list of runners to build on and a method of installing dependencies. The
-# produced binaries and OS images are expected to be bit-for-bit identical,
-# without any dependencies on the runtime setup details.
+# The build-* jobs' matrix has two dimensions: a list of targets to build and
+# a list of runners to build on. The produced binaries and OS images are
+# expected to be bit-for-bit identical, regardless of the chosen build runner.
 #
 # The compare-* jobs only have the target dimension. They obtain the built
 # targets from all runners and check that there are no diffs between them.
@ -13,9 +12,6 @@ on:
  workflow_dispatch:
  schedule:
    - cron: "45 06 * * 1" # Every Monday at 6:45am
-  pull_request:
-    paths:
-      - .github/workflows/reproducible-builds.yml

 jobs:
  build-binaries:
@ -28,39 +24,19 @@ jobs:
            - "cli_enterprise_linux_amd64"
            - "cli_enterprise_linux_arm64"
            - "cli_enterprise_windows_amd64"
-          runner:
-            - "ubuntu-24.04"
-            - "ubuntu-22.04"
-          deps:
-            - conventional
-            - eccentric
+          runner: ["ubuntu-22.04", "ubuntu-20.04"]
    env:
        bazel_target: "//cli:${{ matrix.target }}"
-        binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+        binary: "${{ matrix.target }}-${{ matrix.runner }}"
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

-      - name: Setup dependencies
+      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
-        if: matrix.deps == 'conventional'
-
-      - name: Setup dependencies (eccentric)
-        if: matrix.deps == 'eccentric'
-        run: |
-          bazelVersion=$(cat .bazelversion)
-          mkdir -p "$HOME/.local/bin"
-          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
-          chmod a+x "$HOME/.local/bin/bazel"
-          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
-
-          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
-          nixVersion=$(cat .nixversion)
-          chmod a+x "$HOME/.local/bin/nix-installer"
-          "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"

      - name: Build
        shell: bash
@ -81,15 +57,15 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
-          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
-          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"

  build-osimages:
@ -101,26 +77,14 @@ jobs:
            - "aws_aws-nitro-tpm_console"
            - "qemu_qemu-vtpm_debug"
            - "gcp_gcp-sev-snp_nightly"
-          runner: ["ubuntu-24.04", "ubuntu-22.04"]
+          runner: ["ubuntu-22.04", "ubuntu-20.04"]
    env:
        bazel_target: "//image/system:${{ matrix.target }}"
        binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
    runs-on: ${{ matrix.runner }}
    steps:
-      - name: Remove security hardening features
-        if: matrix.runner == 'ubuntu-24.04'
-        shell: bash
-        run: |
-          # Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
-          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
-          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
-          # This command fails with a non-zero error code even though it unloads the apparmor profiles.
-          # https://gitlab.com/apparmor/apparmor/-/issues/403
-          sudo aa-teardown || true
-          sudo apt-get remove -y apparmor
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -146,13 +110,13 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
@ -170,12 +134,12 @@ jobs:
            - "cli_enterprise_windows_amd64"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download binaries
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: "binaries-${{ matrix.target }}-*"
          merge-multiple: true
@ -204,12 +168,12 @@ jobs:
              - "gcp_gcp-sev-snp_nightly"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download os images
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: "osimages-${{ matrix.target }}-*"
          merge-multiple: true
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -18,25 +18,25 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false

      - name: Run analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sync-terraform-docs.yml
+++ b/.github/workflows/sync-terraform-docs.yml
@ -18,14 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout constellation repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
          path: constellation

      - name: Checkout terraform-provider-constellation repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: edgelesssys/terraform-provider-constellation
          ref: main
@ -40,7 +40,7 @@ jobs:

      - name: Create pull request
        id: create-pull-request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          path: terraform-provider-constellation
          branch: "feat/docs/update"
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@ -25,7 +25,7 @@ jobs:
      CTEST_OUTPUT_ON_FAILURE: True
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-operator-codegen.yml
+++ b/.github/workflows/test-operator-codegen.yml
@ -21,14 +21,14 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: true

      - name: Run code generation
--- a/.github/workflows/test-tfsec.yml
+++ b/.github/workflows/test-tfsec.yml
@ -23,7 +23,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@ -17,7 +17,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          # No token available for forks, so we can't push changes
@ -37,7 +37,7 @@ jobs:

      - name: Assume AWS role to upload Bazel dependencies to S3
        if: startsWith(github.head_ref, 'renovate/')
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
--- a/.github/workflows/test-unittest.yml
+++ b/.github/workflows/test-unittest.yml
@ -30,7 +30,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
@ -49,7 +49,7 @@ jobs:
          rm -rf awscliv2.zip aws

