attestation: hardcode measurements for v2.19.3

deps: update versions to v2.19.3
chore: update version.txt to v2.19.3
2025-04-25 09:39:22 -04:00 · 2024-11-25 10:01:59 +00:00 · 2024-11-25 09:28:53 +00:00 · 2024-11-25 09:28:34 +00:00 · 2024-11-25 10:27:43 +01:00 · 2024-11-25 10:21:20 +01:00
821 changed files with 10337 additions and 61303 deletions
--- a/.bazelversion
+++ b/.bazelversion
@ -1 +1 @@
-7.6.0
+7.3.2
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@ -28,7 +28,7 @@ runs:
      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"
    - name: Download the artifact
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@ -69,7 +69,7 @@ runs:
        done
    - name: Upload archive as artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@ -79,7 +79,7 @@ runs:
    # once it has the functionality
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
    - name: Install Rekor
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@ -42,7 +42,7 @@ runs:
    - name: Docker metadata
      id: meta
-      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
      with:
        images: |
          ghcr.io/${{ github.repository }}/${{ inputs.name }}
@ -62,7 +62,7 @@ runs:
    - name: Build and push container image
      id: build-micro-service
-      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
      with:
        context: .
        file: ${{ inputs.dockerfile }}
--- a/.github/actions/cdbg_deploy/action.yml
+++ b/.github/actions/cdbg_deploy/action.yml
@ -61,7 +61,7 @@ runs:
    - name: Login to AWS (IAM service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -80,7 +80,7 @@ runs:
    - name: Login to AWS (Cluster service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/check_measurements_reproducibility/action.yml
+++ b/.github/actions/check_measurements_reproducibility/action.yml
@ -1,64 +0,0 @@
 name: Check measurements reproducibility
 description: Check if the measurements of a given release are reproducible.
 inputs:
  version:
    type: string
    description: The version of the measurements that are downloaded from the CDN.
    required: true
  ref:
    type: string
    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
    required: true
 runs:
  using: "composite"
  steps:
    - name: Checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ inputs.ref }}
        path: ./release
    - name: Set up bazel
      uses: ./.github/actions/setup_bazel_nix
      with:
        useCache: "false"
        nixTools: |
          systemdUkify
          jq
          jd-diff-patch
          moreutils
    - name: Allow unrestricted user namespaces
      shell: bash
      run: |
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
        sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
    - name: Build images
      id: build-images
      shell: bash
      run: |
        set -euo pipefail
        # Build required binaries
        pushd release
        bazel build //image/system:stable
        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
        popd
    - name: Download measurements
      shell: bash
      run: |
        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
    - name: Cleanup release measurements and generate our own
      shell: bash
      run: |
        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
    - name: Compare measurements
      shell: bash
      run: |
        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
--- a/.github/actions/check_measurements_reproducibility/compare_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/compare_measurements.sh
@ -1,31 +0,0 @@
 #!/usr/bin/env bash
 # no -e since we need to collect errors later
 # no -u since it interferes with checking associative arrays
 set -o pipefail
 shopt -s extglob
 declare -A errors
 for directory in "$1"/system/!(mkosi_wrapper.sh); do
  dirname="$(basename "$directory")"
  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
  echo "Their measurements for $attestationVariant:"
  ts "  " < "$attestationVariant"_their-measurements.json
  echo "Own measurements for $attestationVariant:"
  ts "  " < "$attestationVariant"_own-measurements.json
  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
  if [[ -n $diff ]]; then
    errors["$attestationVariant"]="$diff"
  fi
 done
 for attestationVariant in "${!errors[@]}"; do
  echo "Failed to reproduce measurements for $attestationVariant:"
  echo "${errors["$attestationVariant"]}" | ts "  "
 done
 if [[ ${#errors[@]} -ne 0 ]]; then
  exit 1
 fi
--- a/.github/actions/check_measurements_reproducibility/create_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/create_measurements.sh
@ -1,28 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 shopt -s extglob
 for directory in "$1"/system/!(mkosi_wrapper.sh); do
  dirname="$(basename "$directory")"
  csp="$(echo "$dirname" | cut -d_ -f1)"
  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
  # This jq filter selects the measurements for the correct CSP and attestation variant
  # and then removes all `warnOnly: true` measurements.
  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
    '
      .list.[]
      | select(
        .attestationVariant == $attestation_variant
        and (.csp | ascii_downcase) == $csp
      )
      | .measurements
      | to_entries
      | map(select(.value.warnOnly | not))
      | from_entries
      | del(.[] .warnOnly)
  ' \
    measurements.json > "$attestationVariant"_their-measurements.json
  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
 done
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -257,9 +257,9 @@ runs:
      continue-on-error: true
      uses: ./.github/actions/artifact_upload
      with:
-        name: debug-logs-${{ inputs.artifactNameSuffix }}
+        name: serial-logs-${{ inputs.artifactNameSuffix }}
-        path: |
+        path: >
-          *.log
+          !(terraform).log
        encryptionSecret: ${{ inputs.encryptionSecret }}
    - name: Prepare terraform state folders
@ -268,12 +268,9 @@ runs:
      run: |
        mkdir to-zip
        cp -r constellation-terraform to-zip
-        # constellation-iam-terraform is optional
+        cp -r constellation-iam-terraform to-zip
        if [ -d constellation-iam-terraform ]; then
          cp -r constellation-iam-terraform to-zip
        fi
        rm -f to-zip/constellation-terraform/plan.zip
-        rm -rf to-zip/*/.terraform
+        rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform
    - name: Upload terraform state
      if: always()
--- a/.github/actions/constellation_destroy/action.yml
+++ b/.github/actions/constellation_destroy/action.yml
@ -67,7 +67,7 @@ runs:
    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/constellation_iam_create/action.yml
+++ b/.github/actions/constellation_iam_create/action.yml
@ -42,15 +42,6 @@ inputs:
  gcpZone:
    description: "The GCP zone to deploy Constellation in."
    required: false
  #
  # STACKIT specific inputs
  #
  stackitZone:
    description: "The STACKIT zone to deploy Constellation in."
    required: false
  stackitProjectID:
    description: "The STACKIT project ID to deploy Constellation in."
    required: false
 runs:
  using: "composite"
@ -102,7 +93,6 @@ runs:
          --tf-log=DEBUG \
          --yes ${extraFlags}
    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
    - name: Constellation iam create gcp
      shell: bash
      if: inputs.cloudProvider == 'gcp'
@ -114,13 +104,3 @@ runs:
          --update-config \
          --tf-log=DEBUG \
          --yes
    - name: Set STACKIT-specific configuration
      shell: bash
      if: inputs.cloudProvider == 'stackit'
      env:
        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
      run: |
        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
--- a/.github/actions/constellation_iam_destroy/action.yml
+++ b/.github/actions/constellation_iam_destroy/action.yml
@ -23,7 +23,7 @@ runs:
    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
--- a/.github/actions/container_registry_login/action.yml
+++ b/.github/actions/container_registry_login/action.yml
@ -17,7 +17,7 @@ runs:
  steps:
    - name: Use docker for logging in
      if: runner.os != 'macOS'
-      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.username }}
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -19,7 +19,7 @@ runs:
  steps:
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
    - name: Download Syft & Grype
      uses: ./.github/actions/install_syft_grype
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@ -67,7 +67,7 @@ runs:
    # Make sure that helm is installed
    # This is not always the case, e.g. on MacOS runners
    - name: Install Helm
-      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
      with:
        version: v3.9.0
--- a/.github/actions/download_release_binaries/action.yml
+++ b/.github/actions/download_release_binaries/action.yml
@ -5,51 +5,51 @@ runs:
  using: "composite"
  steps:
    - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-darwin-amd64
    - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-darwin-arm64
    - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-linux-amd64
    - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-linux-arm64
    - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: constellation-windows-amd64
    - name: Download Terraform module
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-module
    - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-darwin-amd64
    - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-darwin-arm64
    - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-linux-amd64
    - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
      with:
        name: terraform-provider-constellation-linux-arm64
--- a/.github/actions/e2e_attestationconfigapi/action.yml
+++ b/.github/actions/e2e_attestationconfigapi/action.yml
@ -19,7 +19,7 @@ runs:
      uses: ./.github/actions/setup_bazel_nix
    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
        aws-region: eu-west-1
--- a/.github/actions/e2e_autoscaling/action.yml
+++ b/.github/actions/e2e_autoscaling/action.yml
@ -82,30 +82,7 @@ runs:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        worker_count=${{ steps.worker_count.outputs.worker_count }}
-
+        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
        cat <<EOF | kubectl apply -f -
        kind: Deployment
        apiVersion: apps/v1
        metadata:
          name: nginx
          namespace: default
        spec:
          replicas: $(( 110 * (worker_count + 1) + 55 ))
          strategy:
            rollingUpdate:
              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
          selector:
            matchLabels:
              app: nginx
          template:
            metadata:
              labels:
                app: nginx
            spec:
              containers:
              - name: nginx
                image: nginx
        EOF
    - name: Wait for autoscaling and check result
      shell: bash
--- a/.github/actions/e2e_benchmark/action.yml
+++ b/.github/actions/e2e_benchmark/action.yml
@ -32,9 +32,9 @@ runs:
  steps:
    - name: Setup python
-      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
      with:
-        python-version: "3.13"
+        python-version: "3.10"
    - name: Install kubestr
      shell: bash
@ -48,7 +48,7 @@ runs:
        install kubestr /usr/local/bin
    - name: Checkout k8s-bench-suite
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        fetch-depth: 0
        repository: "edgelesssys/k8s-bench-suite"
@ -166,7 +166,7 @@ runs:
        encryptionSecret: ${{ inputs.encryptionSecret }}
    - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
        aws-region: us-east-2
--- a/.github/actions/e2e_benchmark/evaluate/requirements.txt
+++ b/.github/actions/e2e_benchmark/evaluate/requirements.txt
@ -1,3 +1,3 @@
-numpy ==2.2.4
+numpy ==1.26.4
-matplotlib ==3.10.1
+matplotlib ==3.8.3
-Pillow ==11.2.1
+Pillow ==10.3.0
--- a/.github/actions/e2e_cleanup_timeframe/action.yml
+++ b/.github/actions/e2e_cleanup_timeframe/action.yml
@ -11,18 +11,12 @@ inputs:
  azure_credentials:
    description: "Credentials authorized to create Constellation on Azure."
