ci: rename nixpkgs input (#3741 )

Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com>
nix: boostrap "v2" tree (#3740 )
2025-04-05 13:35:59 -04:00 · 2025-04-04 11:19:37 +02:00 · 2025-04-04 10:22:28 +02:00 · 2025-04-04 08:37:49 +02:00 · 2025-04-04 08:27:22 +02:00 · 2025-04-04 08:15:19 +02:00
682 changed files with 61015 additions and 10059 deletions
--- a/.bazelversion
+++ b/.bazelversion
@ -1 +1 @@
-7.3.2
+7.4.1
--- a/.github/actions/artifact_download/action.yml
+++ b/.github/actions/artifact_download/action.yml
@ -28,7 +28,7 @@ runs:
      run: echo "directory=$(mktemp -d)" >> "$GITHUB_OUTPUT"

    - name: Download the artifact
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}
--- a/.github/actions/artifact_upload/action.yml
+++ b/.github/actions/artifact_upload/action.yml
@ -69,7 +69,7 @@ runs:
        done

    - name: Upload archive as artifact
-      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: ${{ inputs.name }}
        path: ${{ steps.tempdir.outputs.directory }}/archive.7z
--- a/.github/actions/build_cli/action.yml
+++ b/.github/actions/build_cli/action.yml
@ -79,7 +79,7 @@ runs:
    # once it has the functionality
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

    - name: Install Rekor
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
--- a/.github/actions/build_micro_service/action.yml
+++ b/.github/actions/build_micro_service/action.yml
@ -42,7 +42,7 @@ runs:

    - name: Docker metadata
      id: meta
-      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
      with:
        images: |
          ghcr.io/${{ github.repository }}/${{ inputs.name }}
@ -62,7 +62,7 @@ runs:

    - name: Build and push container image
      id: build-micro-service
-      uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+      uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
      with:
        context: .
        file: ${{ inputs.dockerfile }}
--- a/.github/actions/cdbg_deploy/action.yml
+++ b/.github/actions/cdbg_deploy/action.yml
@ -61,7 +61,7 @@ runs:

    - name: Login to AWS (IAM service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -80,7 +80,7 @@ runs:

    - name: Login to AWS (Cluster service principal)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/check_measurements_reproducibility/action.yml
+++ b/.github/actions/check_measurements_reproducibility/action.yml
@ -0,0 +1,58 @@
+name: Check measurements reproducibility
+description: Check if the measurements of a given release are reproducible.
+
+inputs:
+  version:
+    type: string
+    description: The version of the measurements that are downloaded from the CDN.
+    required: true
+  ref:
+    type: string
+    description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ inputs.ref }}
+        path: ./release
+
+    - name: Set up bazel
+      uses: ./.github/actions/setup_bazel_nix
+      with:
+        useCache: "false"
+        nixTools: |
+          systemdUkify
+          jq
+          jd-diff-patch
+          moreutils
+
+    - name: Build images
+      id: build-images
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        # Build required binaries
+        pushd release
+        bazel build //image/system:stable
+        echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+        popd
+
+    - name: Download measurements
+      shell: bash
+      run: |
+        curl -fsLO https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ inputs.version }}/image/measurements.json
+    
+    - name: Cleanup release measurements and generate our own
+      shell: bash
+      run: |
+        ${{ github.action_path }}/create_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
+        
+    - name: Compare measurements
+      shell: bash
+      run: |
+        ${{ github.action_path }}/compare_measurements.sh "${{ steps.build-images.outputs.buildPath }}"
--- a/.github/actions/check_measurements_reproducibility/compare_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/compare_measurements.sh
@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# no -e since we need to collect errors later
+# no -u since it interferes with checking associative arrays
+set -o pipefail
+shopt -s extglob
+
+declare -A errors
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  echo "Their measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_their-measurements.json
+  echo "Own measurements for $attestationVariant:"
+  ts "  " < "$attestationVariant"_own-measurements.json
+
+  diff="$(jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json)"
+  if [[ -n $diff ]]; then
+    errors["$attestationVariant"]="$diff"
+  fi
+done
+
+for attestationVariant in "${!errors[@]}"; do
+  echo "Failed to reproduce measurements for $attestationVariant:"
+  echo "${errors["$attestationVariant"]}" | ts "  "
+done
+
+if [[ ${#errors[@]} -ne 0 ]]; then
+  exit 1
+fi
--- a/.github/actions/check_measurements_reproducibility/create_measurements.sh
+++ b/.github/actions/check_measurements_reproducibility/create_measurements.sh
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+set -euo pipefail
+shopt -s extglob
+
+for directory in "$1"/system/!(mkosi_wrapper.sh); do
+  dirname="$(basename "$directory")"
+  csp="$(echo "$dirname" | cut -d_ -f1)"
+  attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+  # This jq filter selects the measurements for the correct CSP and attestation variant
+  # and then removes all `warnOnly: true` measurements.
+  jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+    '
+      .list.[]
+      | select(
+        .attestationVariant == $attestation_variant
+        and (.csp | ascii_downcase) == $csp
+      )
+      | .measurements
+      | to_entries
+      | map(select(.value.warnOnly | not))
+      | from_entries
+      | del(.[] .warnOnly)
+  ' \
+    measurements.json > "$attestationVariant"_their-measurements.json
+
+  bazel run --run_under "sudo --preserve-env" //image/measured-boot/cmd -- "$directory/constellation" /dev/stdout | jq '.measurements' > ./"$attestationVariant"_own-measurements.json
+done
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@ -257,9 +257,9 @@ runs:
      continue-on-error: true
      uses: ./.github/actions/artifact_upload
      with:
-        name: serial-logs-${{ inputs.artifactNameSuffix }}
-        path: >
-          !(terraform).log
+        name: debug-logs-${{ inputs.artifactNameSuffix }}
+        path: |
+          *.log
        encryptionSecret: ${{ inputs.encryptionSecret }}

    - name: Prepare terraform state folders
@ -268,9 +268,12 @@ runs:
      run: |
        mkdir to-zip
        cp -r constellation-terraform to-zip
-        cp -r constellation-iam-terraform to-zip
+        # constellation-iam-terraform is optional
+        if [ -d constellation-iam-terraform ]; then
+          cp -r constellation-iam-terraform to-zip
+        fi
        rm -f to-zip/constellation-terraform/plan.zip
-        rm -rf to-zip/constellation-terraform/.terraform to-zip/constellation-iam-terraform/.terraform
+        rm -rf to-zip/*/.terraform

    - name: Upload terraform state
      if: always()
--- a/.github/actions/constellation_destroy/action.yml
+++ b/.github/actions/constellation_destroy/action.yml
@ -67,7 +67,7 @@ runs:

    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
--- a/.github/actions/constellation_iam_create/action.yml
+++ b/.github/actions/constellation_iam_create/action.yml
@ -42,6 +42,15 @@ inputs:
  gcpZone:
    description: "The GCP zone to deploy Constellation in."
    required: false
+  #
+  # STACKIT specific inputs
+  #
+  stackitZone:
+    description: "The STACKIT zone to deploy Constellation in."
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false

 runs:
  using: "composite"
@ -93,6 +102,7 @@ runs:
          --tf-log=DEBUG \
          --yes ${extraFlags}

+    # TODO(@3u13r): Replace deprecated --serviceAccountID with --prefix
    - name: Constellation iam create gcp
      shell: bash
      if: inputs.cloudProvider == 'gcp'
@ -104,3 +114,13 @@ runs:
          --update-config \
          --tf-log=DEBUG \
          --yes
+
+    - name: Set STACKIT-specific configuration
+      shell: bash
+      if: inputs.cloudProvider == 'stackit'
+      env:
+        STACKIT_PROJECT_ID: ${{ inputs.stackitProjectID }}
+      run: |
+        yq eval -i "(.provider.openstack.stackitProjectID) = \"${STACKIT_PROJECT_ID}\"" constellation-conf.yaml
+        yq eval -i "(.provider.openstack.availabilityZone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
+        yq eval -i "(.nodeGroups.[].zone) = \"${{ inputs.stackitZone }}\"" constellation-conf.yaml
--- a/.github/actions/constellation_iam_destroy/action.yml
+++ b/.github/actions/constellation_iam_destroy/action.yml
@ -23,7 +23,7 @@ runs:

    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
--- a/.github/actions/container_registry_login/action.yml
+++ b/.github/actions/container_registry_login/action.yml
@ -17,7 +17,7 @@ runs:
  steps:
    - name: Use docker for logging in
      if: runner.os != 'macOS'
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
      with:
        registry: ${{ inputs.registry }}
        username: ${{ inputs.username }}
--- a/.github/actions/container_sbom/action.yml
+++ b/.github/actions/container_sbom/action.yml
@ -19,7 +19,7 @@ runs:
  steps:
    - name: Install Cosign
      if: inputs.cosignPublicKey != '' && inputs.cosignPrivateKey != '' && inputs.cosignPassword != ''
-      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

    - name: Download Syft & Grype
      uses: ./.github/actions/install_syft_grype
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@ -67,7 +67,7 @@ runs:
    # Make sure that helm is installed
    # This is not always the case, e.g. on MacOS runners
    - name: Install Helm
-      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+      uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      with:
        version: v3.9.0

--- a/.github/actions/download_release_binaries/action.yml
+++ b/.github/actions/download_release_binaries/action.yml
@ -5,51 +5,51 @@ runs:
  using: "composite"
  steps:
    - name: Download CLI binaries darwin-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: constellation-darwin-amd64

    - name: Download CLI binaries darwin-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: constellation-darwin-arm64

    - name: Download CLI binaries linux-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: constellation-linux-amd64

    - name: Download CLI binaries linux-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: constellation-linux-arm64

    - name: Download CLI binaries windows-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: constellation-windows-amd64

    - name: Download Terraform module
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: terraform-module

    - name: Download Terraform provider binary darwin-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: terraform-provider-constellation-darwin-amd64

    - name: Download Terraform provider binary darwin-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: terraform-provider-constellation-darwin-arm64

    - name: Download Terraform provider binary linux-amd64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: terraform-provider-constellation-linux-amd64

    - name: Download Terraform provider binary linux-arm64
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        name: terraform-provider-constellation-linux-arm64
--- a/.github/actions/e2e_attestationconfigapi/action.yml
+++ b/.github/actions/e2e_attestationconfigapi/action.yml
@ -19,7 +19,7 @@ runs:
      uses: ./.github/actions/setup_bazel_nix

    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubTestResourceAPI
        aws-region: eu-west-1
--- a/.github/actions/e2e_autoscaling/action.yml
+++ b/.github/actions/e2e_autoscaling/action.yml
@ -82,7 +82,30 @@ runs:
        KUBECONFIG: ${{ inputs.kubeconfig }}
      run: |
        worker_count=${{ steps.worker_count.outputs.worker_count }}
-        kubectl create -n default deployment nginx --image=nginx --replicas $(( 110 * (worker_count + 1) + 55 ))
+
+        cat <<EOF | kubectl apply -f -
+        kind: Deployment
+        apiVersion: apps/v1
+        metadata:
+          name: nginx
+          namespace: default
+        spec:
+          replicas: $(( 110 * (worker_count + 1) + 55 ))
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0 # Ensure "kubectl wait" actually waits for all pods to be ready
+          selector:
+            matchLabels:
+              app: nginx
+          template:
+            metadata:
+              labels:
+                app: nginx
+            spec:
+              containers:
+              - name: nginx
+                image: nginx
+        EOF

    - name: Wait for autoscaling and check result
      shell: bash
--- a/.github/actions/e2e_benchmark/action.yml
+++ b/.github/actions/e2e_benchmark/action.yml
@ -32,7 +32,7 @@ runs:

  steps:
    - name: Setup python
-      uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
      with:
        python-version: "3.10"

@ -48,7 +48,7 @@ runs:
        install kubestr /usr/local/bin

    - name: Checkout k8s-bench-suite
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        repository: "edgelesssys/k8s-bench-suite"
@ -166,7 +166,7 @@ runs:
        encryptionSecret: ${{ inputs.encryptionSecret }}