      - name: Login to AWS (IAM role)
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
          aws-region: eu-central-1
@ -69,7 +69,7 @@ jobs:

      - name: Comment coverage
        if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
        with:
          header: coverage
          path: coverage_diff.md
--- a/.github/workflows/update-rpms.yml
+++ b/.github/workflows/update-rpms.yml
@ -13,12 +13,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}

      - name: Assume AWS role to upload Bazel dependencies to S3
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
@ -39,7 +39,7 @@ jobs:
          fi

      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-rpms-${{ github.run_number }}"
          base: main
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -115,7 +115,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -149,21 +149,21 @@ jobs:

      - name: Login to AWS without write access
        if: steps.check-rights.outputs.write == 'false'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1

      - name: Login to AWS with write access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
          aws-region: eu-central-1

      - name: Login to AWS with write and image remove access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
          aws-region: eu-central-1
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,65 +1,53 @@
-version: "2"
 run:
+  timeout: 10m
  build-tags:
    - integration
    - e2e
  modules-download-mode: readonly
+
 output:
  formats:
-    tab:
+    - format: tab
      path: stdout
-      colors: false
+  sort-results: true
+
 linters:
  enable:
+    # Default linters
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - typecheck
+    - unused
+    # Additional linters
    - bodyclose
-    - copyloopvar
    - errname
+    - exportloopref
    - godot
+    - gofmt
+    - gofumpt
    - misspell
    - noctx
    - revive
+    - tenv
    - unconvert
    - unparam
-    - usetesting
-  settings:
-    errcheck:
-      exclude-functions:
-        - (*go.uber.org/zap.Logger).Sync
-        - (*google.golang.org/grpc.Server).Serve
-  exclusions:
-    generated: lax
-    presets:
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - 3rdparty/node-maintenance-operator
-    rules:
-    # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
-    - linters: ["staticcheck"]
-      text: "QF1008: could remove embedded field"
-    - linters: ["staticcheck"]
-      text: "QF1001: could apply De Morgan's law"
-    - linters: ["staticcheck"]
-      text: "ST1005: error strings should not be capitalized"
-    - linters: ["revive"]
-      text: "package-comments: package comment should be of the form"
-    - linters: ["revive"]
-      text: "package-comments: should have a package comment"
-    - linters: ["staticcheck"]
-      text: "QF1012: Use fmt.Fprintf"
-    - linters: ["staticcheck"]
-      text: "ST1019"

-      
 issues:
  max-issues-per-linter: 0
  max-same-issues: 20
-formatters:
-  enable:
-    - gofmt
-    - gofumpt
-  exclusions:
-    generated: lax
-    paths:
-      - 3rdparty/node-maintenance-operator
+  exclude-dirs:
+    - 3rdparty/node-maintenance-operator
+  include:
+    - EXC0012
+    - EXC0014
+
+linters-settings:
+  errcheck:
+    # List of functions to exclude from checking, where each entry is a single function to exclude.
+    # See https://github.com/kisielk/errcheck#excluding-functions for details.
+    exclude-functions:
+      - (*go.uber.org/zap.Logger).Sync
+      - (*google.golang.org/grpc.Server).Serve
--- a/.nixversion
+++ b/.nixversion
@ -1 +0,0 @@
-2.25.2
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
@ -1,13 +0,0 @@
-load("//bazel/sh:def.bzl", "sh_template")
-
-sh_template(
-    name = "pull_files",
-    data = [
-        "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
-    ],
-    substitutions = {
-        "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
-    },
-    template = "pull_files.sh",
-    visibility = ["//visibility:public"],
-)
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-###### script header ######
-
-lib=$(realpath @@BASE_LIB@@) || exit 1
-stat "${lib}" >> /dev/null || exit 1
-
-# shellcheck source=../../../bazel/sh/lib.bash
-if ! source "${lib}"; then
-  echo "Error: could not find import"
-  exit 1
-fi
-
-controller_policy_source="@@POLICY_SRC@@"
-
-###### script body ######
-
-controller_policy_real_source=$(realpath "${controller_policy_source}")
-
-cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
-
-targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
-
-cp "${controller_policy_real_source}" "${targetDir}"
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
@ -1,22 +0,0 @@
-"""A module defining the source of the AWS load balancer controller."""
-
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-
-def aws_load_balancer_controller_deps():
-    http_archive(
-        name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
-        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
-            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
-        ],
-        strip_prefix = "aws-load-balancer-controller-2.12.0",
-        build_file_content = """
-filegroup(
-    srcs = ["docs/install/iam_policy.json"],
-    name = "lb_policy",
-    visibility = ["//visibility:public"],
-)
-        """,
-        type = "tar.gz",
-        sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
-    )
--- a/3rdparty/gcp-guest-agent/Dockerfile
+++ b/3rdparty/gcp-guest-agent/Dockerfile
@ -1,4 +1,4 @@
-FROM ubuntu:24.04@sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02 as build
+FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as build