    required: true
  openStackCloudsYaml:
    description: "The contents of ~/.config/openstack/clouds.yaml"
    required: false
  stackitUat:
    description: "The UAT for STACKIT"
    required: false
 runs:
  using: "composite"
  steps:
    - name: Authenticate AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
        aws-region: eu-central-1
@ -37,16 +31,6 @@ runs:
      with:
        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"
    - name: Login to OpenStack
      uses: ./.github/actions/login_openstack
      with:
        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
    - name: Login to STACKIT
      uses: ./.github/actions/login_stackit
      with:
        serviceAccountToken: ${{ inputs.stackitUat }}
    - name: Install tools
      uses: ./.github/actions/setup_bazel_nix
      with:
--- a/.github/actions/e2e_emergency_ssh/action.yml
+++ b/.github/actions/e2e_emergency_ssh/action.yml
@ -1,68 +0,0 @@
 name: Emergency ssh
 description: "Verify that an emergency ssh connection can be established."
 inputs:
  kubeconfig:
    description: "The kubeconfig file for the cluster."
    required: true
 runs:
  using: "composite"
  steps:
    - name: Test emergency ssh
      shell: bash
      env:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        set -euo pipefail
        # Activate emergency ssh access to the cluster
        pushd ./constellation-terraform
        echo "emergency_ssh = true" >> terraform.tfvars
        terraform apply -auto-approve
        lb="$(terraform output -raw loadbalancer_address)"
        popd
        # write ssh config
        cat > ssh_config <<EOF
        Host $lb
          ProxyJump none
        Host *
          StrictHostKeyChecking no
          UserKnownHostsFile=/dev/null
          IdentityFile ./access-key
          PreferredAuthentications publickey
          CertificateFile=constellation_cert.pub
          User root
          ProxyJump $lb
        EOF
        for i in {1..26}; do
          if [[ "$i" -eq 26 ]]; then
            echo "Port 22 never became reachable"
            exit 1
          fi
          echo "Waiting until port 22 is reachable: $i/25"
          if nc -z -w 25 "$lb" 22; then
            break
          fi
        done
        # generate and try keypair
        ssh-keygen -t ecdsa -q -N "" -f ./access-key
        constellation ssh --debug --key ./access-key.pub
        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
        for ip in $internalIPs; do
          for i in {1..26}; do
            if [[ "$i" -eq 26 ]]; then
              echo "Failed to connect to $ip over $lb"
              exit 1
            fi
            echo "Trying connection to $ip over $lb: $i/25"
            if ssh -F ssh_config -o BatchMode=yes $ip true; then
              echo "Connected to $ip successfully"
              break
            fi
          done
        done
--- a/.github/actions/e2e_mini/action.yml
+++ b/.github/actions/e2e_mini/action.yml
@ -25,7 +25,7 @@ runs:
  using: "composite"
  steps:
    - name: Install terraform
-      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+      uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
      with:
        terraform_wrapper: false
--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml
@ -70,7 +70,7 @@ runs:
    - name: Publish test results
      if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@cf701569b05ccdd861a76b8607a66d76f6fd4857 # v5.5.1
+      uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
      with:
        report_paths: "**/junit_01.xml"
        fail_on_failure: true
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -56,7 +56,7 @@ inputs:
    description: "Azure credentials authorized to create an IAM configuration."
    required: true
  test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
    required: true
  sonobuoyTestSuiteCmd:
    description: "The sonobuoy test suite to run."
@ -93,15 +93,6 @@ inputs:
  encryptionSecret:
    description: "The secret to use for decrypting the artifact."
    required: true
  openStackCloudsYaml:
    description: "The contents of ~/.config/openstack/clouds.yaml"
    required: false
  stackitUat:
    description: "The UAT for STACKIT"
    required: false
  stackitProjectID:
    description: "The STACKIT project ID to deploy Constellation in."
    required: false
 outputs:
  kubeconfig:
@ -115,7 +106,7 @@ runs:
  using: "composite"
  steps:
    - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
      shell: bash
      run: |
        echo "::error::Invalid input for test field: ${{ inputs.test }}"
@ -149,8 +140,6 @@ runs:
    - name: Setup bazel
      uses: ./.github/actions/setup_bazel_nix
      with:
        nixTools: terraform
    - name: Log in to the Container registry
      uses: ./.github/actions/container_registry_login
@ -227,7 +216,7 @@ runs:
    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -240,30 +229,12 @@ runs:
      with:
        azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
    - name: Login to OpenStack
      if: inputs.cloudProvider == 'stackit'
      uses: ./.github/actions/login_openstack
      with:
        clouds_yaml: ${{inputs.openStackCloudsYaml }}
    - name: Login to STACKIT
      if: inputs.cloudProvider == 'stackit'
      uses: ./.github/actions/login_stackit
      with:
        serviceAccountToken: ${{ inputs.stackitUat }}
    - name: Create prefix
      id: create-prefix
      shell: bash
      run: |
        uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
        uuid=${uuid%%-*}
        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
          uuid=${uuid:0:6}
        fi
        echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
        echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
@ -273,7 +244,7 @@ runs:
      with:
        attestationVariant: ${{ inputs.attestationVariant }}
-    - name: Create Constellation config and IAM
+    - name: Create IAM configuration
      id: constellation-iam-create
      uses: ./.github/actions/constellation_iam_create
      with:
@ -285,8 +256,6 @@ runs:
        azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
        gcpProjectID: ${{ inputs.gcpProject }}
        gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
        stackitProjectID: ${{ inputs.stackitProjectID }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
        additionalTags: "workflow=${{ github.run_id }}"
@ -298,7 +267,7 @@ runs:
    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
@ -452,9 +421,3 @@ runs:
        s3AccessKey: ${{ inputs.s3AccessKey }}
        s3SecretKey: ${{ inputs.s3SecretKey }}
        githubToken: ${{ inputs.githubToken }}
    - name: Run emergency ssh test
      if: inputs.test == 'emergency ssh'
      uses: ./.github/actions/e2e_emergency_ssh
      with:
        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
--- a/.github/actions/e2e_verify/action.yml
+++ b/.github/actions/e2e_verify/action.yml
@ -82,7 +82,7 @@ runs:
    - name: Login to AWS
      if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1
--- a/.github/actions/find_latest_image/action.yml
+++ b/.github/actions/find_latest_image/action.yml
@ -26,19 +26,19 @@ runs:
  steps:
    - name: Checkout head
      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
    - name: Checkout ref
      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ inputs.git-ref }}
    - name: Login to AWS
      if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/login_azure/action.yml
+++ b/.github/actions/login_azure/action.yml
@ -10,6 +10,6 @@ runs:
    # As described at:
    # https://github.com/Azure/login#configure-deployment-credentials
    - name: Login to Azure
-      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
      with:
        creds: ${{ inputs.azure_credentials }}
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@ -20,11 +20,11 @@ runs:
        echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
    - name: Authorize GCP access
-      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
+      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
      with:
        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
        service_account: ${{ inputs.service_account }}
    # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
    - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
--- a/.github/actions/login_stackit/action.yml
+++ b/.github/actions/login_stackit/action.yml
@ -1,16 +0,0 @@
 name: STACKIT login
 description: "Login to STACKIT"
 inputs:
  serviceAccountToken:
    description: "Credentials authorized to create Constellation on STACKIT."
    required: true
 runs:
  using: "composite"
  steps:
    - name: Login to STACKIT
      env:
        UAT: ${{ inputs.serviceAccountToken }}
      shell: bash
      run: |
          mkdir -p ~/.stackit
          echo "${UAT}" > ~/.stackit/credentials.json
--- a/.github/actions/notify_stackit/action.yml
+++ b/.github/actions/notify_stackit/action.yml
@ -1,19 +0,0 @@
 name: Notify STACKIT
 description: "Notify STACKIT about test failure"
 inputs:
  slackToken:
    description: "Slack access token."