    - name: Assume AWS role to retrieve and update benchmarks in S3
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionUpdateBenchmarks
        aws-region: us-east-2
--- a/.github/actions/e2e_benchmark/evaluate/requirements.txt
+++ b/.github/actions/e2e_benchmark/evaluate/requirements.txt
@ -1,3 +1,3 @@
-numpy ==1.26.4
-matplotlib ==3.8.3
-Pillow ==10.3.0
+numpy ==2.2.4
+matplotlib ==3.10.1
+Pillow ==11.1.0
--- a/.github/actions/e2e_cleanup_timeframe/action.yml
+++ b/.github/actions/e2e_cleanup_timeframe/action.yml
@ -11,12 +11,18 @@ inputs:
  azure_credentials:
    description: "Credentials authorized to create Constellation on Azure."
    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false

 runs:
  using: "composite"
  steps:
    - name: Authenticate AWS
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EDestroy
        aws-region: eu-central-1
@ -31,6 +37,16 @@ runs:
      with:
        service_account: "destroy-e2e@constellation-e2e.iam.gserviceaccount.com"

+    - name: Login to OpenStack
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{ inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
    - name: Install tools
      uses: ./.github/actions/setup_bazel_nix
      with:
--- a/.github/actions/e2e_emergency_ssh/action.yml
+++ b/.github/actions/e2e_emergency_ssh/action.yml
@ -0,0 +1,68 @@
+name: Emergency ssh
+description: "Verify that an emergency ssh connection can be established."
+
+inputs:
+  kubeconfig:
+    description: "The kubeconfig file for the cluster."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Test emergency ssh
+      shell: bash
+      env:
+        KUBECONFIG: ${{ inputs.kubeconfig }}
+      run: |
+        set -euo pipefail
+
+        # Activate emergency ssh access to the cluster
+        pushd ./constellation-terraform
+        echo "emergency_ssh = true" >> terraform.tfvars
+        terraform apply -auto-approve
+        lb="$(terraform output -raw loadbalancer_address)"
+        popd
+
+        # write ssh config
+        cat > ssh_config <<EOF
+        Host $lb
+          ProxyJump none
+
+        Host *
+          StrictHostKeyChecking no
+          UserKnownHostsFile=/dev/null
+          IdentityFile ./access-key
+          PreferredAuthentications publickey
+          CertificateFile=constellation_cert.pub
+          User root
+          ProxyJump $lb
+        EOF
+
+        for i in {1..26}; do
+          if [[ "$i" -eq 26 ]]; then
+            echo "Port 22 never became reachable"
+            exit 1
+          fi
+          echo "Waiting until port 22 is reachable: $i/25"
+          if nc -z -w 25 "$lb" 22; then
+            break
+          fi
+        done
+
+        # generate and try keypair
+        ssh-keygen -t ecdsa -q -N "" -f ./access-key
+        constellation ssh --debug --key ./access-key.pub
+        internalIPs="$(kubectl get nodes -o=jsonpath='{.items[*].status.addresses}' | jq -r '.[] | select(.type == "InternalIP") | .address')"
+        for ip in $internalIPs; do
+          for i in {1..26}; do
+            if [[ "$i" -eq 26 ]]; then
+              echo "Failed to connect to $ip over $lb"
+              exit 1
+            fi
+            echo "Trying connection to $ip over $lb: $i/25"
+            if ssh -F ssh_config -o BatchMode=yes $ip true; then
+              echo "Connected to $ip successfully"
+              break
+            fi
+          done
+        done
--- a/.github/actions/e2e_mini/action.yml
+++ b/.github/actions/e2e_mini/action.yml
@ -25,7 +25,7 @@ runs:
  using: "composite"
  steps:
    - name: Install terraform
-      uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
+      uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
      with:
        terraform_wrapper: false

--- a/.github/actions/e2e_sonobuoy/action.yml
+++ b/.github/actions/e2e_sonobuoy/action.yml
@ -70,7 +70,7 @@ runs:

    - name: Publish test results
      if: (!env.ACT) && contains(inputs.sonobuoyTestSuiteCmd, '--plugin e2e')
-      uses: mikepenz/action-junit-report@db71d41eb79864e25ab0337e395c352e84523afe # v4.3.1
+      uses: mikepenz/action-junit-report@97744eca465b8df9e6e33271cb155003f85327f1 # v5.5.0
      with:
        report_paths: "**/junit_01.xml"
        fail_on_failure: true
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@ -56,7 +56,7 @@ inputs:
    description: "Azure credentials authorized to create an IAM configuration."
    required: true
  test:
-    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade]."
+    description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, sonobuoy conformance, autoscaling, lb, perf-bench, verify, recover, malicious join, nop, upgrade, emergency ssh]."
    required: true
  sonobuoyTestSuiteCmd:
    description: "The sonobuoy test suite to run."
@ -93,6 +93,15 @@ inputs:
  encryptionSecret:
    description: "The secret to use for decrypting the artifact."
    required: true
+  openStackCloudsYaml:
+    description: "The contents of ~/.config/openstack/clouds.yaml"
+    required: false
+  stackitUat:
+    description: "The UAT for STACKIT"
+    required: false
+  stackitProjectID:
+    description: "The STACKIT project ID to deploy Constellation in."
+    required: false

 outputs:
  kubeconfig:
@ -106,7 +115,7 @@ runs:
  using: "composite"
  steps:
    - name: Check input
-      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade"]'), inputs.test))
+      if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "sonobuoy conformance", "autoscaling", "perf-bench", "verify", "lb", "recover", "malicious join", "s3proxy", "nop", "upgrade", "emergency ssh"]'), inputs.test))
      shell: bash
      run: |
        echo "::error::Invalid input for test field: ${{ inputs.test }}"
@ -140,6 +149,8 @@ runs:

    - name: Setup bazel
      uses: ./.github/actions/setup_bazel_nix
+      with:
+        nixTools: terraform

    - name: Log in to the Container registry
      uses: ./.github/actions/container_registry_login
@ -216,7 +227,7 @@ runs:

    - name: Login to AWS (IAM role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
        aws-region: eu-central-1
@ -229,12 +240,30 @@ runs:
      with:
        azure_credentials: ${{ inputs.azureIAMCreateCredentials }}

+    - name: Login to OpenStack
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_openstack
+      with:
+        clouds_yaml: ${{inputs.openStackCloudsYaml }}
+
+    - name: Login to STACKIT
+      if: inputs.cloudProvider == 'stackit'
+      uses: ./.github/actions/login_stackit
+      with:
+        serviceAccountToken: ${{ inputs.stackitUat }}
+
    - name: Create prefix
      id: create-prefix
      shell: bash
      run: |
        uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
        uuid=${uuid%%-*}
+
+        # GCP has a 6 character limit the additional uuid prefix since the full prefix length has a maximum of 24
+        if [[ ${{ inputs.cloudProvider }} == 'gcp' ]]; then
+          uuid=${uuid:0:6}
+        fi
+
        echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
        echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT

@ -244,7 +273,7 @@ runs:
      with:
        attestationVariant: ${{ inputs.attestationVariant }}

-    - name: Create IAM configuration
+    - name: Create Constellation config and IAM
      id: constellation-iam-create
      uses: ./.github/actions/constellation_iam_create
      with:
@ -256,6 +285,8 @@ runs:
        azureRegion: ${{ inputs.regionZone || steps.pick-az-region.outputs.region  }}
        gcpProjectID: ${{ inputs.gcpProject }}
        gcpZone: ${{ inputs.regionZone || 'europe-west3-b' }}
+        stackitZone: ${{ inputs.regionZone || 'eu01-2' }}
+        stackitProjectID: ${{ inputs.stackitProjectID }}
        kubernetesVersion: ${{ inputs.kubernetesVersion }}
        additionalTags: "workflow=${{ github.run_id }}"

@ -267,7 +298,7 @@ runs:

    - name: Login to AWS (Cluster role)
      if: inputs.cloudProvider == 'aws'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
        aws-region: eu-central-1
@ -421,3 +452,9 @@ runs:
        s3AccessKey: ${{ inputs.s3AccessKey }}
        s3SecretKey: ${{ inputs.s3SecretKey }}
        githubToken: ${{ inputs.githubToken }}
+    
+    - name: Run emergency ssh test
+      if: inputs.test == 'emergency ssh'
+      uses: ./.github/actions/e2e_emergency_ssh
+      with:
+        kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
--- a/.github/actions/e2e_verify/action.yml
+++ b/.github/actions/e2e_verify/action.yml
@ -82,7 +82,7 @@ runs:

    - name: Login to AWS
      if: github.ref_name == 'main'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
        aws-region: eu-central-1
--- a/.github/actions/find_latest_image/action.yml
+++ b/.github/actions/find_latest_image/action.yml
@ -26,19 +26,19 @@ runs:
  steps:
    - name: Checkout head
      if: inputs.imageVersion == '' && inputs.git-ref == 'head'
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

    - name: Checkout ref
      if: inputs.imageVersion == '' && inputs.git-ref != 'head'
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ inputs.git-ref }}

    - name: Login to AWS
      if: inputs.imageVersion == ''
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/login_azure/action.yml
+++ b/.github/actions/login_azure/action.yml
@ -10,6 +10,6 @@ runs:
    # As described at:
    # https://github.com/Azure/login#configure-deployment-credentials
    - name: Login to Azure
-      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+      uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
      with:
        creds: ${{ inputs.azure_credentials }}
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@ -20,11 +20,11 @@ runs:
        echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"

    - name: Authorize GCP access
-      uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
      with:
-        workload_identity_provider: projects/796962942582/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
+        workload_identity_provider: projects/1052692473304/locations/global/workloadIdentityPools/constellation-ci-pool/providers/constellation-ci-provider
        service_account: ${{ inputs.service_account }}

    # Even if preinstalled in Github Actions runner image, this setup does some magic authentication required for gsutil.
    - name: Set up Cloud SDK
-      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
--- a/.github/actions/login_stackit/action.yml
+++ b/.github/actions/login_stackit/action.yml
@ -0,0 +1,16 @@
+name: STACKIT login
+description: "Login to STACKIT"
+inputs:
+  serviceAccountToken:
+    description: "Credentials authorized to create Constellation on STACKIT."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Login to STACKIT
+      env:
+        UAT: ${{ inputs.serviceAccountToken }}
+      shell: bash
+      run: |
+          mkdir -p ~/.stackit
+          echo "${UAT}" > ~/.stackit/credentials.json
--- a/.github/actions/notify_stackit/action.yml
+++ b/.github/actions/notify_stackit/action.yml
@ -0,0 +1,19 @@
+name: Notify STACKIT
+description: "Notify STACKIT about test failure"
+inputs:
+  slackToken:
+    description: "Slack access token."
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Notify STACKIT
+      env:
+        SLACK_TOKEN: ${{ inputs.slackToken }}
+      shell: bash
+      run: |
+          curl -X POST \
+            -H "Authorization: Bearer $SLACK_TOKEN" \
+            -H "Content-type: application/json; charset=utf-8" \
+            -d "{\"channel\":\"C0827BT59SM\",\"text\":\"E2E test failed: $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\"}" \
+            https://slack.com/api/chat.postMessage
--- a/.github/actions/publish_helmchart/action.yml
+++ b/.github/actions/publish_helmchart/action.yml
@ -13,7 +13,7 @@ runs:
  using: "composite"
  steps:
    - name: Checkout
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        repository: edgelesssys/helm
        ref: main
@ -29,7 +29,7 @@ runs:
        echo version=$(yq eval ".version" ${{ inputs.chartPath }}/Chart.yaml) | tee -a $GITHUB_OUTPUT

    - name: Create pull request
-      uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
      with:
        path: helm
        branch: "release/s3proxy/${{ steps.update-chart-version.outputs.version }}"
--- a/.github/actions/select_image/action.yml
+++ b/.github/actions/select_image/action.yml
@ -18,7 +18,7 @@ runs:
  using: "composite"
  steps:
    - name: Login to AWS
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
      with:
        role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
        aws-region: eu-central-1
--- a/.github/actions/setup_bazel_nix/action.yml
+++ b/.github/actions/setup_bazel_nix/action.yml
@ -75,6 +75,7 @@ runs:
            echo "$RUNNER_ARCH not supported"
            exit 1
        fi
+        echo "nixVersion=$(cat "${{ github.workspace }}/.nixversion")" | tee -a "$GITHUB_OUTPUT"
        echo "::endgroup::"