 # Install packages
 RUN apt-get update && apt-get install -y \
@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
    git

 # Install Go
-ARG GO_VER=1.24.2
+ARG GO_VER=1.22.3
 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
    tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
    rm go${GO_VER}.linux-amd64.tar.gz
--- a/MODULE.bazel
+++ b/MODULE.bazel
@ -1,6 +1,6 @@
 module(name = "constellation")

-bazel_dep(name = "aspect_bazel_lib", version = "2.14.0")
+bazel_dep(name = "aspect_bazel_lib", version = "2.9.2")

 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.yq()
@ -8,27 +8,21 @@ use_repo(bazel_lib, "jq_toolchains")
 use_repo(bazel_lib, "yq_toolchains")

 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "gazelle", version = "0.42.0")
-bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0")
-bazel_dep(name = "rules_cc", version = "0.1.1")
-bazel_dep(name = "rules_go", version = "0.53.0", repo_name = "io_bazel_rules_go")
-bazel_dep(name = "rules_pkg", version = "1.1.0")
-bazel_dep(name = "rules_proto", version = "7.1.0")
-bazel_dep(name = "rules_python", version = "1.3.0")
+bazel_dep(name = "gazelle", version = "0.39.1")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
+bazel_dep(name = "rules_cc", version = "0.0.13")
+bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "rules_proto", version = "6.0.2")
+bazel_dep(name = "rules_python", version = "0.36.0")

-bazel_dep(name = "buildifier_prebuilt", version = "8.0.1", dev_dependency = True)
+bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)

 go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(
    name = "go_sdk",
    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
-    version = "1.24.2",
-)
-
-python = use_extension("@rules_python//python/extensions:python.bzl", "python")
-python.toolchain(
-    ignore_root_user_error = True,
-    python_version = "3.11",
+    version = "1.23.2",
 )

 # the use_repo rule needs to list all top-level go dependencies
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/WORKSPACE.bzlmod
+++ b/WORKSPACE.bzlmod
@ -234,10 +234,6 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"

 node_maintainance_operator_deps()

-load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
-
-aws_load_balancer_controller_deps()
-
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")

--- a/bazel/bazelrc/ci.bazelrc
+++ b/bazel/bazelrc/ci.bazelrc
@ -62,10 +62,6 @@ build --remote_local_fallback
 # Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
 build --grpc_keepalive_time=30s

-# Use fallbacks in case proxy.golang.org is not reachable.
-# Docs: https://go.dev/ref/mod#goproxy-protocol
-common '--repo_env=GOPROXY=https://proxy.golang.org|https://goproxy.io|direct'
-

 ######################################
 # Edgeless specific                  #
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@ -1,7 +1,7 @@
 load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
 load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
 load("@gazelle//:def.bzl", "gazelle")
-load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
+load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
 load("//bazel/ci:proto_targets.bzl", "proto_targets")
 load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")

@ -514,14 +514,16 @@ multirun(
 )

 multirun(
-    name = "parallel_checks",
+    name = "check",
    testonly = True,
    commands = [
        ":gazelle_check",
        ":buildifier_check",
+        ":golangci_lint",
        ":terraform_check",
        ":golicenses_check",
        ":license_header_check",
+        ":govulncheck",
        ":deps_mirror_check",
        ":proto_targets_check",
        ":unused_gh_actions",
@ -540,25 +542,11 @@ multirun(
    visibility = ["//visibility:public"],
 )