    required: true
 runs:
  using: "composite"
  steps:
    - name: Notify STACKIT
      env:
        SLACK_TOKEN: ${{ inputs.slackToken }}
      shell: bash
      run: |
          curl -X POST \
            -H "Authorization: Bearer $SLACK_TOKEN" \
            -H "Content-type: application/json; charset=utf-8" \
            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
            https://slack.com/api/chat.postMessage
--- a/.github/actions/publish_helmchart/action.yml
+++ b/.github/actions/publish_helmchart/action.yml
@ -13,7 +13,7 @@ runs:
  using: "composite"
  steps:
    - name: Checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: edgelesssys/helm
        ref: main
@ -29,7 +29,7 @@ runs:
        echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT
    - name: Create pull request
-      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
      with:
        path: helm
        branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
--- a/.github/actions/select_image/action.yml
+++ b/.github/actions/select_image/action.yml
@ -18,7 +18,7 @@ runs:
  using: "composite"
  steps:
    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/setup_bazel_nix/action.yml
+++ b/.github/actions/setup_bazel_nix/action.yml
@ -75,7 +75,6 @@ runs:
            echo "$RUNNER_ARCH not supported"
            exit 1
        fi
        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
        echo "::endgroup::"
    - name: Install current Bash on macOS
@ -114,9 +113,7 @@ runs:
    - name: Install nix
      if: steps.check_inputs.outputs.nixPreinstalled == 'false'
-      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
      with:
        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"
    - name: Set $USER if not set
      shell: bash
@ -221,7 +218,7 @@ runs:
        { tools, repository, rev }:
        let
          repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgs;
+          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
          pkgs = import nixpkgs { system = builtins.currentSystem; };
          toolPkgs = map (p: pkgs.${p}) tools;
        in
--- a/.github/actions/terraform_apply/action.yml
+++ b/.github/actions/terraform_apply/action.yml
@ -29,9 +29,6 @@ runs:
          "gcpSEVSNP")
            attestationVariant="gcp-sev-snp"
            ;;
          "qemuVTPM")
            attestationVariant="qemu-vtpm"
            ;;
          *)
            echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
            exit 1
@ -47,7 +44,7 @@ runs:
            }
            random = {
              source  = "hashicorp/random"
-              version = "3.7.2"
+              version = "3.6.2"
            }
          }
        }
@ -109,16 +106,6 @@ runs:
            project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
            service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
          }
          openstack = {
            cloud                      = "stackit"
            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
            deploy_yawol_load_balancer = true
            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
          }
          network_config = {
            ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
            ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@ -15,7 +15,7 @@ runs:
        zip -r terraform-module.zip terraform-module
    - name: Upload artifact
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
      with:
        name: terraform-module
        path: terraform-module.zip
--- a/.github/workflows/assign_reviewer.yml
+++ b/.github/workflows/assign_reviewer.yml
@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' &&  github.event.pull_request.user.login == 'renovate[bot]'
    steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    - name: Pick assignee
      id: pick-assignee
      uses: ./.github/actions/pick_assignee
--- a/.github/workflows/aws-snp-launchmeasurement.yml
+++ b/.github/workflows/aws-snp-launchmeasurement.yml
@ -11,17 +11,17 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        ref: ${{ github.head_ref }}
        path: constellation
    - name: Install Nix
-      uses: cachix/install-nix-action@d1ca217b388ee87b2507a9a93bf01368bde7cec2 # v31
+      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
    - name: Download Firmware release
      id: download-firmware
-      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
+      uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
      with:
        repository: aws/uefi
        latest: true
@ -44,7 +44,7 @@ jobs:
        echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
        popd || exit 1
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      with:
        repository: virtee/sev-snp-measure-go.git
        ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: [arc-runner-set]
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@ -19,24 +19,24 @@ jobs:
      latest: ${{ steps.find-latest.outputs.latest }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
          fetch-depth: 0
      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false
      - name: Install Crane
        run: |
-          go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2
+          go install github.com/google/go-containerregistry/cmd/crane@latest
      - name: Find versions
        id: find-versions
@ -65,10 +65,10 @@ jobs:
        version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
@ -76,7 +76,7 @@ jobs:
      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            ghcr.io/edgelesssys/cloud-provider-gcp
@ -113,7 +113,7 @@ jobs:
      - name: Build and push container image
        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
        with:
          context: ./cloud-provider-gcp
          push: ${{ github.ref_name == 'main' }}
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@ -69,7 +69,7 @@ jobs:
      - name: Checkout GoogleCloudPlatform/guest-agent
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: "GoogleCloudPlatform/guest-agent"
          ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:
      - name: Checkout Constellation
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          path: "constellation"
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -85,7 +85,7 @@ jobs:
      - name: Docker meta
        id: meta
        if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@ -114,7 +114,7 @@ jobs:
      - name: Build and push container image
        if: steps.needs-build.outputs.out == 'true'
        id: build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
        with:
          context: ./guest-agent
          file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
--- a/.github/workflows/build-libvirt-container.yml
+++ b/.github/workflows/build-libvirt-container.yml
@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
--- a/.github/workflows/build-logcollector-images.yml
+++ b/.github/workflows/build-logcollector-images.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
--- a/.github/workflows/build-os-image-scheduled.yml
+++ b/.github/workflows/build-os-image-scheduled.yml
@ -59,15 +59,15 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}
      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false
      - name: Determine version
@ -97,7 +97,7 @@ jobs:
        run: rm -f internal/attestation/measurements/measurement-generator/generate
      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
@ -120,7 +120,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -59,7 +59,7 @@ jobs:
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -138,7 +138,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -147,7 +147,7 @@ jobs:
          useCache: "false"
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
@ -167,12 +167,6 @@ jobs:
        with:
          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}
      - name: Allow unrestricted user namespaces
        shell: bash
        run: |
          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
      - name: Build and upload
        id: build
        shell: bash
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@ -20,12 +20,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Link Checker
-        uses: lycheeverse/lychee-action@1d97d84f0bc547f7b25f4c2170d87d810dc2fb2c # v2.4.0
+        uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
        with:
          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
          fail: true
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ b/.github/workflows/check-measurements-reproducibility.yml
@ -1,25 +0,0 @@
 name: Check measurements reproducibility
 on:
  workflow_dispatch:
    inputs:
      version:
        type: string
        description: The version of the measurements that are downloaded from the CDN.
        required: true
      ref:
        type: string
        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
        required: true
 jobs:
  check-reproducibility:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Check reproducibility
        uses: ./.github/actions/check_measurements_reproducibility
        with:
          version: ${{ github.event.inputs.version }}
          ref: ${{ github.event.inputs.ref }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -34,17 +34,17 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup Go environment
        if: matrix.language == 'go'
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: false
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          languages: ${{ matrix.language }}
@ -63,6 +63,6 @@ jobs:
          echo "::endgroup::"
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/docs-vale.yml
+++ b/.github/workflows/docs-vale.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      # Work around https://github.com/errata-ai/vale-action/issues/128.