    - name: Install current Bash on macOS
@ -114,6 +115,8 @@ runs:
    - name: Install nix
      if: steps.check_inputs.outputs.nixPreinstalled == 'false'
      uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+      with:
+        install_url: "https://releases.nixos.org/nix/nix-${{ steps.check_inputs.outputs.nixVersion }}/install"

    - name: Set $USER if not set
      shell: bash
@ -218,7 +221,7 @@ runs:
        { tools, repository, rev }:
        let
          repoFlake = builtins.getFlake ("github:" + repository + "/" + rev);
-          nixpkgs = repoFlake.inputs.nixpkgsUnstable;
+          nixpkgs = repoFlake.inputs.nixpkgs;
          pkgs = import nixpkgs { system = builtins.currentSystem; };
          toolPkgs = map (p: pkgs.${p}) tools;
        in
--- a/.github/actions/terraform_apply/action.yml
+++ b/.github/actions/terraform_apply/action.yml
@ -29,6 +29,9 @@ runs:
          "gcpSEVSNP")
            attestationVariant="gcp-sev-snp"
            ;;
+          "qemuVTPM")
+            attestationVariant="qemu-vtpm"
+            ;;
          *)
            echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
            exit 1
@ -44,7 +47,7 @@ runs:
            }
            random = {
              source  = "hashicorp/random"
-              version = "3.6.2"
+              version = "3.7.1"
            }
          }
        }
@ -106,6 +109,16 @@ runs:
            project_id          = "$(yq '.infrastructure.gcp.projectID' constellation-state.yaml)"
            service_account_key = sensitive("$(cat $(yq '.provider.gcp.serviceAccountKeyPath' constellation-conf.yaml) | base64 -w0)")
          }
+          openstack = {
+            cloud                      = "stackit"
+            clouds_yaml_path           = "~/.config/openstack/clouds.yaml"
+            floating_ip_pool_id        = "970ace5c-458f-484a-a660-0903bcfd91ad"
+            deploy_yawol_load_balancer = true
+            yawol_image_id             = "bcd6c13e-75d1-4c3f-bf0f-8f83580cc1be"
+            yawol_flavor_id            = "3b11b27e-6c73-470d-b595-1d85b95a8cdf"
+            network_id                 = "$(yq '.infrastructure.networkID' constellation-state.yaml)"
+            subnet_id                  = "$(yq '.infrastructure.subnetID' constellation-state.yaml)"
+          }
          network_config = {
            ip_cidr_node    = "$(yq '.infrastructure.ipCidrNode' constellation-state.yaml)"
            ip_cidr_service = "$(yq '.serviceCIDR' constellation-conf.yaml)"
--- a/.github/actions/upload_terraform_module/action.yml
+++ b/.github/actions/upload_terraform_module/action.yml
@ -15,7 +15,7 @@ runs:
        zip -r terraform-module.zip terraform-module

    - name: Upload artifact
-      uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: terraform-module
        path: terraform-module.zip
--- a/.github/workflows/assign_reviewer.yml
+++ b/.github/workflows/assign_reviewer.yml
@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'dependencies') && toJson(github.event.pull_request.requested_reviewers) == '[]' &&  github.event.pull_request.user.login == 'renovate[bot]'
    steps:
-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Pick assignee
      id: pick-assignee
      uses: ./.github/actions/pick_assignee
--- a/.github/workflows/aws-snp-launchmeasurement.yml
+++ b/.github/workflows/aws-snp-launchmeasurement.yml
@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
    - name: Checkout repository
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        ref: ${{ github.head_ref }}
        path: constellation
@ -21,7 +21,7 @@ jobs:

    - name: Download Firmware release
      id: download-firmware
-      uses: robinraju/release-downloader@a96f54c1b5f5e09e47d9504526e96febd949d4c2 # v1.11
+      uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
      with:
        repository: aws/uefi
        latest: true
@ -44,7 +44,7 @@ jobs:
        echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
        popd || exit 1

-    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        repository: virtee/sev-snp-measure-go.git
        ref: e42b6f8991ed5a671d5d1e02a6b61f6373f9f8d8
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@ -22,7 +22,7 @@ jobs:
    runs-on: [arc-runner-set]
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-ccm-gcp.yml
+++ b/.github/workflows/build-ccm-gcp.yml
@ -19,24 +19,24 @@ jobs:
      latest: ${{ steps.find-latest.outputs.latest }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
          fetch-depth: 0

      - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
-          go-version: "1.23.2"
+          go-version: "1.24.1"
          cache: false

      - name: Install Crane
        run: |
-          go install github.com/google/go-containerregistry/cmd/crane@latest
+          go install github.com/google/go-containerregistry/cmd/crane@c195f151efe3369874c72662cd69ad43ee485128 # v0.20.2

      - name: Find versions
        id: find-versions
@ -65,10 +65,10 @@ jobs:
        version: ${{ fromJson(needs.find-ccm-versions.outputs.versions) }}
    steps:
      - name: Checkout Constellation
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Checkout kubernetes/cloud-provider-gcp
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: "kubernetes/cloud-provider-gcp"
          path: "cloud-provider-gcp"
@ -76,7 +76,7 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: |
            ghcr.io/edgelesssys/cloud-provider-gcp
@ -113,7 +113,7 @@ jobs:

      - name: Build and push container image
        id: build
-        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: ./cloud-provider-gcp
          push: ${{ github.ref_name == 'main' }}
--- a/.github/workflows/build-gcp-guest-agent.yml
+++ b/.github/workflows/build-gcp-guest-agent.yml
@ -69,7 +69,7 @@ jobs:

      - name: Checkout GoogleCloudPlatform/guest-agent
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: "GoogleCloudPlatform/guest-agent"
          ref: refs/tags/${{ steps.latest-release.outputs.latest }}
@ -77,7 +77,7 @@ jobs:

      - name: Checkout Constellation
        if: steps.needs-build.outputs.out == 'true'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: "constellation"
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -85,7 +85,7 @@ jobs:
      - name: Docker meta
        id: meta
        if: steps.needs-build.outputs.out == 'true'
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
        with:
          images: |
            ${{ env.REGISTRY }}/edgelesssys/gcp-guest-agent
@ -114,7 +114,7 @@ jobs:
      - name: Build and push container image
        if: steps.needs-build.outputs.out == 'true'
        id: build
-        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6.5.0
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
        with:
          context: ./guest-agent
          file: ./constellation/3rdparty/gcp-guest-agent/Dockerfile
--- a/.github/workflows/build-libvirt-container.yml
+++ b/.github/workflows/build-libvirt-container.yml
@ -19,7 +19,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
--- a/.github/workflows/build-logcollector-images.yml
+++ b/.github/workflows/build-logcollector-images.yml
@ -20,7 +20,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/build-os-image-scheduled.yml
+++ b/.github/workflows/build-os-image-scheduled.yml
@ -59,15 +59,15 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.head_ref }}
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}

      - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
-          go-version: "1.23.2"
+          go-version: "1.24.1"
          cache: false

      - name: Determine version
@ -97,7 +97,7 @@ jobs:
        run: rm -f internal/attestation/measurements/measurement-generator/generate

      - name: Create pull request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          branch: "image/automated/update-measurements-${{ github.run_number }}"
          base: main
@ -120,7 +120,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.head_ref }}

--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@ -59,7 +59,7 @@ jobs:
      cliApiBasePath: ${{ steps.image-version.outputs.cliApiBasePath }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -138,7 +138,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -147,7 +147,7 @@ jobs:
          useCache: "false"

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
@ -167,6 +167,12 @@ jobs:
        with:
          clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

+      - name: Allow unrestricted user namespaces
+        shell: bash
+        run: |
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+          
      - name: Build and upload
        id: build
        shell: bash
--- a/.github/workflows/check-links.yml
+++ b/.github/workflows/check-links.yml
@ -20,12 +20,12 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Link Checker
-        uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
+        uses: lycheeverse/lychee-action@f613c4a64e50d792e0b31ec34bbcbba12263c6a6 # v2.3.0
        with:
          args: "--config ./.lychee.toml './**/*.md' './**/*.html'"
          fail: true
--- a/.github/workflows/check-measurements-reproducibility.yml
+++ b/.github/workflows/check-measurements-reproducibility.yml
@ -0,0 +1,25 @@
+name: Check measurements reproducibility
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        type: string
+        description: The version of the measurements that are downloaded from the CDN.
+        required: true
+      ref:
+        type: string
+        description: The git ref to check out. You probably want this to be the tag of the release you are testing.
+        required: true
+
+jobs:
+  check-reproducibility:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ github.event.inputs.version }}
+          ref: ${{ github.event.inputs.ref }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -34,17 +34,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup Go environment
        if: matrix.language == 'go'
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
-          go-version: "1.23.2"
+          go-version: "1.24.1"
          cache: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/init@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
        with:
          languages: ${{ matrix.language }}

@ -63,6 +63,6 @@ jobs:
          echo "::endgroup::"

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/analyze@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
        with:
          category: "/language:${{ matrix.language }}"
--- a/.github/workflows/docs-vale.yml
+++ b/.github/workflows/docs-vale.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
      # Work around https://github.com/errata-ai/vale-action/issues/128.
@ -25,7 +25,8 @@ jobs:
          python3 -m venv "$venv"
          echo "$venv/bin" >> "$GITHUB_PATH"
      - name: Vale
-        uses: errata-ai/vale-action@91ac403e8d26f5aa1b3feaa86ca63065936a85b6 # tag=reviewdog
+        uses: errata-ai/vale-action@2690bc95f0ed3cb5220492575af09c51b04fbea9 # tag=reviewdog
        with:
          files: docs/docs
          fail_on_error: true
+          version: 3.9.3
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@ -72,7 +72,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -92,8 +92,8 @@ jobs:
          cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload CLI as artifact (unix)
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -101,8 +101,8 @@ jobs:
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig

      - name: Upload CLI as artifact (windows)
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -133,7 +133,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -149,16 +149,16 @@ jobs:
          targetArch: ${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (unix)
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if : ${{ matrix.os != 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os != 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}

      - name: Upload Terraform Provider Binary as artifact (windows)
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        if : ${{ matrix.os == 'windows' }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: ${{ matrix.os == 'windows' }}
        with:
          name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
@ -169,7 +169,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -187,7 +187,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -219,7 +219,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -227,7 +227,7 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: constellation.spdx.sbom

@ -256,12 +256,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Install Cosign
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

      - name: Download Syft & Grype
        uses: ./.github/actions/install_syft_grype
@ -296,13 +296,13 @@ jobs:
          COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload Constellation CLI SBOM
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: constellation.spdx.sbom
          path: constellation.spdx.sbom

      - name: Upload Constellation CLI SBOM's signature
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: constellation.spdx.sbom.sig
          path: constellation.spdx.sbom.sig
@ -316,14 +316,14 @@ jobs:
      - provenance-subjects
    # This must not be pinned to digest. See:
    # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"

  provenance-verify:
    runs-on: ubuntu-24.04
    env:
-      SLSA_VERIFIER_VERSION: "2.5.1"
+      SLSA_VERIFIER_VERSION: "2.7.0"
    needs:
      - build-cli
      - provenance
@ -332,7 +332,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -340,12 +340,12 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: constellation.spdx.sbom

      - name: Download provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

@ -405,7 +405,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -418,17 +418,17 @@ jobs:
        uses: ./.github/actions/download_release_binaries

      - name: Download CLI SBOM
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: constellation.spdx.sbom

      - name: Download Constellation CLI SBOM's signature
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: constellation.spdx.sbom.sig

      - name: Download Constellation provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

@ -472,7 +472,7 @@ jobs:
      - name: Create release with artifacts
        id: create-release
        # GitHub endorsed release project. See: https://github.com/actions/create-release
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          draft: true
          generate_release_notes: true
@ -487,7 +487,7 @@ jobs:
            terraform-module.zip