-multirun(
-    name = "check",
-    testonly = True,
-    commands = [
-        ":parallel_checks",
-        ":golangci_lint",
-        ":govulncheck",
-    ],
-    jobs = 1,  # execute sequentially to avoid running into memory issues on our CI runners
-    stop_on_error = False,
-    visibility = ["//visibility:public"],
-)
-
 multirun(
    name = "generate_files",
    commands = [
        ":terraform_gen",
        "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
-        "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
        ":go_generate",
        ":proto_generate",
    ],
--- a/bazel/ci/go_bin_for_host.bzl
+++ b/bazel/ci/go_bin_for_host.bzl
@ -1,29 +0,0 @@
-"""
-Go toolchain for the host platformS
-Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl
-"""
-
-load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS")
-
-GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain"
-
-def _ensure_target_cfg(ctx):
-    if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path:
-        fail("exec not found")
-
-def _go_bin_for_host_impl(ctx):
-    _ensure_target_cfg(ctx)
-    sdk = ctx.toolchains[GO_TOOLCHAIN].sdk
-    sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list())
-    return [
-        DefaultInfo(
-            files = depset([sdk.go]),
-            runfiles = sdk_files,
-        ),
-    ]
-
-go_bin_for_host = rule(
-    implementation = _go_bin_for_host_impl,
-    toolchains = [GO_TOOLCHAIN],
-    exec_compatible_with = HOST_CONSTRAINTS,
-)
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -63,8 +63,6 @@ license_report() {

        github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;;

-        github.com/edgelesssys/go-tdx-qpl) ;;
-
        *)
          not_allowed
          ;;
@ -73,6 +71,8 @@ license_report() {

      Unknown)
        case ${pkg} in
+        github.com/edgelesssys/go-tdx-qpl/*) ;;
+
        *)
          not_allowed
          ;;
--- a/bazel/ci/govulncheck.sh.in
+++ b/bazel/ci/govulncheck.sh.in
@ -27,16 +27,11 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
 PATH=$(dirname "${go}"):${PATH}

 check_module() {
-  excluded_osvs=(
-    "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
-    "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
-  )
-
  # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
  CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
-    "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
+    "${jq}" -sr '
        (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs | 
-        map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
+        map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
        group_by(.osv) | 
        map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
        if length > 0 then halt_error(1) else .[] end'
--- a/bazel/ci/terraform.sh.in
+++ b/bazel/ci/terraform.sh.in
@ -46,6 +46,7 @@ excludeDirs=(
 excludeLockDirs=(
  "build"
  "terraform-provider-constellation"
+  "terraform/legacy-module"
 )

 excludeCheckDirs=(
@ -142,7 +143,6 @@ check() {
    done
    echo "This may take 5-10 min..."
    for module in "${terraformLockModules[@]}"; do
-      echo "Generating lock file for ${module}"
      ${terraform} -chdir="${module}" init > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null
--- a/bazel/proto/rules.bzl
+++ b/bazel/proto/rules.bzl
@ -5,14 +5,17 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927
 """

 load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
-load("@io_bazel_rules_go//go:def.bzl", "GoInfo")
+load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context")
 load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler")

 def _output_go_library_srcs_impl(ctx):
+    go = go_context(ctx)
+
    srcs_of_library = []
    importpath = ""
    for src in ctx.attr.deps:
-        lib = src[GoInfo]
+        lib = src[GoLibrary]
+        go_src = go.library_to_source(go, ctx.attr, lib, False)
        if importpath and lib.importpath != importpath:
            fail(
                "importpath of all deps must match, got {} and {}",
@ -20,7 +23,7 @@ def _output_go_library_srcs_impl(ctx):
                lib.importpath,
            )
        importpath = lib.importpath
-        srcs_of_library.extend(lib.srcs)
+        srcs_of_library.extend(go_src.srcs)

    if len(srcs_of_library) != 1:
        fail("expected exactly one src for library, got {}", len(srcs_of_library))
@ -51,7 +54,7 @@ output_go_library_srcs = rule(
            default = "@io_bazel_rules_go//proto:go_proto",
        ),
        "deps": attr.label_list(
-            providers = [GoInfo],
+            providers = [GoLibrary],
            aspects = [],
        ),
        "out": attr.output(
--- a/bazel/release/artifacts/BUILD.bazel
+++ b/bazel/release/artifacts/BUILD.bazel
@ -70,5 +70,5 @@ go_test(
    env = platform_container_sums_paths | platform_clis_paths,
    # keep
    x_defs = {"runsUnder": "bazel"},
-    deps = ["@io_bazel_rules_go//go/runfiles"],
+    deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"],
 )
--- a/bazel/toolchains/ci_deps.bzl
+++ b/bazel/toolchains/ci_deps.bzl
@ -97,41 +97,41 @@ def _actionlint_deps():
        name = "com_github_rhysd_actionlint_linux_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
+        sha256 = "37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_linux_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
+        sha256 = "5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
+        sha256 = "33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
+        sha256 = "b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
    )