@ -25,8 +25,7 @@ jobs:
          python3 -m venv "$venv"
          echo "$venv/bin" >> "$GITHUB_PATH"
      - name: Vale
-        uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
+        uses: errata-ai/vale-action@91ac403e8d26f5aa1b3feaa86ca63065936a85b6 # tag=reviewdog
        with:
          files: docs/docs
          fail_on_error: true
          version: 3.9.3
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@ -72,7 +72,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -92,8 +92,8 @@ jobs:
          cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if: ${{ matrix.os != 'windows' }}
+        if : ${{ matrix.os != 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -101,8 +101,8 @@ jobs:
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig
      - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if: ${{ matrix.os == 'windows' }}
+        if : ${{ matrix.os == 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -133,7 +133,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -149,16 +149,16 @@ jobs:
          targetArch: ${{ matrix.arch }}
      - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if: ${{ matrix.os != 'windows' }}
+        if : ${{ matrix.os != 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
      - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if: ${{ matrix.os == 'windows' }}
+        if : ${{ matrix.os == 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -169,7 +169,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -187,7 +187,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -219,7 +219,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -227,7 +227,7 @@ jobs:
        uses: ./.github/actions/download_release_binaries
      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom
@ -256,12 +256,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
      - name: Download Syft & Grype
        uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
          COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}
      - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: constellation.spdx.sbom
          path: constellation.spdx.sbom
      - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: constellation.spdx.sbom.sig
          path: constellation.spdx.sbom.sig
@ -316,14 +316,14 @@ jobs:
      - provenance-subjects
    # This must not be pinned to digest. See:
    # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"
  provenance-verify:
    runs-on: ubuntu-24.04
    env:
-      SLSA_VERIFIER_VERSION: "2.7.0"
+      SLSA_VERIFIER_VERSION: "2.5.1"
    needs:
      - build-cli
      - provenance
@ -332,7 +332,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -340,12 +340,12 @@ jobs:
        uses: ./.github/actions/download_release_binaries
      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom
      - name: Download provenance
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
@ -405,7 +405,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -418,17 +418,17 @@ jobs:
        uses: ./.github/actions/download_release_binaries
      - name: Download CLI SBOM
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom
      - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation.spdx.sbom.sig
      - name: Download Constellation provenance
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
@ -472,7 +472,7 @@ jobs:
      - name: Create release with artifacts
        id: create-release
        # GitHub endorsed release project. See: https://github.com/actions/create-release
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          draft: true
          generate_release_notes: true
@ -487,7 +487,7 @@ jobs:
            terraform-module.zip
      - name: Create Terraform provider release with artifcats
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        with:
          draft: true
          generate_release_notes: false
--- a/.github/workflows/e2e-attestationconfigapi.yml
+++ b/.github/workflows/e2e-attestationconfigapi.yml
@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          # Don't trigger in forks, use head on pull requests, use default otherwise.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
--- a/.github/workflows/e2e-cleanup-weekly.yml
+++ b/.github/workflows/e2e-cleanup-weekly.yml
@ -4,7 +4,7 @@ on:
  schedule:
    - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
  workflow_dispatch:
-
+    
 jobs:
  cleanup:
@ -14,7 +14,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Cleanup
        uses: ./.github/actions/e2e_cleanup_timeframe
@ -22,5 +22,3 @@ jobs:
          ghToken: ${{ secrets.GITHUB_TOKEN }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
          azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@ -29,12 +29,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}
      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -21,7 +21,7 @@ jobs:
      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -45,7 +45,7 @@ jobs:
      fail-fast: false
      max-parallel: 5
      matrix:
-        kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
+        kubernetesVersion: ["1.28"] # should be default
        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
        refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
        test: ["sonobuoy quick"]
@ -59,7 +59,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -159,12 +159,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-internal-lb.yml
+++ b/.github/workflows/e2e-test-internal-lb.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-marketplace-image.yml
+++ b/.github/workflows/e2e-test-marketplace-image.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-provider-example.yml
+++ b/.github/workflows/e2e-test-provider-example.yml
@ -71,7 +71,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.ref || github.head_ref }}
@ -154,7 +154,7 @@ jobs:
      - name: Login to AWS (IAM + Cluster role)
        if: steps.determine.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
@ -337,12 +337,12 @@ jobs:
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
          terraform init
          if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
-            timeout 1h terraform apply -target module.azure_iam -auto-approve
+            terraform apply -target module.azure_iam -auto-approve
-            timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
+            terraform apply -target module.azure_infrastructure -auto-approve
            ${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
-            timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
+            terraform apply -target constellation_cluster.azure_example -auto-approve
          else
-            timeout 1h terraform apply -auto-approve
+            terraform apply -auto-approve
          fi
      - name: Cleanup Terraform Cluster on failure
@ -353,7 +353,7 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve -lock=false
+          terraform destroy -auto-approve
      - name: Add Provider to local Terraform registry # needed if release version was used before
        if: inputs.providerVersion != ''
@ -407,7 +407,7 @@ jobs:
        shell: bash
        run: |
          terraform init --upgrade
-          timeout 1h terraform apply -auto-approve
+          terraform apply -auto-approve
      - name: Assert upgrade successful
        working-directory: ${{ github.workspace }}/cluster
@ -475,11 +475,11 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve -lock=false
+          terraform destroy -auto-approve
      - name: Notify about failure
        if: |
-          (failure() || cancelled()) &&
+          failure() &&
          github.ref == 'refs/heads/main' &&
          github.event_name == 'schedule'
        continue-on-error: true
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -73,53 +73,53 @@ jobs:
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
@ -306,11 +306,11 @@ jobs:
          # - test: "verify"
          #  attestationVariant: "azure-sev-snp"
          #  kubernetes-version: "v1.30"
-          #  runner: "macos-latest"
+          #  runner: "macos-12"
          - test: "recover"
            attestationVariant: "gcp-sev-es"
            kubernetes-version: "v1.30"
-            runner: "macos-latest"
+            runner: "macos-12"
            clusterCreation: "cli"
    runs-on: ${{ matrix.runner }}
    permissions:
@ -326,7 +326,7 @@ jobs:
        run: brew install coreutils kubectl bash
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref || github.head_ref }}
@ -342,7 +342,7 @@ jobs:
      - name: Set up gcloud CLI (macOS)
        if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
      - name: Run E2E test
        id: e2e_test
@ -409,7 +409,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.22.0"]
+        fromVersion: ["v2.18.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
--- a/.github/workflows/e2e-test-stackit.yml
+++ b/.github/workflows/e2e-test-stackit.yml
@ -1,153 +0,0 @@
 name: e2e test STACKIT
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *" # Every day at midnight.
 jobs:
  find-latest-image:
    name: Find latest image
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      contents: read
    outputs:
      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Select relevant image
        id: select-image-action
        uses: ./.github/actions/select_image
        with:
          osImage: "ref/release/stream/stable/?"
      - name: Relabel output
        id: relabel-output
        shell: bash
        run: |
          ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
          stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
          echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
  e2e-stackit:
    strategy:
      fail-fast: false
      max-parallel: 6
      matrix:
        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
        clusterCreation: [ "cli", "terraform" ]
        test: [ "sonobuoy quick" ]
    runs-on: ubuntu-24.04
    permissions:
      id-token: write
      checks: write
      contents: read
      packages: write
      actions: write
    needs: [find-latest-image]
    steps:
      - name: Check out repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
        with:
          nixTools: terraform
      - name: Run E2E test
        id: e2e_test
        uses: ./.github/actions/e2e_test
        with:
          workerNodesCount: "1"
          controlNodesCount: "1"
          cloudProvider: stackit
          attestationVariant: qemu-vtpm
          osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
          isDebugImage: false
          cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
          kubernetesVersion: ${{ matrix.kubernetesVersion }}
          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
          gcpProject: constellation-e2e
          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
          test: ${{ matrix.test }}
          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          registry: ghcr.io
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
          fetchMeasurements: false
          clusterCreation: ${{ matrix.clusterCreation }}
          s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
          s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
      - name: Always terminate cluster
        if: always()
        uses: ./.github/actions/constellation_destroy
        with:
          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
          clusterCreation: ${{ matrix.clusterCreation }}
          cloudProvider: stackit
          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
          gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
      - name: Always delete IAM configuration
        if: always()
        uses: ./.github/actions/constellation_iam_destroy
        with:
          cloudProvider: stackit
          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
      - name: Update tfstate
        if: always()
        env:
          GH_TOKEN: ${{ github.token }}
        uses: ./.github/actions/update_tfstate
        with:
          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
          runID: ${{ github.run_id }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
      - name: Notify about failure
        if: |
          failure() &&
          github.ref == 'refs/heads/main' &&
          github.event_name == 'schedule'
        continue-on-error: true
        uses: ./.github/actions/notify_e2e_failure
        with:
          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
          refStream: "ref/release/stream/stable/?"
          test: ${{ matrix.test }}
          kubernetesVersion: ${{ matrix.kubernetesVersion }}
          provider: stackit
          attestationVariant: qemu-vtpm
          clusterCreation: ${{ matrix.clusterCreation }}
      - name: Notify STACKIT
        if: |
          failure() &&
          github.ref == 'refs/heads/main' &&
          github.event_name == 'schedule'
        continue-on-error: true
        uses: ./.github/actions/notify_stackit
        with:
          slackToken: ${{ secrets.SLACK_TOKEN }}
--- a/.github/workflows/e2e-test-terraform-provider.yml
+++ b/.github/workflows/e2e-test-terraform-provider.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,6 +41,7 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
        default: "1.28"
        required: true
      releaseVersion:
        description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -10,7 +10,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
    name: Find latest image
    runs-on: ubuntu-24.04
    permissions:
@ -22,7 +22,7 @@ jobs:
      image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -51,33 +51,6 @@ jobs:
          # Tests on main-debug refStream
          #
          # Emergency SSH test on latest k8s version
          - test: "emergency ssh"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "emergency ssh"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "emergency ssh"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "emergency ssh"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "emergency ssh"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          # Sonobuoy full test on latest k8s version
          - test: "sonobuoy full"
            refStream: "ref/main/stream/debug/?"
@ -116,55 +89,56 @@ jobs:
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.28"
            clusterCreation: "cli"
          # verify test on latest k8s version
          - test: "verify"
            refStream: "ref/main/stream/debug/?"