      - name: Create Terraform provider release with artifcats
-        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
        with:
          draft: true
          generate_release_notes: false
--- a/.github/workflows/e2e-attestationconfigapi.yml
+++ b/.github/workflows/e2e-attestationconfigapi.yml
@ -26,7 +26,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Don't trigger in forks, use head on pull requests, use default otherwise.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || github.event.pull_request.head.sha || '' }}
--- a/.github/workflows/e2e-cleanup-weekly.yml
+++ b/.github/workflows/e2e-cleanup-weekly.yml
@ -4,7 +4,7 @@ on:
  schedule:
    - cron: "0 0 * * 0" # At 00:00 every Sunday UTC
  workflow_dispatch:
-    
+

 jobs:
  cleanup:
@ -14,7 +14,7 @@ jobs:
      id-token: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Cleanup
        uses: ./.github/actions/e2e_cleanup_timeframe
@ -22,3 +22,5 @@ jobs:
          ghToken: ${{ secrets.GITHUB_TOKEN }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
          azure_credentials: ${{ secrets.AZURE_E2E_DESTROY_CREDENTIALS }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@ -29,12 +29,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.event.workflow_run.head_branch || github.head_ref }}

      - name: Azure login OIDC
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@ -21,7 +21,7 @@ jobs:
      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -45,7 +45,7 @@ jobs:
      fail-fast: false
      max-parallel: 5
      matrix:
-        kubernetesVersion: ["1.28"] # should be default
+        kubernetesVersion: ["1.30"] # This should correspond to the current default k8s minor.
        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
        refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
        test: ["sonobuoy quick"]
@ -59,7 +59,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -159,12 +159,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Azure login OIDC
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test-internal-lb.yml
+++ b/.github/workflows/e2e-test-internal-lb.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-12"
+          - "macos-latest"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,7 +41,6 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-marketplace-image.yml
+++ b/.github/workflows/e2e-test-marketplace-image.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-12"
+          - "macos-latest"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,7 +41,6 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.28"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
--- a/.github/workflows/e2e-test-provider-example.yml
+++ b/.github/workflows/e2e-test-provider-example.yml
@ -71,7 +71,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref || github.head_ref }}

@ -154,7 +154,7 @@ jobs:

      - name: Login to AWS (IAM + Cluster role)
        if: steps.determine.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
          aws-region: eu-central-1
@ -337,12 +337,12 @@ jobs:
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
          terraform init
          if [[ "${{ inputs.attestationVariant }}" == "azure-sev-snp" ]]; then
-            terraform apply -target module.azure_iam -auto-approve
-            terraform apply -target module.azure_infrastructure -auto-approve
+            timeout 1h terraform apply -target module.azure_iam -auto-approve
+            timeout 1h terraform apply -target module.azure_infrastructure -auto-approve
            ${{ github.workspace }}/build/constellation maa-patch "$(terraform output -raw maa_url)"
-            terraform apply -target constellation_cluster.azure_example -auto-approve
+            timeout 1h terraform apply -target constellation_cluster.azure_example -auto-approve
          else
-            terraform apply -auto-approve
+            timeout 1h terraform apply -auto-approve
          fi

      - name: Cleanup Terraform Cluster on failure
@ -353,7 +353,7 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve
+          terraform destroy -auto-approve -lock=false

      - name: Add Provider to local Terraform registry # needed if release version was used before
        if: inputs.providerVersion != ''
@ -407,7 +407,7 @@ jobs:
        shell: bash
        run: |
          terraform init --upgrade
-          terraform apply -auto-approve
+          timeout 1h terraform apply -auto-approve

      - name: Assert upgrade successful
        working-directory: ${{ github.workspace }}/cluster
@ -475,11 +475,11 @@ jobs:
        shell: bash
        run: |
          terraform init
-          terraform destroy -auto-approve
+          terraform destroy -auto-approve -lock=false

      - name: Notify about failure
        if: |
-          failure() &&
+          (failure() || cancelled()) &&
          github.ref == 'refs/heads/main' &&
          github.event_name == 'schedule'
        continue-on-error: true
--- a/.github/workflows/e2e-test-release.yml
+++ b/.github/workflows/e2e-test-release.yml
@ -73,53 +73,53 @@ jobs:

          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"

          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"
          - test: "sonobuoy full"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            runner: "ubuntu-24.04"
            clusterCreation: "cli"

@ -306,11 +306,11 @@ jobs:
          # - test: "verify"
          #  attestationVariant: "azure-sev-snp"
          #  kubernetes-version: "v1.30"
-          #  runner: "macos-12"
+          #  runner: "macos-latest"
          - test: "recover"
            attestationVariant: "gcp-sev-es"
            kubernetes-version: "v1.30"
-            runner: "macos-12"
+            runner: "macos-latest"
            clusterCreation: "cli"
    runs-on: ${{ matrix.runner }}
    permissions:
@ -326,7 +326,7 @@ jobs:
        run: brew install coreutils kubectl bash

      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.ref || github.head_ref }}
@ -342,7 +342,7 @@ jobs:

      - name: Set up gcloud CLI (macOS)
        if: steps.split-attestationVariant.outputs.provider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4

      - name: Run E2E test
        id: e2e_test
@ -409,7 +409,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.18.0"]
+        fromVersion: ["v2.22.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
--- a/.github/workflows/e2e-test-stackit.yml
+++ b/.github/workflows/e2e-test-stackit.yml
@ -0,0 +1,153 @@
+name: e2e test STACKIT
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *" # Every day at midnight.
+
+jobs:
+  find-latest-image:
+    name: Find latest image
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      contents: read
+    outputs:
+      image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Select relevant image
+        id: select-image-action
+        uses: ./.github/actions/select_image
+        with:
+          osImage: "ref/release/stream/stable/?"
+
+      - name: Relabel output
+        id: relabel-output
+        shell: bash
+        run: |
+          ref=$(echo 'ref/release/stream/stable/?' | cut -d/ -f2)
+          stream=$(echo 'ref/release/stream/stable/?' | cut -d/ -f4)
+
+          echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
+
+  e2e-stackit:
+    strategy:
+      fail-fast: false
+      max-parallel: 6
+      matrix:
+        kubernetesVersion: [ "1.29", "1.30", "1.31" ]
+        clusterCreation: [ "cli", "terraform" ]
+        test: [ "sonobuoy quick" ]
+    runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+      packages: write
+      actions: write
+    needs: [find-latest-image]
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
+
+      - name: Setup bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          nixTools: terraform
+
+      - name: Run E2E test
+        id: e2e_test
+        uses: ./.github/actions/e2e_test
+        with:
+          workerNodesCount: "1"
+          controlNodesCount: "1"
+          cloudProvider: stackit
+          attestationVariant: qemu-vtpm
+          osImage: ${{ needs.find-latest-image.outputs.image-release-stable }}
+          isDebugImage: false
+          cliVersion: ${{ needs.find-latest-image.outputs.image-release-stable || '' }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
+          awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
+          awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
+          gcpProject: constellation-e2e
+          gcpClusterCreateServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+          gcpIAMCreateServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+          test: ${{ matrix.test }}
+          azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          registry: ghcr.io
+          githubToken: ${{ secrets.GITHUB_TOKEN }}
+          cosignPassword: ${{ secrets.COSIGN_PASSWORD }}
+          cosignPrivateKey: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          fetchMeasurements: false
+          clusterCreation: ${{ matrix.clusterCreation }}
+          s3AccessKey: ${{ secrets.AWS_ACCESS_KEY_ID_S3PROXY }}
+          s3SecretKey: ${{ secrets.AWS_SECRET_ACCESS_KEY_S3PROXY }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}
+
+      - name: Always terminate cluster
+        if: always()
+        uses: ./.github/actions/constellation_destroy
+        with:
+          kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
+          clusterCreation: ${{ matrix.clusterCreation }}
+          cloudProvider: stackit
+          azureClusterDeleteCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
+          gcpClusterDeleteServiceAccount: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Always delete IAM configuration
+        if: always()
+        uses: ./.github/actions/constellation_iam_destroy
+        with:
+          cloudProvider: stackit
+          azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
+          gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
+
+      - name: Update tfstate
+        if: always()
+        env:
+          GH_TOKEN: ${{ github.token }}
+        uses: ./.github/actions/update_tfstate
+        with:
+          name: terraform-state-${{ steps.e2e_test.outputs.namePrefix }}
+          runID: ${{ github.run_id }}
+          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+
+      - name: Notify about failure
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_e2e_failure
+        with:
+          projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
+          refStream: "ref/release/stream/stable/?"
+          test: ${{ matrix.test }}
+          kubernetesVersion: ${{ matrix.kubernetesVersion }}
+          provider: stackit
+          attestationVariant: qemu-vtpm
+          clusterCreation: ${{ matrix.clusterCreation }}
+
+      - name: Notify STACKIT
+        if: |
+          failure() &&
+          github.ref == 'refs/heads/main' &&
+          github.event_name == 'schedule'
+        continue-on-error: true
+        uses: ./.github/actions/notify_stackit
+        with:
+          slackToken: ${{ secrets.SLACK_TOKEN }}
--- a/.github/workflows/e2e-test-terraform-provider.yml
+++ b/.github/workflows/e2e-test-terraform-provider.yml
@ -23,7 +23,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-12"
+          - "macos-latest"
        default: "ubuntu-24.04"
      test:
        description: "The test to run."
@ -41,7 +41,6 @@ on:
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.28"
        required: true
      releaseVersion:
        description: "Version of a released provider to download. Leave empty to build the provider from the checked out ref."
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@ -10,7 +10,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        refStream: ["ref/main/stream/nightly/?","ref/main/stream/debug/?", "ref/release/stream/stable/?"]
+        refStream: ["ref/main/stream/nightly/?", "ref/main/stream/debug/?", "ref/release/stream/stable/?"]
    name: Find latest image
    runs-on: ubuntu-24.04
    permissions:
@ -22,7 +22,7 @@ jobs:
      image-main-nightly: ${{ steps.relabel-output.outputs.image-main-nightly }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -51,6 +51,33 @@ jobs:
          # Tests on main-debug refStream
          #

+          # Emergency SSH test on latest k8s version
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-es"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "azure-tdx"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+          - test: "emergency ssh"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "aws-sev-snp"
+            kubernetes-version: "v1.30"
+            clusterCreation: "cli"
+
          # Sonobuoy full test on latest k8s version
          - test: "sonobuoy full"
            refStream: "ref/main/stream/debug/?"
@ -89,56 +116,55 @@ jobs:
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"

          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"
          - test: "sonobuoy quick"
            refStream: "ref/main/stream/debug/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.28"
+            kubernetes-version: "v1.29"
            clusterCreation: "cli"

-
          # verify test on latest k8s version
          - test: "verify"
            refStream: "ref/main/stream/debug/?"
@ -290,27 +316,27 @@ jobs:
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-es"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "gcp-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "azure-tdx"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"
          - test: "verify"
            refStream: "ref/release/stream/stable/?"
            attestationVariant: "aws-sev-snp"
-            kubernetes-version: "v1.29"
+            kubernetes-version: "v1.30"
            clusterCreation: "cli"

    runs-on: ubuntu-24.04
@ -323,7 +349,7 @@ jobs:
    needs: [find-latest-image]
    steps:
      - name: Check out repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
@ -420,7 +446,7 @@ jobs:
      fail-fast: false
      max-parallel: 1
      matrix:
-        fromVersion: ["v2.18.0"]
+        fromVersion: ["v2.22.0"]
        attestationVariant: ["gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
    name: Run upgrade tests
    secrets: inherit
@ -448,12 +474,12 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Azure login OIDC
-        uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
        with:
          client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
--- a/.github/workflows/e2e-test.yml
+++ b/.github/workflows/e2e-test.yml
@ -16,6 +16,7 @@ on:
          - "azure-sev-snp"
          - "azure-tdx"
          - "aws-sev-snp"
+          - "stackit-qemu-vtpm"
        default: "azure-sev-snp"
        required: true
      runner:
@ -23,7 +24,7 @@ on:
        type: choice
        options:
          - "ubuntu-24.04"
-          - "macos-12"
+          - "macos-latest"
        default: "ubuntu-24.04"
      test:
        description: "The test to run. The conformance test is only supported for clusterCreation=cli."
@ -39,11 +40,12 @@ on:
          - "recover"
          - "malicious join"
          - "s3proxy"
+          - "emergency ssh"
          - "nop"
        required: true
      kubernetesVersion:
        description: "Kubernetes version to create the cluster from."
-        default: "1.29"
+        default: "1.30"
        required: true
      cliVersion:
        description: "Version of a released CLI to download. Leave empty to build the CLI from the checked out ref."
@ -137,6 +139,7 @@ jobs:
      workerNodes: ${{ steps.split-nodeCount.outputs.workerNodes }}
      controlPlaneNodes: ${{ steps.split-nodeCount.outputs.controlPlaneNodes }}
      cloudProvider: ${{ steps.split-attestationVariant.outputs.cloudProvider }}
+      attestationVariant: ${{ steps.split-attestationVariant.outputs.attestationVariant }}
    steps:
      - name: Split nodeCount
        id: split-nodeCount
@ -161,6 +164,12 @@ jobs:
          attestationVariant="${{ inputs.attestationVariant }}"
          cloudProvider="${attestationVariant%%-*}"

