projectsesame · izturn · Oct 2, 2025 · Oct 2, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,6 +10,9 @@ updates:
   schedule:
     interval: "weekly"
     day: "sunday"
+  cooldown:
+    default-days: 3
+    semver-major-days: 15
   labels:
   - area/dependency
   - release-note/none-required
@@ -18,89 +21,25 @@ updates:
       patterns:
       - "k8s.io/*"
 - target-branch: main
-  package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: "weekly"
-    day: "sunday"
-  labels:
-  - area/tooling
-  - release-note/none-required
-  groups:
-    artifact-actions:
-      patterns:
-      - "actions/upload-artifact"
-      - "actions/download-artifact"
-
-# release branch N targets
-- target-branch: release-1.33
   package-ecosystem: "gomod"
-  directory: "/"
-  schedule:
-    interval: "weekly"
-    day: "sunday"
-  ignore:
-  - dependency-name: "*"
-    update-types:
-    - "version-update:semver-major"
-    - "version-update:semver-minor"
-  labels:
-  - area/dependency
-  - release-note/none-required
-  groups:
-    k8s-dependencies:
-      patterns:
-      - "k8s.io/*"
-- target-branch: release-1.33
-  package-ecosystem: "github-actions"
-  directory: "/"
+  directory: "/tools"
   schedule:
     interval: "weekly"
     day: "sunday"
-  ignore:
-  - dependency-name: "*"
-    update-types:
-    - "version-update:semver-major"
-    - "version-update:semver-minor"
+  cooldown:
+    default-days: 3
+    semver-major-days: 15
   labels:
   - area/tooling
   - release-note/none-required
-  groups:
-    artifact-actions:
-      patterns:
-      - "actions/upload-artifact"
-      - "actions/download-artifact"
-
-# release branch N-1 targets
-- target-branch: release-1.32
-  package-ecosystem: "gomod"
-  directory: "/"
-  schedule:
-    interval: "weekly"
-    day: "sunday"
-  ignore:
-  - dependency-name: "*"
-    update-types:
-    - "version-update:semver-major"
-    - "version-update:semver-minor"
-  labels:
-  - area/dependency
-  - release-note/none-required
-  groups:
-    k8s-dependencies:
-      patterns:
-      - "k8s.io/*"
-- target-branch: release-1.32
+- target-branch: main
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
     interval: "weekly"
     day: "sunday"
-  ignore:
-  - dependency-name: "*"
-    update-types:
-    - "version-update:semver-major"
-    - "version-update:semver-minor"
+  cooldown:
+    default-days: 3
   labels:
   - area/tooling
   - release-note/none-required
@@ -110,13 +49,15 @@ updates:
       - "actions/upload-artifact"
       - "actions/download-artifact"
 
-# release branch N-2 targets
-- target-branch: release-1.31
+# release branch targets
+- target-branch: release-1.33
   package-ecosystem: "gomod"
   directory: "/"
   schedule:
     interval: "weekly"
     day: "sunday"
+  cooldown:
+    default-days: 3
   ignore:
   - dependency-name: "*"
     update-types:
@@ -129,12 +70,14 @@ updates:
     k8s-dependencies:
       patterns:
       - "k8s.io/*"
-- target-branch: release-1.31
+- target-branch: release-1.33
   package-ecosystem: "github-actions"
   directory: "/"
   schedule:
     interval: "weekly"
     day: "sunday"
+  cooldown:
+    default-days: 3
   ignore:
   - dependency-name: "*"
     update-types:
@@ -148,3 +91,5 @@ updates:
       patterns:
       - "actions/upload-artifact"
       - "actions/download-artifact"
+
+
diff --git a/.github/reviewers.yaml b/.github/reviewers.yaml
diff --git a/.github/workflows/build_daily.yaml b/.github/workflows/build_daily.yaml
@@ -12,16 +12,16 @@ permissions:
 
 env:
   GOPROXY: https://proxy.golang.org/
-  GO_VERSION: 1.25.1
+  GO_VERSION: 1.26.4
 
 jobs:
   e2e-envoy-deployment:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
-    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -31,7 +31,7 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false
@@ -48,10 +48,10 @@ jobs:
   e2e-ipv6:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
-    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -61,7 +61,7 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false

diff --git a/.github/workflows/build_main.yaml b/.github/workflows/build_main.yaml
@@ -14,15 +14,15 @@ jobs:
     permissions:
       packages: write
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       with:
         version: latest
     - name: Log in to GHCR
-      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ github.actor }}

diff --git a/.github/workflows/build_tag.yaml b/.github/workflows/build_tag.yaml
@@ -18,23 +18,23 @@ permissions:
 
 env:
   GOPROXY: https://proxy.golang.org/
-  GO_VERSION: 1.25.1
+  GO_VERSION: 1.26.4
 
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
       packages: write
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       with:
         version: latest
     - name: Log in to GHCR
-      uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+      uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
@@ -49,10 +49,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
-    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -62,7 +62,7 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false
@@ -77,7 +77,7 @@ jobs:
         export CONTOUR_E2E_IMAGE="ghcr.io/projectcontour/contour:$(git describe --tags)"
         make setup-kind-cluster run-gateway-conformance cleanup-kind
     - name: Upload gateway conformance report
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
         name: gateway-conformance-report
         path: gateway-conformance-report/projectcontour-contour-*.yaml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -12,20 +12,24 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: codeql-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 env:
   GOPROXY: https://proxy.golang.org/
-  GO_VERSION: 1.25.1
+  GO_VERSION: 1.26.4
 
 jobs:
   CodeQL-Build:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
-    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -35,17 +39,36 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+      uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.29.5
       with:
         languages: go
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     - name: Autobuild
-      uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+      uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.29.5
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+      uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.29.5
+      with:
+        category: /language:go
+
+  CodeQL-for-Actions:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      with:
+        persist-credentials: false
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.29.5
+      with:
+        languages: actions
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v3.29.5
+      with:
+        category: /language:actions
diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml
@@ -23,17 +23,17 @@ jobs:
     name: Check release-note label set
     runs-on: ubuntu-latest
     steps:
-    - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5
+    - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5
       with:
         mode: minimum
         count: 1
         labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required"
-    - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5
+    - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5
       with:
         mode: maximum
         count: 1
         labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required"
-    - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5
+    - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5.5
       with:
         mode: maximum
         count: 1
@@ -43,10 +43,10 @@ jobs:
     needs: [check-label]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       with:
         persist-credentials: false
-    - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+    - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         # * Module download cache
         # * Build cache (Linux)
@@ -56,7 +56,7 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-    - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: 'stable'
         cache: false