@ -316,27 +290,27 @@ jobs:
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.30"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
    runs-on: ubuntu-24.04
@ -349,7 +323,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -446,7 +420,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.22.0"]
+        fromVersion: ["v2.18.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
@ -474,12 +448,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Azure login OIDC
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -16,7 +16,6 @@ on:
          - "azure-sev-snp"
          - "azure-tdx"
          - "aws-sev-snp"
          - "stackit-qemu-vtpm"
        default: "azure-sev-snp"
        required: true
      runner:
@ -24,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-latest"
+          - "macos-12"
        default: "ubuntu-24.04"
      test:
        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
@ -40,12 +39,11 @@ on:
          - "recover"
          - "malicious join"
          - "s3proxy"
          - "emergency ssh"
          - "nop"
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.30"
+        default: "1.29"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@ -139,7 +137,6 @@ jobs:
      workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
      controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
      cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
      attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
    steps:
      - name: Split nodeCount
        id: split-nodeCount
@ -164,12 +161,6 @@ jobs:
          attestationVariant="${{ inputs.attestationVariant }}"
          cloudProvider="${attestationVariant%%-*}"
          # special case for STACKIT, as there's no special attestation variant for it
          if [[ "${cloudProvider}" == "stackit" ]]; then
            attestationVariant="qemu-vtpm"
          fi
          echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"
  find-latest-image:
@ -184,13 +175,13 @@ jobs:
    steps:
      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.git-ref }}
@ -221,19 +212,19 @@ jobs:
      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ inputs.git-ref }}
      - name: Set up gcloud CLI (macOS)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
      - name: Run manual E2E test
        id: e2e_test
@ -242,7 +233,7 @@ jobs:
          workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
          controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
-          attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
+          attestationVariant: ${{ inputs.attestationVariant }}
          machineType: ${{ inputs.machineType }}
          regionZone: ${{ inputs.regionZone }}
          gcpProject: constellation-e2e
@ -271,9 +262,6 @@ jobs:
          marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
          force: ${{ inputs.force }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
      - name: Always terminate cluster
        if: always()
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@ -147,14 +147,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -232,14 +232,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -268,13 +268,13 @@ jobs:
          push: true
      - name: Upload CLI binary # is needed for the cleanup step
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build/constellation
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
@ -296,7 +296,7 @@ jobs:
      - name: Login to AWS (IAM role)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
          aws-region: eu-central-1
@ -347,7 +347,7 @@ jobs:
      - name: Login to AWS (Cluster role)
        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
          aws-region: eu-central-1
@ -411,20 +411,20 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
      - name: Download CLI
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@ -21,7 +21,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -45,23 +45,23 @@ jobs:
          push: true
      - name: Upload CLI artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          path: build/constellation.exe
          name: "constell-exe"
  e2e-test:
    name: E2E Test Windows
-    runs-on: windows-2025
+    runs-on: windows-2022
    needs: build-cli
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Download CLI artifact
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: "constell-exe"
@ -186,7 +186,7 @@ jobs:
      inputs.scheduled
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@ -26,7 +26,7 @@ jobs:
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0 # fetch all history
@ -49,7 +49,7 @@ jobs:
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Override latest
        if: github.event.inputs.latest == 'true'
@ -123,7 +123,7 @@ jobs:
      contents: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Remove temporary branch
        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -137,12 +137,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: ./.github/actions/setup_bazel_nix
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
--- a/.github/workflows/purge-main.yml
+++ b/.github/workflows/purge-main.yml
@ -18,12 +18,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ github.head_ref }}
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -1,79 +0,0 @@
 name: 'Release: on-publish'
 on:
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      tag:
        description: 'Semantic version tag of the release (vX.Y.Z).'
        required: true
 jobs:
  post-release-actions:
    runs-on: ubuntu-24.04
    permissions:
      issues: write
    env:
      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
      GH_TOKEN: ${{ github.token }}
    steps:
      - name: Mark milestone as complete
        run: |
          milestones=$(gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            /repos/edgelesssys/constellation/milestones)
          current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
          echo "current milestone: ${current_milestone}"
          if [[ -z "${current_milestone}" ]]; then
            echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
            exit 0
          fi
          current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
          echo "current milestone state: ${current_milestone_state}"
          if [[ "${current_milestone_state}" != "open" ]]; then
            echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
            exit 0
          fi
          milestone_number=$(echo "${current_milestone}" | jq -r '.number')
          echo "milestone number: ${milestone_number}"
          if [[ -z "${milestone_number}" ]]; then
            echo "failed parsing milestone number"
            exit 1
          fi
          gh api \
            --method PATCH \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            "/repos/edgelesssys/constellation/milestones/${milestone_number}" \
            -f state=closed
      - name: Create next milestone
        run: |
          WITHOUT_V=${FULL_VERSION#v}
          PART_MAJOR=${WITHOUT_V%%.*}
          PART_MINOR=${WITHOUT_V#*.}
          PART_MINOR=${PART_MINOR%%.*}
          NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
          gh api \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            /repos/edgelesssys/constellation/milestones |
            jq -r '.[].title' | \
            grep -xqF "${NEXT_MINOR}" && exit 0
          gh api \
            --method POST \
            -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            /repos/edgelesssys/constellation/milestones \
            -f title="${NEXT_MINOR}" \
            -f state='open' \
            -f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,7 +33,7 @@ jobs:
      RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Working branch
        run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -72,9 +72,10 @@ jobs:
            echo "WORKING_BRANCH=${WORKING_BRANCH}"
          } | tee -a "$GITHUB_OUTPUT"
-  update-main-branch:
+  docs:
-    name: Update main branch with release changes
+    name: Create docs release (from main)
    runs-on: ubuntu-24.04
    if: inputs.kind == 'minor'
    needs: verify-inputs
    permissions:
      contents: write
@ -84,55 +85,30 @@ jobs:
      MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
      BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: main
      - name: Configure git
        run: |
          git config --global user.name "edgelessci"
          git config --global user.email "edgelessci@users.noreply.github.com"
      - name: Create docs release
        if: inputs.kind == 'minor'
        working-directory: docs
        run: |
-          npm ci
+          npm install
          npm run docusaurus docs:version "${MAJOR_MINOR}"
          git add .
          git commit -am "docs: release ${MAJOR_MINOR}"
          # Clean up auxiliary files, so next steps run on a clean tree
          git clean -fdx :/
      - name: Update version.txt
        if: inputs.kind == 'minor'
        run: |
          pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
          echo "${pre_release_version}" > version.txt
          git add version.txt
          git commit -m "chore: update version.txt to ${pre_release_version}"
      - name: Update CI for new version
        run: |
          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml
      - name: Create docs pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: ${{ env.BRANCH }}
          base: main
-          title: "Post ${{ env.VERSION }} release updates to main"
+          title: "docs: add release ${{ env.VERSION }}"
          body: |
            :robot: *This is an automated PR.* :robot:
            The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
-          commit-message: "chore: update CI for ${{ env.VERSION }}"
+            It releases a new version of the documentation.
          commit-message: "docs: add release ${{ env.VERSION }}"
          committer: edgelessci <edgelessci@users.noreply.github.com>
          author: edgelessci <edgelessci@users.noreply.github.com>
          labels: no changelog
          assignees: ${{ github.actor }}
          reviewers: ${{ github.actor }}
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}
@ -147,7 +123,7 @@ jobs:
      WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -185,7 +161,7 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
@ -239,17 +215,6 @@ jobs:
      stream: "stable"
      ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
  check-measurements-reproducibility:
    name: Check measurements reproducibility
    needs: [verify-inputs, os-image]
    runs-on: ubuntu-24.04
    steps:
      - name: Check reproducibility
        uses: ./.github/actions/check_measurements_reproducibility
        with:
          version: ${{ inputs.version }}
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
  update-hardcoded-measurements:
    name: Update hardcoded measurements (in the CLI)
    needs: [verify-inputs, os-image]
@ -261,14 +226,14 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: true
      - name: Build generateMeasurements tool
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@ -1,9 +1,8 @@
 # Verify that Constellation builds are reproducible.
 #
-# The build-* jobs' matrix has three dimensions: a list of targets to build, a
+# The build-* jobs' matrix has two dimensions: a list of targets to build and
-# list of runners to build on and a method of installing dependencies. The
+# a list of runners to build on. The produced binaries and OS images are
-# produced binaries and OS images are expected to be bit-for-bit identical,
+# expected to be bit-for-bit identical, regardless of the chosen build runner.
 # without any dependencies on the runtime setup details.
 #
 # The compare-* jobs only have the target dimension. They obtain the built
 # targets from all runners and check that there are no diffs between them.
@ -13,9 +12,6 @@ on:
  workflow_dispatch:
  schedule:
    - cron: "45 06 * * 1" # Every Monday at 6:45am
  pull_request:
    paths:
      - .github/workflows/reproducible-builds.yml
 jobs:
  build-binaries:
@ -28,39 +24,19 @@ jobs:
            - "cli_enterprise_linux_amd64"
            - "cli_enterprise_linux_arm64"
            - "cli_enterprise_windows_amd64"
-          runner:
+          runner: ["ubuntu-22.04", "ubuntu-20.04"]
            - "ubuntu-24.04"
            - "ubuntu-22.04"
          deps:
            - conventional
            - eccentric
    env:
        bazel_target: "//cli:${{ matrix.target }}"
-        binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+        binary: "${{ matrix.target }}-${{ matrix.runner }}"
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-      - name: Setup dependencies
+      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
        if: matrix.deps == 'conventional'
      - name: Setup dependencies (eccentric)
        if: matrix.deps == 'eccentric'
        run: |
          bazelVersion=$(cat .bazelversion)
          mkdir -p "$HOME/.local/bin"
          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
          chmod a+x "$HOME/.local/bin/bazel"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
          nixVersion=$(cat .nixversion)
          chmod a+x "$HOME/.local/bin/nix-installer"
          "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"
      - name: Build
        shell: bash
@ -81,15 +57,15 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
      - name: Upload binary artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
-          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"
      - name: Upload hash artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
-          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
+          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
  build-osimages:
@ -101,26 +77,14 @@ jobs:
            - "aws_aws-nitro-tpm_console"
            - "qemu_qemu-vtpm_debug"
            - "gcp_gcp-sev-snp_nightly"
-          runner: ["ubuntu-24.04", "ubuntu-22.04"]
+          runner: ["ubuntu-22.04", "ubuntu-20.04"]
    env:
        bazel_target: "//image/system:${{ matrix.target }}"
        binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Remove security hardening features
        if: matrix.runner == 'ubuntu-24.04'