+          # special case for STACKIT, as there's no special attestation variant for it
+          if [[ "${cloudProvider}" == "stackit" ]]; then
+            attestationVariant="qemu-vtpm"
+          fi
+
+          echo "attestationVariant=${attestationVariant}" | tee -a "$GITHUB_OUTPUT"
          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"

  find-latest-image:
@ -175,13 +184,13 @@ jobs:
    steps:
      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.git-ref }}

@ -212,19 +221,19 @@ jobs:

      - name: Checkout head
        if: inputs.git-ref == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.git-ref != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.git-ref }}

      - name: Set up gcloud CLI (macOS)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'gcp' && runner.os == 'macOS'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+        uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4

      - name: Run manual E2E test
        id: e2e_test
@ -233,7 +242,7 @@ jobs:
          workerNodesCount: ${{ needs.generate-input-parameters.outputs.workerNodes }}
          controlNodesCount: ${{ needs.generate-input-parameters.outputs.controlPlaneNodes }}
          cloudProvider: ${{ needs.generate-input-parameters.outputs.cloudProvider }}
-          attestationVariant: ${{ inputs.attestationVariant }}
+          attestationVariant: ${{ needs.generate-input-parameters.outputs.attestationVariant }}
          machineType: ${{ inputs.machineType }}
          regionZone: ${{ inputs.regionZone }}
          gcpProject: constellation-e2e
@ -262,6 +271,9 @@ jobs:
          marketplaceImageVersion: ${{ inputs.marketplaceImageVersion }}
          force: ${{ inputs.force }}
          encryptionSecret: ${{ secrets.ARTIFACT_ENCRYPT_PASSWD }}
+          openStackCloudsYaml: ${{ secrets.STACKIT_CI_CLOUDS_YAML }}
+          stackitUat: ${{ secrets.STACKIT_CI_UAT }}
+          stackitProjectID: ${{ secrets.STACKIT_CI_PROJECT_ID }}

      - name: Always terminate cluster
        if: always()
--- a/.github/workflows/e2e-upgrade.yml
+++ b/.github/workflows/e2e-upgrade.yml
@ -132,57 +132,6 @@ jobs:

          echo "cloudProvider=${cloudProvider}" | tee -a "$GITHUB_OUTPUT"

-  build-target-cli:
-    name: Build upgrade target version CLI
-    runs-on: ubuntu-24.04
-    permissions:
-      id-token: write
-      checks: write
-      contents: read
-      packages: write
-    steps:
-      - name: Checkout
-        if: inputs.gitRef == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0
-          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
-
-      - name: Checkout ref
-        if: inputs.gitRef != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          fetch-depth: 0
-          ref: ${{ inputs.gitRef }}
-
-      - name: Setup Bazel & Nix
-        uses: ./.github/actions/setup_bazel_nix
-
-      - name: Log in to the Container registry
-        uses: ./.github/actions/container_registry_login
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Simulate patch upgrade
-        if: inputs.simulatedTargetVersion != ''
-        run: |
-          echo ${{ inputs.simulatedTargetVersion }} > version.txt
-
-      - name: Build CLI
-        uses: ./.github/actions/build_cli
-        with:
-          enterpriseCLI: true
-          outputPath: "build/constellation"
-          push: true
-
-      - name: Upload CLI binary
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
-        with:
-          name: constellation-upgrade-${{ inputs.attestationVariant }}
-          path: build/constellation
-
  create-cluster:
    name: Create upgrade origin version cluster
    runs-on: ubuntu-24.04
@ -198,14 +147,14 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -279,19 +228,18 @@ jobs:
      packages: write
    needs:
      - generate-input-parameters
-      - build-target-cli
      - create-cluster
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}
@ -299,8 +247,34 @@ jobs:
      - name: Setup Bazel & Nix
        uses: ./.github/actions/setup_bazel_nix

+      - name: Log in to the Container registry
+        uses: ./.github/actions/container_registry_login
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # applying the version manipulation here so that the upgrade test tool is also on the simulated target version
+      - name: Simulate patch upgrade
+        if: inputs.simulatedTargetVersion != ''
+        run: |
+          echo ${{ inputs.simulatedTargetVersion }} > version.txt
+
+      - name: Build CLI
+        uses: ./.github/actions/build_cli
+        with:
+          enterpriseCLI: true
+          outputPath: "build/constellation"
+          push: true
+
+      - name: Upload CLI binary # is needed for the cleanup step
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: constellation-upgrade-${{ inputs.attestationVariant }}
+          path: build/constellation
+
      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
@ -322,7 +296,7 @@ jobs:

      - name: Login to AWS (IAM role)
        if: needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
          aws-region: eu-central-1
@ -335,11 +309,6 @@ jobs:
        with:
          azure_credentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}

-      - name: Download CLI
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: constellation-upgrade-${{ inputs.attestationVariant }}
-          path: build

      - name: Download Working Directory (Pre-test)
        uses: ./.github/actions/artifact_download
@ -378,7 +347,7 @@ jobs:

      - name: Login to AWS (Cluster role)
        if: always() && needs.generate-input-parameters.outputs.cloudProvider == 'aws'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
          aws-region: eu-central-1
@ -404,15 +373,9 @@ jobs:
          echo "K8s target: $KUBERNETES"
          echo "Microservice target: $MICROSERVICES"

-          if [[ -n ${MICROSERVICES} ]]; then
-            MICROSERVICES_FLAG="--target-microservices=$MICROSERVICES"
-          fi
-          if [[ -n ${KUBERNETES} ]]; then
-            KUBERNETES_FLAG="--target-kubernetes=$KUBERNETES"
-          fi
-
          sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
-          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" "$KUBERNETES_FLAG" "$MICROSERVICES_FLAG"
+          CLI=$(realpath ./build/constellation)
+          bazel run --test_timeout=14400 //e2e/internal/upgrade:upgrade_test -- --want-worker "$WORKERNODES" --want-control "$CONTROLNODES" --target-image "$IMAGE" --target-kubernetes "$KUBERNETES" --target-microservices "$MICROSERVICES" --cli "$CLI"

      - name: Remove Terraform plugin cache
        if: always()
@ -448,20 +411,20 @@ jobs:
    steps:
      - name: Checkout
        if: inputs.gitRef == 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Checkout ref
        if: inputs.gitRef != 'head'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          ref: ${{ inputs.gitRef }}

      - name: Download CLI
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: constellation-upgrade-${{ inputs.attestationVariant }}
          path: build
--- a/.github/workflows/e2e-windows.yml
+++ b/.github/workflows/e2e-windows.yml
@ -21,7 +21,7 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -45,7 +45,7 @@ jobs:
          push: true

      - name: Upload CLI artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          path: build/constellation.exe
          name: "constell-exe"
@ -56,12 +56,12 @@ jobs:
    needs: build-cli
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download CLI artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          name: "constell-exe"

@ -186,7 +186,7 @@ jobs:
      inputs.scheduled
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@ -26,7 +26,7 @@ jobs:
      WORKING_BRANCH: ${{ env.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # fetch all history

@ -49,7 +49,7 @@ jobs:
      latest: ${{ steps.input-passthrough.outputs.latest }}${{ steps.check-last-release.outputs.latest }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Override latest
        if: github.event.inputs.latest == 'true'
@ -123,7 +123,7 @@ jobs:
      contents: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Remove temporary branch
        run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"
@ -137,12 +137,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - uses: ./.github/actions/setup_bazel_nix

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GitHubConstellationImagePipeline
          aws-region: eu-central-1
--- a/.github/workflows/purge-main.yml
+++ b/.github/workflows/purge-main.yml
@ -18,12 +18,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.head_ref }}

      - name: Login to AWS
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -0,0 +1,79 @@
+name: 'Release: on-publish'
+
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Semantic version tag of the release (vX.Y.Z).'
+        required: true
+
+jobs:
+  post-release-actions:
+    runs-on: ubuntu-24.04
+    permissions:
+      issues: write
+    env:
+      FULL_VERSION: ${{ github.event.release.tag_name }}${{ github.event.inputs.tag }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Mark milestone as complete
+        run: |
+          milestones=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones)
+
+          current_milestone=$(echo "${milestones}" | jq -r ".[] | select(.title == \"${FULL_VERSION}\")")
+          echo "current milestone: ${current_milestone}"
+          if [[ -z "${current_milestone}" ]]; then
+            echo "milestone ${FULL_VERSION} does not exist, nothing to do..."
+            exit 0
+          fi
+
+          current_milestone_state=$(echo "${current_milestone}" | jq -r '.state')
+          echo "current milestone state: ${current_milestone_state}"
+          if [[ "${current_milestone_state}" != "open" ]]; then
+            echo "milestone ${FULL_VERSION} is already closed, nothing to do..."
+            exit 0
+          fi
+
+          milestone_number=$(echo "${current_milestone}" | jq -r '.number')
+          echo "milestone number: ${milestone_number}"
+          if [[ -z "${milestone_number}" ]]; then
+            echo "failed parsing milestone number"
+            exit 1
+          fi
+
+          gh api \
+            --method PATCH \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/edgelesssys/constellation/milestones/${milestone_number}" \
+            -f state=closed
+
+      - name: Create next milestone
+        run: |
+          WITHOUT_V=${FULL_VERSION#v}
+          PART_MAJOR=${WITHOUT_V%%.*}
+          PART_MINOR=${WITHOUT_V#*.}
+          PART_MINOR=${PART_MINOR%%.*}
+          NEXT_MINOR=v${PART_MAJOR}.$((PART_MINOR + 1)).0
+
+          gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones |
+            jq -r '.[].title' | \
+            grep -xqF "${NEXT_MINOR}" && exit 0
+
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/edgelesssys/constellation/milestones \
+            -f title="${NEXT_MINOR}" \
+            -f state='open' \
+            -f "due_on=$(date -d '2 months' +'%Y-%m-%dT00:00:00Z')"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,7 +33,7 @@ jobs:
      RELEASE_BRANCH: ${{ steps.version-info.outputs.RELEASE_BRANCH }}
      WORKING_BRANCH: ${{ steps.version-info.outputs.WORKING_BRANCH }}
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Working branch
        run: echo "WORKING_BRANCH=$(git branch --show-current)" | tee -a "$GITHUB_ENV"
@ -72,10 +72,9 @@ jobs:
            echo "WORKING_BRANCH=${WORKING_BRANCH}"
          } | tee -a "$GITHUB_OUTPUT"

-  docs:
-    name: Create docs release (from main)
+  update-main-branch:
+    name: Update main branch with release changes
    runs-on: ubuntu-24.04
-    if: inputs.kind == 'minor'
    needs: verify-inputs
    permissions:
      contents: write
@ -85,30 +84,55 @@ jobs:
      MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
      BRANCH: docs/${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: main

+      - name: Configure git
+        run: |
+          git config --global user.name "edgelessci"
+          git config --global user.email "edgelessci@users.noreply.github.com"
+
      - name: Create docs release
+        if: inputs.kind == 'minor'
        working-directory: docs
        run: |
-          npm install
+          npm ci
          npm run docusaurus docs:version "${MAJOR_MINOR}"
+          git add .
+          git commit -am "docs: release ${MAJOR_MINOR}"
+          # Clean up auxiliary files, so next steps run on a clean tree
+          git clean -fdx :/
+
+      - name: Update version.txt
+        if: inputs.kind == 'minor'
+        run: |
+          pre_release_version="v${{ needs.verify-inputs.outputs.PART_MAJOR }}.$((${{ needs.verify-inputs.outputs.PART_MINOR }} + 1)).0-pre"
+          echo "${pre_release_version}" > version.txt
+          git add version.txt
+          git commit -m "chore: update version.txt to ${pre_release_version}"
+
+      - name: Update CI for new version
+        run: |
+          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-release.yml
+          sed -i 's/fromVersion: \["[^"]*"\]/fromVersion: ["${{ inputs.version }}"]/g' .github/workflows/e2e-test-weekly.yml