 def _gofumpt_deps():
@ -181,41 +181,41 @@ def _tfsec_deps():
        name = "com_github_aquasecurity_tfsec_linux_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
+        sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_linux_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
+        sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
+        sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
+        sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
    )

 def _golangci_lint_deps():
@ -223,45 +223,45 @@ def _golangci_lint_deps():
        name = "com_github_golangci_golangci_lint_linux_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.0.2-linux-amd64",
+        strip_prefix = "golangci-lint-1.61.0-linux-amd64",
        type = "tar.gz",
-        sha256 = "89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
+        sha256 = "77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_linux_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.0.2-linux-arm64",
+        strip_prefix = "golangci-lint-1.61.0-linux-arm64",
        type = "tar.gz",
-        sha256 = "789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
+        sha256 = "af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.0.2-darwin-amd64",
+        strip_prefix = "golangci-lint-1.61.0-darwin-amd64",
        type = "tar.gz",
-        sha256 = "a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
+        sha256 = "5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.0.2-darwin-arm64",
+        strip_prefix = "golangci-lint-1.61.0-darwin-arm64",
        type = "tar.gz",
-        sha256 = "664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
+        sha256 = "544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
    )

 def _buf_deps():
@ -270,44 +270,44 @@ def _buf_deps():
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/ce439b98c0e655ba1821fc529442f677135a9a44206a85cf2081a445bde02554",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Linux-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "ce439b98c0e655ba1821fc529442f677135a9a44206a85cf2081a445bde02554",
+        sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
    )
    http_archive(
        name = "com_github_bufbuild_buf_linux_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/fb980e62f55a0d705f555124b5b250a6234deae67b3a493b1844fed8cb48f012",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Linux-aarch64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "fb980e62f55a0d705f555124b5b250a6234deae67b3a493b1844fed8cb48f012",
+        sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_amd64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/ff3aedaa8bf53c3ae53bf863bb6141a23ef9e2ef750016ab217b0466ab3e89be",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Darwin-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "ff3aedaa8bf53c3ae53bf863bb6141a23ef9e2ef750016ab217b0466ab3e89be",
+        sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/b11d5afda7f58a44a6520b798902b1263aba921b0989cb156ecf2acc8eb1ce31",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "b11d5afda7f58a44a6520b798902b1263aba921b0989cb156ecf2acc8eb1ce31",
+        sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
    )

 def _talos_docgen_deps():
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
    oci_pull(
        name = "distroless_static",
-        digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
+        digest = "sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea",
        image = "gcr.io/distroless/static",
        platforms = [
            "linux/amd64",
@ -16,6 +16,6 @@ def containter_image_deps():
    )
    oci_pull(
        name = "libvirtd_base",
-        digest = "sha256:10bc5281807d06e333f363dd27ccc8159884d706a6d738d6f54a925c483bdce3",
+        digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7",
        image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
    )
--- a/bazel/toolchains/nixpkgs_deps.bzl
+++ b/bazel/toolchains/nixpkgs_deps.bzl
@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
    http_archive(
        name = "io_tweag_rules_nixpkgs",
-        sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
-        strip_prefix = "rules_nixpkgs-0.13.0",
+        sha256 = "f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
+        strip_prefix = "rules_nixpkgs-705ee3b26cf49e990cddbbe6f60510fa46d50904",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
-            "https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
+            "https://github.com/tweag/rules_nixpkgs/archive/705ee3b26cf49e990cddbbe6f60510fa46d50904.tar.gz",
        ],
        type = "tar.gz",
    )
--- a/bazel/toolchains/oci_deps.bzl
+++ b/bazel/toolchains/oci_deps.bzl
@ -7,13 +7,14 @@ def oci_deps():
    # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
    http_archive(
        name = "rules_oci",
-        strip_prefix = "rules_oci-2.2.5",
+        strip_prefix = "rules_oci-2.0.1",
        type = "tar.gz",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
-            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/f70f07f9d0d6c275d7ec7d3c7f236d9b552ba3205e8f37df9c1125031cf967cc",
+            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.0.1/rules_oci-v2.0.1.tar.gz",
        ],
-        sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+        sha256 = "acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
        patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
        patch_args = ["-p1"],
    )
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
edgelessci	97ae5d8dd0	attestation: hardcode measurements for v2.19.0	2024-10-18 11:57:14 +00:00
edgelessci	681216b577	deps: update versions to v2.19.0	2024-10-18 11:21:12 +00:00
edgelessci	cbd5d93121	chore: update version.txt to v2.19.0	2024-10-18 11:21:00 +00:00
 @ -1 +1 @@
 .6.0
 .3.2