        shell: bash
        run: |
          # Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
          # This command fails with a non-zero error code even though it unloads the apparmor profiles.
          # https://gitlab.com/apparmor/apparmor/-/issues/403
          sudo aa-teardown || true
          sudo apt-get remove -y apparmor
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -146,13 +110,13 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"
      - name: Upload binary artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"
      - name: Upload hash artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
@ -170,12 +134,12 @@ jobs:
            - "cli_enterprise_windows_amd64"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Download binaries
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: "binaries-${{ matrix.target }}-*"
          merge-multiple: true
@ -204,12 +168,12 @@ jobs:
              - "gcp_gcp-sev-snp_nightly"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Download os images
-        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: "osimages-${{ matrix.target }}-*"
          merge-multiple: true
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -18,25 +18,25 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false
      - name: Run analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Upload artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sync-terraform-docs.yml
+++ b/.github/workflows/sync-terraform-docs.yml
@ -18,14 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout constellation repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
          path: constellation
      - name: Checkout terraform-provider-constellation repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          repository: edgelesssys/terraform-provider-constellation
          ref: main
@ -40,7 +40,7 @@ jobs:
      - name: Create pull request
        id: create-pull-request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          path: terraform-provider-constellation
          branch: "feat/docs/update"
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@ -25,7 +25,7 @@ jobs:
      CTEST_OUTPUT_ON_FAILURE: True
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
--- a/.github/workflows/test-operator-codegen.yml
+++ b/.github/workflows/test-operator-codegen.yml
@ -21,14 +21,14 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      - name: Setup Go environment
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
-          go-version: "1.24.2"
+          go-version: "1.23.2"
          cache: true
      - name: Run code generation
--- a/.github/workflows/test-tfsec.yml
+++ b/.github/workflows/test-tfsec.yml
@ -23,7 +23,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@ -17,7 +17,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          # No token available for forks, so we can't push changes
@ -37,7 +37,7 @@ jobs:
      - name: Assume AWS role to upload Bazel dependencies to S3
        if: startsWith(github.head_ref, 'renovate/')
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
--- a/.github/workflows/test-unittest.yml
+++ b/.github/workflows/test-unittest.yml
@ -30,7 +30,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
@ -49,7 +49,7 @@ jobs:
          rm -rf awscliv2.zip aws
      - name: Login to AWS (IAM role)
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
          aws-region: eu-central-1
@ -69,7 +69,7 @@ jobs:
      - name: Comment coverage
        if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
        with:
          header: coverage
          path: coverage_diff.md
--- a/.github/workflows/update-rpms.yml
+++ b/.github/workflows/update-rpms.yml
@ -13,12 +13,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}
      - name: Assume AWS role to upload Bazel dependencies to S3
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
@ -39,7 +39,7 @@ jobs:
          fi
      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
        with:
          branch: "image/automated/update-rpms-${{ github.run_number }}"
          base: main
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -115,7 +115,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -149,21 +149,21 @@ jobs:
      - name: Login to AWS without write access
        if: steps.check-rights.outputs.write == 'false'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
      - name: Login to AWS with write access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
          aws-region: eu-central-1
      - name: Login to AWS with write and image remove access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
          aws-region: eu-central-1
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,65 +1,53 @@
 version: "2"
 run:
  timeout: 10m
  build-tags:
    - integration
    - e2e
  modules-download-mode: readonly
 output:
  formats:
-    tab:
+    - format: tab
      path: stdout
-      colors: false
+  sort-results: true
 linters:
  enable:
    # Default linters
    - errcheck
    - gosimple
    - govet
    - ineffassign
    - staticcheck
    - typecheck
    - unused
    # Additional linters
    - bodyclose
    - copyloopvar
    - errname
    - exportloopref
    - godot
    - gofmt
    - gofumpt
    - misspell
    - noctx
    - revive
    - tenv
    - unconvert
    - unparam
    - usetesting
  settings:
    errcheck:
      exclude-functions:
        - (*go.uber.org/zap.Logger).Sync
        - (*google.golang.org/grpc.Server).Serve
  exclusions:
    generated: lax
    presets:
      - common-false-positives
      - legacy
      - std-error-handling
    paths:
      - 3rdparty/node-maintenance-operator
    rules:
    # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
    - linters: ["staticcheck"]
      text: "QF1008: could remove embedded field"
    - linters: ["staticcheck"]
      text: "QF1001: could apply De Morgan's law"
    - linters: ["staticcheck"]
      text: "ST1005: error strings should not be capitalized"
    - linters: ["revive"]
      text: "package-comments: package comment should be of the form"
    - linters: ["revive"]
      text: "package-comments: should have a package comment"
    - linters: ["staticcheck"]
      text: "QF1012: Use fmt.Fprintf"
    - linters: ["staticcheck"]
      text: "ST1019"
 issues:
  max-issues-per-linter: 0
  max-same-issues: 20
-formatters:
+  exclude-dirs:
-  enable:
+    - 3rdparty/node-maintenance-operator
-    - gofmt
+  include:
-    - gofumpt
+    - EXC0012
-  exclusions:
+    - EXC0014
-    generated: lax
+
-    paths:
+linters-settings:
-      - 3rdparty/node-maintenance-operator
+  errcheck:
    # List of functions to exclude from checking, where each entry is a single function to exclude.
    # See https://github.com/kisielk/errcheck#excluding-functions for details.
    exclude-functions:
      - (*go.uber.org/zap.Logger).Sync
      - (*google.golang.org/grpc.Server).Serve
--- a/.nixversion
+++ b/.nixversion
@ -1 +0,0 @@
 2.25.2
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
@ -1,13 +0,0 @@
 load("//bazel/sh:def.bzl", "sh_template")
 sh_template(
    name = "pull_files",
    data = [
        "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
    ],
    substitutions = {
        "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
    },
    template = "pull_files.sh",
    visibility = ["//visibility:public"],
 )
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
@ -1,24 +0,0 @@
 #!/usr/bin/env bash
 ###### script header ######
 lib=$(realpath @@BASE_LIB@@) || exit 1
 stat "${lib}" >> /dev/null || exit 1
 # shellcheck source=../../../bazel/sh/lib.bash
 if ! source "${lib}"; then
  echo "Error: could not find import"
  exit 1
 fi
 controller_policy_source="@@POLICY_SRC@@"
 ###### script body ######
 controller_policy_real_source=$(realpath "${controller_policy_source}")
 cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
 targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
 cp "${controller_policy_real_source}" "${targetDir}"
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
@ -1,22 +0,0 @@
 """A module defining the source of the AWS load balancer controller."""
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def aws_load_balancer_controller_deps():
    http_archive(
        name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
        urls = [
            "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
        ],
        strip_prefix = "aws-load-balancer-controller-2.12.0",
        build_file_content = """
 filegroup(
    srcs = ["docs/install/iam_policy.json"],
    name = "lb_policy",
    visibility = ["//visibility:public"],
 )
        """,
        type = "tar.gz",
        sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
    )
--- a/3rdparty/gcp-guest-agent/Dockerfile
+++ b/3rdparty/gcp-guest-agent/Dockerfile
@ -1,4 +1,4 @@
-FROM ubuntu:24.04@sha256:1e622c5f073b4f6bfad6632f2616c7f59ef256e96fe78bf6a595d1dc4376ac02 as build
+FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as build
 # Install packages
 RUN apt-get update && apt-get install -y \
@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
    git
 # Install Go
-ARG GO_VER=1.24.2
+ARG GO_VER=1.22.3
 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
    tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
    rm go${GO_VER}.linux-amd64.tar.gz
--- a/MODULE.bazel
+++ b/MODULE.bazel
@ -1,6 +1,6 @@
 module(name = "constellation")
-bazel_dep(name = "aspect_bazel_lib", version = "2.14.0")
+bazel_dep(name = "aspect_bazel_lib", version = "2.9.2")
 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.yq()
@ -8,27 +8,21 @@ use_repo(bazel_lib, "jq_toolchains")
 use_repo(bazel_lib, "yq_toolchains")
 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "gazelle", version = "0.42.0")
+bazel_dep(name = "gazelle", version = "0.39.1")
-bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
-bazel_dep(name = "rules_cc", version = "0.1.1")
+bazel_dep(name = "rules_cc", version = "0.0.13")
-bazel_dep(name = "rules_go", version = "0.53.0", repo_name = "io_bazel_rules_go")
+bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go")
-bazel_dep(name = "rules_pkg", version = "1.1.0")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
-bazel_dep(name = "rules_proto", version = "7.1.0")
+bazel_dep(name = "rules_proto", version = "6.0.2")
-bazel_dep(name = "rules_python", version = "1.3.0")
+bazel_dep(name = "rules_python", version = "0.36.0")
-bazel_dep(name = "buildifier_prebuilt", version = "8.0.1", dev_dependency = True)
+bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(
    name = "go_sdk",
    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
-    version = "1.24.2",
+    version = "1.23.2",
 )
 python = use_extension("@rules_python//python/extensions:python.bzl", "python")
 python.toolchain(
    ignore_root_user_error = True,
    python_version = "3.11",
 )
 # the use_repo rule needs to list all top-level go dependencies
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/WORKSPACE.bzlmod
+++ b/WORKSPACE.bzlmod
@ -234,10 +234,6 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"
 node_maintainance_operator_deps()
 load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
 aws_load_balancer_controller_deps()
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")