      - name: Create docs pull request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          branch: ${{ env.BRANCH }}
          base: main
-          title: "docs: add release ${{ env.VERSION }}"
+          title: "Post ${{ env.VERSION }} release updates to main"
          body: |
            :robot: *This is an automated PR.* :robot:

            The PR is triggered as part of the automated release process of version ${{ env.VERSION }}.
-            It releases a new version of the documentation.
-          commit-message: "docs: add release ${{ env.VERSION }}"
+          commit-message: "chore: update CI for ${{ env.VERSION }}"
          committer: edgelessci <edgelessci@users.noreply.github.com>
+          author: edgelessci <edgelessci@users.noreply.github.com>
          labels: no changelog
+          assignees: ${{ github.actor }}
+          reviewers: ${{ github.actor }}
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.CI_COMMIT_PUSH_PR || '' }}

@ -123,7 +147,7 @@ jobs:
      WORKING_BRANCH: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -161,7 +185,7 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

@ -215,6 +239,17 @@ jobs:
      stream: "stable"
      ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

+  check-measurements-reproducibility:
+    name: Check measurements reproducibility
+    needs: [verify-inputs, os-image]
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check reproducibility
+        uses: ./.github/actions/check_measurements_reproducibility
+        with:
+          version: ${{ inputs.version }}
+          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
+
  update-hardcoded-measurements:
    name: Update hardcoded measurements (in the CLI)
    needs: [verify-inputs, os-image]
@ -226,14 +261,14 @@ jobs:
      WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}

      - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
-          go-version: "1.23.2"
+          go-version: "1.24.1"
          cache: true

      - name: Build generateMeasurements tool
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@ -1,8 +1,9 @@
 # Verify that Constellation builds are reproducible.
 #
-# The build-* jobs' matrix has two dimensions: a list of targets to build and
-# a list of runners to build on. The produced binaries and OS images are
-# expected to be bit-for-bit identical, regardless of the chosen build runner.
+# The build-* jobs' matrix has three dimensions: a list of targets to build, a
+# list of runners to build on and a method of installing dependencies. The
+# produced binaries and OS images are expected to be bit-for-bit identical,
+# without any dependencies on the runtime setup details.
 #
 # The compare-* jobs only have the target dimension. They obtain the built
 # targets from all runners and check that there are no diffs between them.
@ -12,6 +13,9 @@ on:
  workflow_dispatch:
  schedule:
    - cron: "45 06 * * 1" # Every Monday at 6:45am
+  pull_request:
+    paths:
+      - .github/workflows/reproducible-builds.yml

 jobs:
  build-binaries:
@ -24,19 +28,39 @@ jobs:
            - "cli_enterprise_linux_amd64"
            - "cli_enterprise_linux_arm64"
            - "cli_enterprise_windows_amd64"
-          runner: ["ubuntu-22.04", "ubuntu-20.04"]
+          runner:
+            - "ubuntu-24.04"
+            - "ubuntu-22.04"
+          deps:
+            - conventional
+            - eccentric
    env:
        bazel_target: "//cli:${{ matrix.target }}"
-        binary: "${{ matrix.target }}-${{ matrix.runner }}"
+        binary: "${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
    runs-on: ${{ matrix.runner }}
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

-      - name: Setup bazel
+      - name: Setup dependencies
        uses: ./.github/actions/setup_bazel_nix
+        if: matrix.deps == 'conventional'
+
+      - name: Setup dependencies (eccentric)
+        if: matrix.deps == 'eccentric'
+        run: |
+          bazelVersion=$(cat .bazelversion)
+          mkdir -p "$HOME/.local/bin"
+          curl -fsSL -o "$HOME/.local/bin/bazel" "https://github.com/bazelbuild/bazel/releases/download/$bazelVersion/bazel-$bazelVersion-linux-x86_64"
+          chmod a+x "$HOME/.local/bin/bazel"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+          curl -fsSL -o "$HOME/.local/bin/nix-installer" https://github.com/DeterminateSystems/nix-installer/releases/download/v3.2.1/nix-installer-x86_64-linux # renovate:github-release
+          nixVersion=$(cat .nixversion)
+          chmod a+x "$HOME/.local/bin/nix-installer"
+          "$HOME/.local/bin/nix-installer" install --no-confirm --nix-package-url "https://releases.nixos.org/nix/nix-$nixVersion/nix-$nixVersion-x86_64-linux.tar.xz"

      - name: Build
        shell: bash
@ -57,15 +81,15 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}"
+          name: "binaries-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
+          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}-${{ matrix.deps }}"
          path: "${{ env.binary }}.sha256"

  build-osimages:
@ -77,14 +101,26 @@ jobs:
            - "aws_aws-nitro-tpm_console"
            - "qemu_qemu-vtpm_debug"
            - "gcp_gcp-sev-snp_nightly"
-          runner: ["ubuntu-22.04", "ubuntu-20.04"]
+          runner: ["ubuntu-24.04", "ubuntu-22.04"]
    env:
        bazel_target: "//image/system:${{ matrix.target }}"
        binary: "osimage-${{ matrix.target }}-${{ matrix.runner }}"
    runs-on: ${{ matrix.runner }}
    steps:
+      - name: Remove security hardening features
+        if: matrix.runner == 'ubuntu-24.04'
+        shell: bash
+        run: |
+          # Taken from https://github.com/systemd/mkosi/blob/fcacc94b9f72d9b6b1f03779b0c6e07209ceb54b/action.yaml#L42-L57.
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+          sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+          # This command fails with a non-zero error code even though it unloads the apparmor profiles.
+          # https://gitlab.com/apparmor/apparmor/-/issues/403
+          sudo aa-teardown || true
+          sudo apt-get remove -y apparmor
+
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -110,13 +146,13 @@ jobs:
        run: shasum -a 256 "${binary}" | tee "${binary}.sha256"

      - name: Upload binary artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: "osimages-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}"

      - name: Upload hash artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: "sha256sums-${{ matrix.target }}-${{ matrix.runner }}"
          path: "${{ env.binary }}.sha256"
@ -134,12 +170,12 @@ jobs:
            - "cli_enterprise_windows_amd64"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download binaries
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          pattern: "binaries-${{ matrix.target }}-*"
          merge-multiple: true
@ -168,12 +204,12 @@ jobs:
              - "gcp_gcp-sev-snp_nightly"
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Download os images
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          pattern: "osimages-${{ matrix.target }}-*"
          merge-multiple: true
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -18,25 +18,25 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload artifact
-        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13
        with:
          sarif_file: results.sarif
--- a/.github/workflows/sync-terraform-docs.yml
+++ b/.github/workflows/sync-terraform-docs.yml
@ -18,14 +18,14 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout constellation repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
          path: constellation

      - name: Checkout terraform-provider-constellation repo
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: edgelesssys/terraform-provider-constellation
          ref: main
@ -40,7 +40,7 @@ jobs:

      - name: Create pull request
        id: create-pull-request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          path: terraform-provider-constellation
          branch: "feat/docs/update"
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@ -25,7 +25,7 @@ jobs:
      CTEST_OUTPUT_ON_FAILURE: True
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-operator-codegen.yml
+++ b/.github/workflows/test-operator-codegen.yml
@ -21,14 +21,14 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Setup Go environment
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
-          go-version: "1.23.2"
+          go-version: "1.24.1"
          cache: true

      - name: Run code generation
--- a/.github/workflows/test-tfsec.yml
+++ b/.github/workflows/test-tfsec.yml
@ -23,7 +23,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

--- a/.github/workflows/test-tidy.yml
+++ b/.github/workflows/test-tidy.yml
@ -17,7 +17,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          # No token available for forks, so we can't push changes
@ -37,7 +37,7 @@ jobs:

      - name: Assume AWS role to upload Bazel dependencies to S3
        if: startsWith(github.head_ref, 'renovate/')
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
--- a/.github/workflows/test-unittest.yml
+++ b/.github/workflows/test-unittest.yml
@ -30,7 +30,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          fetch-depth: 0
@ -49,7 +49,7 @@ jobs:
          rm -rf awscliv2.zip aws

      - name: Login to AWS (IAM role)
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubActionGocoverage
          aws-region: eu-central-1
@ -69,7 +69,7 @@ jobs:

      - name: Comment coverage
        if: steps.coverage.outputs.uploadable == 'true' && github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
        with:
          header: coverage
          path: coverage_diff.md
--- a/.github/workflows/update-rpms.yml
+++ b/.github/workflows/update-rpms.yml
@ -13,12 +13,12 @@ jobs:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          token: ${{ secrets.CI_COMMIT_PUSH_PR }}

      - name: Assume AWS role to upload Bazel dependencies to S3
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationMirrorWrite
          aws-region: eu-central-1
@ -39,7 +39,7 @@ jobs:
          fi

      - name: Create pull request
-        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          branch: "image/automated/update-rpms-${{ github.run_number }}"
          base: main
--- a/.github/workflows/versionsapi.yml
+++ b/.github/workflows/versionsapi.yml
@ -115,7 +115,7 @@ jobs:
    steps:
      - name: Check out repository
        id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

@ -149,21 +149,21 @@ jobs:

      - name: Login to AWS without write access
        if: steps.check-rights.outputs.write == 'false'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRead
          aws-region: eu-central-1

      - name: Login to AWS with write access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'false'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIWrite
          aws-region: eu-central-1

      - name: Login to AWS with write and image remove access
        if: steps.check-rights.outputs.write == 'true' && steps.check-rights.outputs.auth == 'true'
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
        with:
          role-to-assume: arn:aws:iam::795746500882:role/GithubConstellationVersionsAPIRemove
          aws-region: eu-central-1
--- a/.golangci.yml
+++ b/.golangci.yml
@ -1,53 +1,65 @@
+version: "2"
 run:
-  timeout: 10m
  build-tags:
    - integration
    - e2e
  modules-download-mode: readonly
-
 output:
  formats:
-    - format: tab
+    tab:
      path: stdout
-  sort-results: true
-
+      colors: false
 linters:
  enable:
-    # Default linters
-    - errcheck
-    - gosimple
-    - govet
-    - ineffassign
-    - staticcheck
-    - typecheck
-    - unused
-    # Additional linters
    - bodyclose
+    - copyloopvar
    - errname
-    - exportloopref
    - godot
-    - gofmt
-    - gofumpt
    - misspell
    - noctx
    - revive
-    - tenv
    - unconvert
    - unparam
+    - usetesting
+  settings:
+    errcheck:
+      exclude-functions:
+        - (*go.uber.org/zap.Logger).Sync
+        - (*google.golang.org/grpc.Server).Serve
+  exclusions:
+    generated: lax
+    presets:
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - 3rdparty/node-maintenance-operator
+    rules:
+    # TODO(burgerdev): these exclusions have been added to ease migration to v2 and should eventually be addressed.
+    - linters: ["staticcheck"]
+      text: "QF1008: could remove embedded field"
+    - linters: ["staticcheck"]
+      text: "QF1001: could apply De Morgan's law"
+    - linters: ["staticcheck"]
+      text: "ST1005: error strings should not be capitalized"
+    - linters: ["revive"]
+      text: "package-comments: package comment should be of the form"
+    - linters: ["revive"]
+      text: "package-comments: should have a package comment"
+    - linters: ["staticcheck"]
+      text: "QF1012: Use fmt.Fprintf"
+    - linters: ["staticcheck"]
+      text: "ST1019"

+      
 issues:
  max-issues-per-linter: 0
  max-same-issues: 20
-  exclude-dirs:
-    - 3rdparty/node-maintenance-operator
-  include:
-    - EXC0012
-    - EXC0014
-
-linters-settings:
-  errcheck:
-    # List of functions to exclude from checking, where each entry is a single function to exclude.
-    # See https://github.com/kisielk/errcheck#excluding-functions for details.
-    exclude-functions:
-      - (*go.uber.org/zap.Logger).Sync
-      - (*google.golang.org/grpc.Server).Serve
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+  exclusions:
+    generated: lax
+    paths:
+      - 3rdparty/node-maintenance-operator
--- a/.nixversion
+++ b/.nixversion
@ -0,0 +1 @@
+2.25.2
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/BUILD.bazel
@ -0,0 +1,13 @@
+load("//bazel/sh:def.bzl", "sh_template")
+
+sh_template(
+    name = "pull_files",
+    data = [
+        "@com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy",
+    ],
+    substitutions = {
+        "@@POLICY_SRC@@": "$(rootpath @com_github_kubernetes_sigs_aws_load_balancer_controller//:lb_policy)",
+    },
+    template = "pull_files.sh",
+    visibility = ["//visibility:public"],
+)
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/pull_files.sh
@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+###### script header ######
+
+lib=$(realpath @@BASE_LIB@@) || exit 1
+stat "${lib}" >> /dev/null || exit 1
+
+# shellcheck source=../../../bazel/sh/lib.bash
+if ! source "${lib}"; then
+  echo "Error: could not find import"
+  exit 1
+fi
+
+controller_policy_source="@@POLICY_SRC@@"
+
+###### script body ######
+
+controller_policy_real_source=$(realpath "${controller_policy_source}")
+
+cd "${BUILD_WORKSPACE_DIRECTORY}" # needs to be done after realpath
+
+targetDir="terraform/infrastructure/iam/aws/alb_policy.json"
+
+cp "${controller_policy_real_source}" "${targetDir}"
--- a/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
+++ b/3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller/source.bzl
@ -0,0 +1,22 @@
+"""A module defining the source of the AWS load balancer controller."""
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+def aws_load_balancer_controller_deps():
+    http_archive(
+        name = "com_github_kubernetes_sigs_aws_load_balancer_controller",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
+            "https://github.com/kubernetes-sigs/aws-load-balancer-controller/archive/refs/tags/v2.12.0.tar.gz",
+        ],
+        strip_prefix = "aws-load-balancer-controller-2.12.0",
+        build_file_content = """
+filegroup(
+    srcs = ["docs/install/iam_policy.json"],
+    name = "lb_policy",
+    visibility = ["//visibility:public"],
+)
+        """,
+        type = "tar.gz",
+        sha256 = "422af7c03ebc73e1be6aea563475ec9ea6396071fa03158b9a3984aa621b8cb1",
+    )
--- a/3rdparty/gcp-guest-agent/Dockerfile
+++ b/3rdparty/gcp-guest-agent/Dockerfile
@ -1,4 +1,4 @@
-FROM ubuntu:22.04@sha256:58b87898e82351c6cf9cf5b9f3c20257bb9e2dcf33af051e12ce532d7f94e3fe as build
+FROM ubuntu:24.04@sha256:72297848456d5d37d1262630108ab308d3e9ec7ed1c3286a32fe09856619a782 as build

 # Install packages
 RUN apt-get update && apt-get install -y \
@ -6,7 +6,7 @@ RUN apt-get update && apt-get install -y \
    git

 # Install Go
-ARG GO_VER=1.22.3
+ARG GO_VER=1.23.6
 RUN wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz && \
    tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz && \
    rm go${GO_VER}.linux-amd64.tar.gz
--- a/MODULE.bazel
+++ b/MODULE.bazel
@ -1,6 +1,6 @@
 module(name = "constellation")

-bazel_dep(name = "aspect_bazel_lib", version = "2.9.2")
+bazel_dep(name = "aspect_bazel_lib", version = "2.14.0")

 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.yq()
@ -8,21 +8,27 @@ use_repo(bazel_lib, "jq_toolchains")
 use_repo(bazel_lib, "yq_toolchains")

 bazel_dep(name = "bazel_skylib", version = "1.7.1")
-bazel_dep(name = "gazelle", version = "0.39.1")
-bazel_dep(name = "hermetic_cc_toolchain", version = "3.1.1")
-bazel_dep(name = "rules_cc", version = "0.0.13")
-bazel_dep(name = "rules_go", version = "0.50.1", repo_name = "io_bazel_rules_go")
-bazel_dep(name = "rules_pkg", version = "0.10.1")
-bazel_dep(name = "rules_proto", version = "6.0.2")
-bazel_dep(name = "rules_python", version = "0.36.0")
+bazel_dep(name = "gazelle", version = "0.42.0")
+bazel_dep(name = "hermetic_cc_toolchain", version = "3.2.0")
+bazel_dep(name = "rules_cc", version = "0.1.1")
+bazel_dep(name = "rules_go", version = "0.53.0", repo_name = "io_bazel_rules_go")
+bazel_dep(name = "rules_pkg", version = "1.1.0")
+bazel_dep(name = "rules_proto", version = "7.1.0")
+bazel_dep(name = "rules_python", version = "1.3.0")

-bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
+bazel_dep(name = "buildifier_prebuilt", version = "8.0.1", dev_dependency = True)

 go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk")
 go_sdk.download(
    name = "go_sdk",
    patches = ["//3rdparty/bazel/org_golang:go_tls_max_handshake_size.patch"],
-    version = "1.23.2",
+    version = "1.23.6",
+)
+
+python = use_extension("@rules_python//python/extensions:python.bzl", "python")
+python.toolchain(
+    ignore_root_user_error = True,
+    python_version = "3.11",
 )

 # the use_repo rule needs to list all top-level go dependencies
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
--- a/WORKSPACE.bzlmod
+++ b/WORKSPACE.bzlmod
@ -234,6 +234,10 @@ load("//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:source.bzl"

 node_maintainance_operator_deps()

+load("//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:source.bzl", "aws_load_balancer_controller_deps")
+
+aws_load_balancer_controller_deps()
+
 # CI deps
 load("//bazel/toolchains:ci_deps.bzl", "ci_deps")

--- a/bazel/bazelrc/ci.bazelrc
+++ b/bazel/bazelrc/ci.bazelrc
@ -62,6 +62,10 @@ build --remote_local_fallback
 # Docs: https://bazel.build/reference/command-line-reference#flag--grpc_keepalive_time
 build --grpc_keepalive_time=30s

+# Use fallbacks in case proxy.golang.org is not reachable.
+# Docs: https://go.dev/ref/mod#goproxy-protocol
+common '--repo_env=GOPROXY=https://proxy.golang.org|https://goproxy.io|direct'
+

 ######################################
 # Edgeless specific                  #
--- a/bazel/ci/BUILD.bazel
+++ b/bazel/ci/BUILD.bazel
@ -1,7 +1,7 @@
 load("@buildifier_prebuilt//:rules.bzl", "buildifier", "buildifier_test")
 load("@com_github_ash2k_bazel_tools//multirun:def.bzl", "multirun")
 load("@gazelle//:def.bzl", "gazelle")
-load("@io_bazel_rules_go//go/private/rules:go_bin_for_host.bzl", "go_bin_for_host")
+load("//bazel/ci:go_bin_for_host.bzl", "go_bin_for_host")
 load("//bazel/ci:proto_targets.bzl", "proto_targets")
 load("//bazel/sh:def.bzl", "noop_warn", "repo_command", "sh_template")

@ -514,16 +514,14 @@ multirun(
 )

 multirun(
-    name = "check",
+    name = "parallel_checks",
    testonly = True,
    commands = [
        ":gazelle_check",
        ":buildifier_check",
-        ":golangci_lint",
        ":terraform_check",
        ":golicenses_check",
        ":license_header_check",
-        ":govulncheck",
        ":deps_mirror_check",
        ":proto_targets_check",
        ":unused_gh_actions",
@ -542,11 +540,25 @@ multirun(
    visibility = ["//visibility:public"],
 )

+multirun(
+    name = "check",
+    testonly = True,
+    commands = [
+        ":parallel_checks",
+        ":golangci_lint",
+        ":govulncheck",
+    ],
+    jobs = 1,  # execute sequentially to avoid running into memory issues on our CI runners
+    stop_on_error = False,
+    visibility = ["//visibility:public"],
+)
+
 multirun(
    name = "generate_files",
    commands = [
        ":terraform_gen",
        "//3rdparty/bazel/com_github_medik8s_node_maintainance_operator:pull_files",
+        "//3rdparty/bazel/com_github_kubernetes_sigs_aws_load_balancer_controller:pull_files",
        ":go_generate",
        ":proto_generate",
    ],
--- a/bazel/ci/go_bin_for_host.bzl
+++ b/bazel/ci/go_bin_for_host.bzl
@ -0,0 +1,29 @@
+"""
+Go toolchain for the host platformS
+Inspired by https://github.com/bazel-contrib/rules_go/blob/6e4fdcfeb1a333b54ab39ae3413d4ded46d8958d/go/private/rules/go_bin_for_host.bzl
+"""
+
+load("@local_config_platform//:constraints.bzl", "HOST_CONSTRAINTS")
+
+GO_TOOLCHAIN = "@io_bazel_rules_go//go:toolchain"
+
+def _ensure_target_cfg(ctx):
+    if "-exec" in ctx.bin_dir.path or "/host/" in ctx.bin_dir.path:
+        fail("exec not found")
+
+def _go_bin_for_host_impl(ctx):
+    _ensure_target_cfg(ctx)
+    sdk = ctx.toolchains[GO_TOOLCHAIN].sdk
+    sdk_files = ctx.runfiles([sdk.go] + sdk.headers.to_list() + sdk.libs.to_list() + sdk.srcs.to_list() + sdk.tools.to_list())
+    return [
+        DefaultInfo(
+            files = depset([sdk.go]),
+            runfiles = sdk_files,
+        ),
+    ]
+
+go_bin_for_host = rule(
+    implementation = _go_bin_for_host_impl,
+    toolchains = [GO_TOOLCHAIN],
+    exec_compatible_with = HOST_CONSTRAINTS,
+)
--- a/bazel/ci/golicenses.sh.in
+++ b/bazel/ci/golicenses.sh.in
@ -63,6 +63,8 @@ license_report() {

        github.com/edgelesssys/constellation/v2/operators/constellation-node-operator/api) ;;

+        github.com/edgelesssys/go-tdx-qpl) ;;
+
        *)
          not_allowed
          ;;
@ -71,8 +73,6 @@ license_report() {

      Unknown)
        case ${pkg} in
-        github.com/edgelesssys/go-tdx-qpl/*) ;;
-
        *)
          not_allowed
          ;;
--- a/bazel/ci/govulncheck.sh.in
+++ b/bazel/ci/govulncheck.sh.in
@ -27,11 +27,16 @@ submodules=$(${go} list -f '{{.Dir}}' -m)
 PATH=$(dirname "${go}"):${PATH}

 check_module() {
+  excluded_osvs=(
+    "GO-2025-3521" # Kubernetes GitRepo Volume Inadvertent Local Repository Access
+    "GO-2025-3547" # Kubernetes kube-apiserver Vulnerable to Race Condition
+  )
+
  # shellcheck disable=SC2016 # The $ sign in the single quoted string is correct.
  CGO_ENABLED=0 ${govulncheck} -C "$1" -format json "./..." |
-    "${jq}" -sr '
+    "${jq}" --argjson excluded "$(printf '"%s"\n' "${excluded_osvs[@]}" | jq -s)" -sr '
        (map(select(.osv) | {"key": .osv.id, "value": .osv.summary}) | from_entries) as $osvs | 
-        map(select( .finding and .finding.osv != "GO-2024-3166" ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
+        map(select( .finding and all($excluded[] != .finding.osv; .) ) | .finding | select( .trace[-1].module | startswith("github.com/edgelesssys/") )) |
        group_by(.osv) | 
        map( {"osv": .[0].osv, "summary": $osvs[.[0].osv], "traces": [.[] | [.trace[] | .module]]} ) |
        if length > 0 then halt_error(1) else .[] end'
--- a/bazel/ci/terraform.sh.in
+++ b/bazel/ci/terraform.sh.in
@ -46,7 +46,6 @@ excludeDirs=(
 excludeLockDirs=(
  "build"
  "terraform-provider-constellation"
-  "terraform/legacy-module"
 )

 excludeCheckDirs=(
@ -143,6 +142,7 @@ check() {
    done
    echo "This may take 5-10 min..."
    for module in "${terraformLockModules[@]}"; do
+      echo "Generating lock file for ${module}"
      ${terraform} -chdir="${module}" init > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_arm64 > /dev/null
      ${terraform} -chdir="${module}" providers lock -platform=linux_amd64 > /dev/null
--- a/bazel/proto/rules.bzl
+++ b/bazel/proto/rules.bzl
@ -5,17 +5,14 @@ based on https://github.com/bazelbuild/rules_go/issues/2111#issuecomment-1355927
 """