--- a/bazel/bazelrc/ci.bazelrc
+++ b/bazel/bazelrc/ci.bazelrc
@ -62,10 +62,6 @@ build --remote_local_fallback
 # Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
 build --grpc_keepalive_time=30s
 # Use fallbacks in case proxy.golang.org is not reachable.
 # Docs: https://go.dev/ref/mod#goproxy-protocol
 common '--repo_env=GOPROXY=https://proxy.golang.org|https://goproxy.io|direct'
 ######################################
 # Edgeless specific                  #
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@ -1,7 +1,7 @@
 load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
 load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
 load("@gazelle//:def.bzl", "gazelle")
-load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
+load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
 load("//bazel/ci:proto_targets.bzl", "proto_targets")
 load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")
@ -514,14 +514,16 @@ multirun(
 )
 multirun(
-    name = "parallel_checks",
+    name = "check",
    testonly = True,
    commands = [
        ":gazelle_check",
        ":buildifier_check",
        ":golangci_lint",
        ":terraform_check",
        ":golicenses_check",
        ":license_header_check",
        ":govulncheck",
        ":deps_mirror_check",
        ":proto_targets_check",
        ":unused_gh_actions",
@ -540,25 +542,11 @@ multirun(
    visibility = ["//visibility:public"],
 )
 multirun(
    name = "check",
    testonly = True,
    commands = [
        ":parallel_checks",
        ":golangci_lint",
        ":govulncheck",
    ],
    jobs = 1,  # execute sequentially to avoid running into memory issues on our CI runners
    stop_on_error = False,
    visibility = ["//visibility:public"],
 )
 multirun(
    name = "generate_files",
    commands = [
        ":terraform_gen",
        "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
        "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
        ":go_generate",
        ":proto_generate",
    ],
--- a/bazel/ci/go_bin_for_host.bzl
+++ b/bazel/ci/go_bin_for_host.bzl
@ -1,29 +0,0 @@
 """
 Go toolchain for the host platformS
 Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl
 """
 load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS")
 GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain"
 def _ensure_target_cfg(ctx):
    if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path:
        fail("exec not found")
 def _go_bin_for_host_impl(ctx):
    _ensure_target_cfg(ctx)
    sdk = ctx.toolchains[GO_TOOLCHAIN].sdk
    sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list())
    return [
        DefaultInfo(
            files = depset([sdk.go]),
            runfiles = sdk_files,
        ),
    ]
 go_bin_for_host = rule(
    implementation = _go_bin_for_host_impl,
    toolchains = [GO_TOOLCHAIN],
    exec_compatible_with = HOST_CONSTRAINTS,
 )
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -63,8 +63,6 @@ license_report() {
        github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;;
        github.com/edgelesssys/go-tdx-qpl) ;;
        *)
          not_allowed
          ;;
@ -73,6 +71,8 @@ license_report() {
      Unknown)
        case ${pkg} in
        github.com/edgelesssys/go-tdx-qpl/*) ;;
        *)
          not_allowed
          ;;
--- a/bazel/ci/govulncheck.sh.in
+++ b/bazel/ci/govulncheck.sh.in
@ -27,16 +27,11 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
 PATH=$(dirname "${go}"):${PATH}
 check_module() {
  excluded_osvs=(
    "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
    "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
  )
  # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
  CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
-    "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
+    "${jq}" -sr '
        (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs | 
-        map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
+        map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
        group_by(.osv) | 
        map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
        if length > 0 then halt_error(1) else .[] end'
--- a/bazel/ci/terraform.sh.in
+++ b/bazel/ci/terraform.sh.in
@ -46,6 +46,7 @@ excludeDirs=(
 excludeLockDirs=(
  "build"
  "terraform-provider-constellation"
  "terraform/legacy-module"
 )
 excludeCheckDirs=(
@ -142,7 +143,6 @@ check() {
    done
    echo "This may take 5-10 min..."
    for module in "${terraformLockModules[@]}"; do
      echo "Generating lock file for ${module}"
      ${terraform} -chdir="${module}" init > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null
--- a/bazel/proto/rules.bzl
+++ b/bazel/proto/rules.bzl
@ -5,14 +5,17 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927
 """
 load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
-load("@io_bazel_rules_go//go:def.bzl", "GoInfo")
+load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context")
 load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler")
 def _output_go_library_srcs_impl(ctx):
    go = go_context(ctx)
    srcs_of_library = []
    importpath = ""
    for src in ctx.attr.deps:
-        lib = src[GoInfo]
+        lib = src[GoLibrary]
        go_src = go.library_to_source(go, ctx.attr, lib, False)
        if importpath and lib.importpath != importpath:
            fail(
                "importpath of all deps must match, got {} and {}",
@ -20,7 +23,7 @@ def _output_go_library_srcs_impl(ctx):
                lib.importpath,
            )
        importpath = lib.importpath
-        srcs_of_library.extend(lib.srcs)
+        srcs_of_library.extend(go_src.srcs)
    if len(srcs_of_library) != 1:
        fail("expected exactly one src for library, got {}", len(srcs_of_library))
@ -51,7 +54,7 @@ output_go_library_srcs = rule(
            default = "@io_bazel_rules_go//proto:go_proto",
        ),
        "deps": attr.label_list(
-            providers = [GoInfo],
+            providers = [GoLibrary],
            aspects = [],
        ),
        "out": attr.output(
--- a/bazel/release/artifacts/BUILD.bazel
+++ b/bazel/release/artifacts/BUILD.bazel
@ -70,5 +70,5 @@ go_test(
    env = platform_container_sums_paths | platform_clis_paths,
    # keep
    x_defs = {"runsUnder": "bazel"},
-    deps = ["@io_bazel_rules_go//go/runfiles"],
+    deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"],
 )
--- a/bazel/toolchains/ci_deps.bzl
+++ b/bazel/toolchains/ci_deps.bzl
@ -97,83 +97,83 @@ def _actionlint_deps():
        name = "com_github_rhysd_actionlint_linux_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
+        sha256 = "37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_linux_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
+        sha256 = "5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
+        sha256 = "33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
+        sha256 = "b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
    )
 def _gofumpt_deps():
    http_file(
        name = "com_github_mvdan_gofumpt_linux_amd64",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6",
-            "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_amd64",
+            "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_amd64",
        ],
        executable = True,
        downloaded_file_path = "gofumpt",
-        sha256 = "11604bbaf7321abcc2fca2c6a37b7e9198bb1e76e5a86f297c07201e8ab1fda9",
+        sha256 = "6ff459c1dcae3b0b00844c1a5a4a5b0f547237d8a4f3624aaea8d424aeef24c6",
    )
    http_file(
        name = "com_github_mvdan_gofumpt_linux_arm64",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3",
-            "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_linux_arm64",
+            "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_linux_arm64",
        ],
        executable = True,
        downloaded_file_path = "gofumpt",
-        sha256 = "787c1d3d4d20e6fe2b0bf06a5a913ac0f50343dbf9a71540724a2b8092a0e6ca",
+        sha256 = "00c18c88ef50437629626ba20d677f4648684cb280952814cdd887677d42cbd3",
    )
    http_file(
        name = "com_github_mvdan_gofumpt_darwin_amd64",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3",
-            "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_amd64",
+            "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_amd64",
        ],
        executable = True,
        downloaded_file_path = "gofumpt",
-        sha256 = "0dda6600cf263b703a5ad93e792b06180c36afdee9638617a91dd552f2c6fb3e",
+        sha256 = "b7d05e092da45c5ec96344ab635b1d6547c3e27c840ba39bc76989934efd7ce3",
    )
    http_file(
        name = "com_github_mvdan_gofumpt_darwin_arm64",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a",
-            "https://github.com/mvdan/gofumpt/releases/download/v0.8.0/gofumpt_v0.8.0_darwin_arm64",
+            "https://github.com/mvdan/gofumpt/releases/download/v0.7.0/gofumpt_v0.7.0_darwin_arm64",
        ],
        executable = True,
        downloaded_file_path = "gofumpt",
-        sha256 = "7e66e92b7a67d1d12839ab030fb7ae38e5e2273474af3762e67bc7fe9471fcd9",
+        sha256 = "08f23114760a090b090706d92b8c52b9875b9eb352d76c77aa354d6aa20b045a",
    )
 def _tfsec_deps():
@ -181,41 +181,41 @@ def _tfsec_deps():
        name = "com_github_aquasecurity_tfsec_linux_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_amd64.tar.gz",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
+        sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_linux_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_arm64.tar.gz",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
+        sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_amd64.tar.gz",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
+        sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_arm64.tar.gz",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
+        sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
    )
 def _golangci_lint_deps():
@ -223,45 +223,45 @@ def _golangci_lint_deps():
        name = "com_github_golangci_golangci_lint_linux_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/bc16fd1ef25bce2c600de0122600100ab26d6d75388cc5369c5bb916cb2b82e3",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.1.2/golangci-lint-2.1.2-linux-amd64.tar.gz",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.1.2-linux-amd64",
+        strip_prefix = "golangci-lint-1.61.0-linux-amd64",
        type = "tar.gz",
-        sha256 = "bc16fd1ef25bce2c600de0122600100ab26d6d75388cc5369c5bb916cb2b82e3",
+        sha256 = "77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_linux_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/46e86f1c4a94236e4d0bb35252c72939bed9f749897aaad54b576d430b1bb6d4",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.1.2/golangci-lint-2.1.2-linux-arm64.tar.gz",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.1.2-linux-arm64",
+        strip_prefix = "golangci-lint-1.61.0-linux-arm64",
        type = "tar.gz",
-        sha256 = "46e86f1c4a94236e4d0bb35252c72939bed9f749897aaad54b576d430b1bb6d4",
+        sha256 = "af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/ed02ba3ad28466d61d2ae2b80cc95671713fa842c353da37842b1b89e36cb3ce",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.1.2/golangci-lint-2.1.2-darwin-amd64.tar.gz",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.1.2-darwin-amd64",
+        strip_prefix = "golangci-lint-1.61.0-darwin-amd64",
        type = "tar.gz",
-        sha256 = "ed02ba3ad28466d61d2ae2b80cc95671713fa842c353da37842b1b89e36cb3ce",
+        sha256 = "5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/1cff60651d7c95a4248fa72f0dd020bffed1d2dc4dd8c2c77aee89a0731fa615",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
-            "https://github.com/golangci/golangci-lint/releases/download/v2.1.2/golangci-lint-2.1.2-darwin-arm64.tar.gz",
+            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-2.1.2-darwin-arm64",
+        strip_prefix = "golangci-lint-1.61.0-darwin-arm64",
        type = "tar.gz",
-        sha256 = "1cff60651d7c95a4248fa72f0dd020bffed1d2dc4dd8c2c77aee89a0731fa615",
+        sha256 = "544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
    )
 def _buf_deps():
@ -270,44 +270,44 @@ def _buf_deps():
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/ce439b98c0e655ba1821fc529442f677135a9a44206a85cf2081a445bde02554",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Linux-x86_64.tar.gz",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "ce439b98c0e655ba1821fc529442f677135a9a44206a85cf2081a445bde02554",
+        sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
    )
    http_archive(
        name = "com_github_bufbuild_buf_linux_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/fb980e62f55a0d705f555124b5b250a6234deae67b3a493b1844fed8cb48f012",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Linux-aarch64.tar.gz",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "fb980e62f55a0d705f555124b5b250a6234deae67b3a493b1844fed8cb48f012",
+        sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_amd64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/ff3aedaa8bf53c3ae53bf863bb6141a23ef9e2ef750016ab217b0466ab3e89be",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Darwin-x86_64.tar.gz",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "ff3aedaa8bf53c3ae53bf863bb6141a23ef9e2ef750016ab217b0466ab3e89be",
+        sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/b11d5afda7f58a44a6520b798902b1263aba921b0989cb156ecf2acc8eb1ce31",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
-            "https://github.com/bufbuild/buf/releases/download/v1.52.1/buf-Darwin-arm64.tar.gz",
+            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "b11d5afda7f58a44a6520b798902b1263aba921b0989cb156ecf2acc8eb1ce31",
+        sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
    )
 def _talos_docgen_deps():
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
    oci_pull(
        name = "distroless_static",
-        digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
+        digest = "sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea",
        image = "gcr.io/distroless/static",
        platforms = [
            "linux/amd64",
@ -16,6 +16,6 @@ def containter_image_deps():
    )
    oci_pull(
        name = "libvirtd_base",
-        digest = "sha256:f23e0f587860c841adde25b1b4f0d99aa4fbce1c92b01b5b46ab5fa35980a135",
+        digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7",
        image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
    )
--- a/bazel/toolchains/linux_kernel.bzl
+++ b/bazel/toolchains/linux_kernel.bzl
@ -9,38 +9,38 @@ def kernel_rpms():
    http_file(
        name = "kernel_lts",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273",
-            "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-6.6.87-100.constellation.fc40.x86_64.rpm",
+            "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-6.6.30-100.constellation.fc40.x86_64.rpm",
        ],
        downloaded_file_path = "kernel-lts.rpm",
-        sha256 = "7834bc4bc7e088c98505956382884bdc670ab9a9283288b7fef04a43df31356e",
+        sha256 = "c87995e19c04e2f033e6db5e92bfcb845ac015722e776c09a7af4c82c86cd273",
    )
    http_file(
        name = "kernel_core_lts",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140",
-            "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-core-6.6.87-100.constellation.fc40.x86_64.rpm",
+            "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-core-6.6.30-100.constellation.fc40.x86_64.rpm",
        ],
        downloaded_file_path = "kernel-core-lts.rpm",
-        sha256 = "2763c699d1e2f9810421ac7af2e9c94c6f98533e83f2938c26f1d824e3559b97",
+        sha256 = "5692d862b0cc0c442c581e5f3dc9f3c36cabda0c29d3f62e9b6313a6ec88b140",
    )
    http_file(
        name = "kernel_modules_lts",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f",
-            "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-6.6.87-100.constellation.fc40.x86_64.rpm",
+            "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-6.6.30-100.constellation.fc40.x86_64.rpm",
        ],
        downloaded_file_path = "kernel-modules-lts.rpm",
-        sha256 = "a7604eec263f190db573d809d20336bbf75e46c51f5977f5db95bb88bfec56d3",
+        sha256 = "e1b697343b4f8ed8e992cd92860208dc1c28eb8b25a88f42f426326a0bbc307f",
    )
    http_file(
        name = "kernel_modules_core_lts",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626",
-            "https://cdn.confidential.cloud/constellation/kernel/6.6.87-100.constellation/kernel-modules-core-6.6.87-100.constellation.fc40.x86_64.rpm",
+            "https://cdn.confidential.cloud/constellation/kernel/6.6.30-100.constellation/kernel-modules-core-6.6.30-100.constellation.fc40.x86_64.rpm",
        ],
        downloaded_file_path = "kernel-modules-core-lts.rpm",
-        sha256 = "648fd503d7d54608fbd62ace87c4da098f72abbaac1ab7e343327fc24ccef7f8",
+        sha256 = "448c6b10d9ed02aed078ff77223f5e495b2041be12d92eb0e5ca5726a08e0626",
    )
    # mainline kernel
--- a/bazel/toolchains/nixpkgs_deps.bzl
+++ b/bazel/toolchains/nixpkgs_deps.bzl
@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
    http_archive(
        name = "io_tweag_rules_nixpkgs",
-        sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
+        sha256 = "f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
-        strip_prefix = "rules_nixpkgs-0.13.0",
+        strip_prefix = "rules_nixpkgs-705ee3b26cf49e990cddbbe6f60510fa46d50904",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
-            "https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
+            "https://github.com/tweag/rules_nixpkgs/archive/705ee3b26cf49e990cddbbe6f60510fa46d50904.tar.gz",
        ],
        type = "tar.gz",
    )
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
edgelessci	80f048eb63	attestation: hardcode measurements for v2.19.3	2024-11-25 10:01:59 +00:00
edgelessci	f96267a2fd	deps: update versions to v2.19.3	2024-11-25 09:28:53 +00:00
edgelessci	ceafc737be	chore: update version.txt to v2.19.3	2024-11-25 09:28:34 +00:00
Daniel Weiße	2ce245c98d	ci: update workload identity provider url (#3483 ) Signed-off-by: Daniel Weiße <dw@edgeless.systems>	2024-11-25 10:27:43 +01:00
Daniel Weiße	fe9a1de205	deps: update google/go-sev-guest to v0.11.2-0.20241122022416-97a55186df28 (#3490 ) Signed-off-by: Daniel Weiße <dw@edgeless.systems>	2024-11-25 10:21:20 +01:00
edgelessci	140d7228f8	attestation: hardcode measurements for v2.19.2	2024-11-05 10:16:14 +00:00
edgelessci	d1075c84ba	deps: update versions to v2.19.2	2024-11-05 09:27:55 +00:00
edgelessci	5179f16379	chore: update version.txt to v2.19.2	2024-11-05 09:27:44 +00:00
Mauritz Uphoff	14d3d35dbc	config: only allow confidential instances on stackit (#3463 ) * cli: only allow confidential instances on stackit * review changes	2024-11-05 10:25:52 +01:00
3u13r	33f1a91f43	cli: also log applier debug messages to debug log file (#3457 ) * cli: also log applier debug messages to debug log file * cli: use debug logger instead of cliLogger	2024-11-04 09:09:44 +01:00
Adrian Stobbe	5196de1a66	terraform: fix security rule reconciliation on Azure (#3454 ) * fix security rule reconciliation on azure * fix simulated patch version upgrade	2024-11-04 09:09:26 +01:00
edgelessci	97ae5d8dd0	attestation: hardcode measurements for v2.19.0	2024-10-18 11:57:14 +00:00
edgelessci	681216b577	deps: update versions to v2.19.0	2024-10-18 11:21:12 +00:00
edgelessci	cbd5d93121	chore: update version.txt to v2.19.0	2024-10-18 11:21:00 +00:00