 load("@aspect_bazel_lib//lib:write_source_files.bzl", "write_source_files")
-load("@io_bazel_rules_go//go:def.bzl", "GoLibrary", "go_context")
+load("@io_bazel_rules_go//go:def.bzl", "GoInfo")
 load("@io_bazel_rules_go//proto:compiler.bzl", "GoProtoCompiler")

 def _output_go_library_srcs_impl(ctx):
-    go = go_context(ctx)
-
    srcs_of_library = []
    importpath = ""
    for src in ctx.attr.deps:
-        lib = src[GoLibrary]
-        go_src = go.library_to_source(go, ctx.attr, lib, False)
+        lib = src[GoInfo]
        if importpath and lib.importpath != importpath:
            fail(
                "importpath of all deps must match, got {} and {}",
@ -23,7 +20,7 @@ def _output_go_library_srcs_impl(ctx):
                lib.importpath,
            )
        importpath = lib.importpath
-        srcs_of_library.extend(go_src.srcs)
+        srcs_of_library.extend(lib.srcs)

    if len(srcs_of_library) != 1:
        fail("expected exactly one src for library, got {}", len(srcs_of_library))
@ -54,7 +51,7 @@ output_go_library_srcs = rule(
            default = "@io_bazel_rules_go//proto:go_proto",
        ),
        "deps": attr.label_list(
-            providers = [GoLibrary],
+            providers = [GoInfo],
            aspects = [],
        ),
        "out": attr.output(
--- a/bazel/release/artifacts/BUILD.bazel
+++ b/bazel/release/artifacts/BUILD.bazel
@ -70,5 +70,5 @@ go_test(
    env = platform_container_sums_paths | platform_clis_paths,
    # keep
    x_defs = {"runsUnder": "bazel"},
-    deps = ["@io_bazel_rules_go//go/runfiles:go_default_library"],
+    deps = ["@io_bazel_rules_go//go/runfiles"],
 )
--- a/bazel/toolchains/ci_deps.bzl
+++ b/bazel/toolchains/ci_deps.bzl
@ -97,41 +97,41 @@ def _actionlint_deps():
        name = "com_github_rhysd_actionlint_linux_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "37252b4d440b56374b0fc1726e05fd7452d30d6d774f6e9b52e65bb64475f9db",
+        sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_linux_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_linux_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "5fd82142c39208bfdc51b929ff9bd84c38bcc10b4362ef2261a5d70d38e68e05",
+        sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_amd64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "33e960b719c87ecc0c807cf4945fd4078980cd2e626b27ded0e9551c757fa8f6",
+        sha256 = "28e5de5a05fc558474f638323d736d822fff183d2d492f0aecb2b73cc44584f5",
    )
    http_archive(
        name = "com_github_rhysd_actionlint_darwin_arm64",
        build_file_content = """exports_files(["actionlint"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
-            "https://github.com/rhysd/actionlint/releases/download/v1.7.3/actionlint_1.7.3_darwin_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
+            "https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "b4e8dab8dda48eceff6afea67d0fe4a14b8d4ea7191cf233c1e1af8a62f37c24",
+        sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
    )

 def _gofumpt_deps():
@ -181,41 +181,41 @@ def _tfsec_deps():
        name = "com_github_aquasecurity_tfsec_linux_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "9d783fa225a570f034000136973afba86a1708c919a539b72b3ea954a198289c",
+        sha256 = "f643c390e6eabdf4bd64e807ff63abfe977d4f027c0b535eefe7a5c9f391fc28",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_linux_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_linux_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_linux_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "68b5c4f6b7c459dd890ecff94b0732e456ef45974894f58bbb90fbb4816f3e52",
+        sha256 = "4aed1b122f817b684cc48da9cdc4b98b891808969441914570c089883c85ac50",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_amd64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_amd64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "d377597f2fd4e6956bb7beb711d627b0e0204c421c17e2cd062213222c2f3001",
+        sha256 = "966c7656f797c120dceb56a208a50dbf6a363c30876662a28e1c65505afca10d",
    )
    http_archive(
        name = "com_github_aquasecurity_tfsec_darwin_arm64",
        build_file_content = """exports_files(["tfsec"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
-            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.11/tfsec_1.28.11_darwin_arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
+            "https://github.com/aquasecurity/tfsec/releases/download/v1.28.13/tfsec_1.28.13_darwin_arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "14db6b40049226ebc779789196f99eb4977bb93c99fa51c8b72b603e6cdf44e7",
+        sha256 = "a381580c81d3413bb3fe07aa91ab89e51c1bbbd33c848194a2b43e9be3729c16",
    )

 def _golangci_lint_deps():
@ -223,45 +223,45 @@ def _golangci_lint_deps():
        name = "com_github_golangci_golangci_lint_linux_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-1.61.0-linux-amd64",
+        strip_prefix = "golangci-lint-2.0.2-linux-amd64",
        type = "tar.gz",
-        sha256 = "77cb0af99379d9a21d5dc8c38364d060e864a01bd2f3e30b5e8cc550c3a54111",
+        sha256 = "89cc8a7810dc63b9a37900da03e37c3601caf46d42265d774e0f1a5d883d53e2",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_linux_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-linux-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-linux-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-1.61.0-linux-arm64",
+        strip_prefix = "golangci-lint-2.0.2-linux-arm64",
        type = "tar.gz",
-        sha256 = "af60ac05566d9351615cb31b4cc070185c25bf8cbd9b09c1873aa5ec6f3cc17e",
+        sha256 = "789d5b91219ac68c2336f77d41cd7e33a910420594780f455893f8453d09595b",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_amd64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-amd64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-amd64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-1.61.0-darwin-amd64",
+        strip_prefix = "golangci-lint-2.0.2-darwin-amd64",
        type = "tar.gz",
-        sha256 = "5c280ef3284f80c54fd90d73dc39ca276953949da1db03eb9dd0fbf868cc6e55",
+        sha256 = "a88cbdc86b483fe44e90bf2dcc3fec2af8c754116e6edf0aa6592cac5baa7a0e",
    )
    http_archive(
        name = "com_github_golangci_golangci_lint_darwin_arm64",
        build_file = "//bazel/toolchains:BUILD.golangci.bazel",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
-            "https://github.com/golangci/golangci-lint/releases/download/v1.61.0/golangci-lint-1.61.0-darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
+            "https://github.com/golangci/golangci-lint/releases/download/v2.0.2/golangci-lint-2.0.2-darwin-arm64.tar.gz",
        ],
-        strip_prefix = "golangci-lint-1.61.0-darwin-arm64",
+        strip_prefix = "golangci-lint-2.0.2-darwin-arm64",
        type = "tar.gz",
-        sha256 = "544334890701e4e04a6e574bc010bea8945205c08c44cced73745a6378012d36",
+        sha256 = "664550e7954f5f4451aae99b4f7382c1a47039c66f39ca605f5d9af1a0d32b49",
    )

 def _buf_deps():
@ -270,44 +270,44 @@ def _buf_deps():
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
-            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "deebd48a6bf85b073d7c7800c17b330376487e86852d4905c76a205b6fd795d4",
+        sha256 = "3cf4aa139b289e09f76f3b506d0f48b5d27bd4a58b510af6b976e6a0fb4a0953",
    )
    http_archive(
        name = "com_github_bufbuild_buf_linux_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
-            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Linux-aarch64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Linux-aarch64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "2d3ebfed036881d0615e5b24288cf788791b45848f26e915e3efe7ee9c10735d",
+        sha256 = "853f91722ab06e8e7d140b9693f6f6eafd4812636f193ab5dbae99ee1612f1b6",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_amd64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
-            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-x86_64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-x86_64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "7fef3c482ac440cc09c40864498ef1f44745fde82428ddf52edd2012d3a036a4",
+        sha256 = "ed5873b81f80d2aa95f4534b51c3a9e0d382d807902706b4aee7a61be5516461",
    )
    http_archive(
        name = "com_github_bufbuild_buf_darwin_arm64",
        strip_prefix = "buf/bin",
        build_file_content = """exports_files(["buf"], visibility = ["//visibility:public"])""",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
-            "https://github.com/bufbuild/buf/releases/download/v1.45.0/buf-Darwin-arm64.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
+            "https://github.com/bufbuild/buf/releases/download/v1.51.0/buf-Darwin-arm64.tar.gz",
        ],
        type = "tar.gz",
-        sha256 = "e5309c70c7bb4a06d799ab7c7601c0d647c704085593d5cd981db29f986e469b",
+        sha256 = "fc34097ddc95533b0d8065bdf9cf368c63f040ea9d96ffda4ab2805122fddbce",
    )

 def _talos_docgen_deps():
--- a/bazel/toolchains/container_images.bzl
+++ b/bazel/toolchains/container_images.bzl
@ -7,7 +7,7 @@ load("@rules_oci//oci:pull.bzl", "oci_pull")
 def containter_image_deps():
    oci_pull(
        name = "distroless_static",
-        digest = "sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea",
+        digest = "sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9",
        image = "gcr.io/distroless/static",
        platforms = [
            "linux/amd64",
@ -16,6 +16,6 @@ def containter_image_deps():
    )
    oci_pull(
        name = "libvirtd_base",
-        digest = "sha256:99dbf3cf69b3f97cb0158bde152c9bc7c2a96458cf462527ee80b75754f572a7",
+        digest = "sha256:48ba2401ea66490ca1997b9d3e72b4bef7557ffbcdb1c95651fb3308f32fda58",
        image = "ghcr.io/edgelesssys/constellation/libvirtd-base",
    )
--- a/bazel/toolchains/nixpkgs_deps.bzl
+++ b/bazel/toolchains/nixpkgs_deps.bzl
@ -5,11 +5,11 @@ load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 def nixpkgs_deps():
    http_archive(
        name = "io_tweag_rules_nixpkgs",
-        sha256 = "f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
-        strip_prefix = "rules_nixpkgs-705ee3b26cf49e990cddbbe6f60510fa46d50904",
+        sha256 = "30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
+        strip_prefix = "rules_nixpkgs-0.13.0",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/f2c927815c18c088f02ff81caf9903f9c0b2596ac6e6bd40534bc299af9dc0d7",
-            "https://github.com/tweag/rules_nixpkgs/archive/705ee3b26cf49e990cddbbe6f60510fa46d50904.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/30271f7bd380e4e20e4d7132c324946c4fdbc31ebe0bbb6638a0f61a37e74397",
+            "https://github.com/tweag/rules_nixpkgs/releases/download/v0.13.0/rules_nixpkgs-0.13.0.tar.gz",
        ],
        type = "tar.gz",
    )
--- a/bazel/toolchains/oci_deps.bzl
+++ b/bazel/toolchains/oci_deps.bzl
@ -7,14 +7,13 @@ def oci_deps():
    # Remove this override once https://github.com/bazel-contrib/rules_oci/issues/420 is fixed.
    http_archive(
        name = "rules_oci",
-        strip_prefix = "rules_oci-2.0.1",
+        strip_prefix = "rules_oci-2.2.5",
        type = "tar.gz",
        urls = [
-            "https://cdn.confidential.cloud/constellation/cas/sha256/acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
-            "https://cdn.confidential.cloud/constellation/cas/sha256/f70f07f9d0d6c275d7ec7d3c7f236d9b552ba3205e8f37df9c1125031cf967cc",
-            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.0.1/rules_oci-v2.0.1.tar.gz",
+            "https://cdn.confidential.cloud/constellation/cas/sha256/361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
+            "https://github.com/bazel-contrib/rules_oci/releases/download/v2.2.5/rules_oci-v2.2.5.tar.gz",
        ],
-        sha256 = "acbf8f40e062f707f8754e914dcb0013803c6e5e3679d3e05b571a9f5c7e0b43",
+        sha256 = "361c417e8c95cd7c3d8b5cf4b202e76bac8d41532131534ff8e6fa43aa161142",
        patches = ["//bazel/toolchains:0001-disable-Windows-support.patch"],
        patch_args = ["-p1"],
    )
--- a/Show More
+++ b/Show More
 @ -1 +1 @@
 .3.2
 .4.1