
Merge branch 'main' into mj-v2-poc

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner před 2 měsíci
rodič
revize
ac91183f32
33 změnil soubory, kde provedl 76 přidání a 73 odebrání
  1. 4 4
      .github/workflows/ci.yml
  2. 1 1
      .github/workflows/codeql.yml
  3. 1 1
      .github/workflows/crds.yml
  4. 2 2
      .github/workflows/dependabot-approve.yml
  5. 1 1
      .github/workflows/dependency-review.yml
  6. 1 1
      .github/workflows/dlc.yml
  7. 1 1
      .github/workflows/docs.yml
  8. 7 7
      .github/workflows/e2e-managed.yml
  9. 3 3
      .github/workflows/e2e.yml
  10. 3 3
      .github/workflows/helm.yml
  11. 1 1
      .github/workflows/issue-label.yml
  12. 1 1
      .github/workflows/lgtm-remove-on-update.yml
  13. 2 2
      .github/workflows/lgtm.yml
  14. 2 2
      .github/workflows/ok-to-test-managed.yml
  15. 2 2
      .github/workflows/ok-to-test.yml
  16. 2 2
      .github/workflows/publish.yml
  17. 2 2
      .github/workflows/pull-request-label.yml
  18. 1 1
      .github/workflows/rebuild-image.yml
  19. 4 4
      .github/workflows/release.yml
  20. 1 1
      .github/workflows/release_esoctl.yml
  21. 1 1
      .github/workflows/scorecard.yml
  22. 1 1
      .github/workflows/stale.yml
  23. 3 3
      .github/workflows/update-deps.yml
  24. 1 1
      .github/workflows/zizmor.yml
  25. 2 2
      deploy/charts/external-secrets/Chart.yaml
  26. 1 1
      deploy/charts/external-secrets/README.md
  27. 5 5
      deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
  28. 5 5
      deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
  29. 7 7
      deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
  30. 2 1
      docs/introduction/stability-support.md
  31. 2 2
      hack/api-docs/requirements.txt
  32. 3 1
      overrides/main.html
  33. 1 1
      tilt.debug.dockerfile

+ 4 - 4
.github/workflows/ci.yml

@@ -23,7 +23,7 @@ jobs:
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Detect No-op Changes
@@ -43,7 +43,7 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -61,7 +61,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -98,7 +98,7 @@ jobs:
       contents: read
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
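Review bot: All four harden-runner steps in this file, like every other harden-runner step this commit re-pins, keep `egress-policy: audit`, which records outbound connections but does not stop them. That matters most in the jobs that hold write scopes or cloud credentials, such as docs.yml (`contents: write`), publish.yml (`id-token: write`, `packages: write`), release.yml and e2e-managed.yml. Once the audit data gives a stable endpoint list, those jobs could move to `egress-policy: block` with an `allowed-endpoints:` list. The job bodies continue outside the hunks, so the endpoints each job needs cannot be judged from here.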

+ 1 - 1
.github/workflows/codeql.yml

@@ -26,7 +26,7 @@ jobs:
           - language: actions
             build-mode: none
     steps:
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
     - name: Checkout repository

+ 1 - 1
.github/workflows/crds.yml

@@ -18,7 +18,7 @@ jobs:
   crd-tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout

+ 2 - 2
.github/workflows/dependabot-approve.yml

@@ -12,10 +12,10 @@ jobs:
     # PRs but also ensures that it only does work for Dependabot PRs.
     if: github.actor == 'dependabot[bot]' && github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
-      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         id: app-token
         env:
           APP_ID: ${{ secrets.APP_ID }}

+ 1 - 1
.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 

+ 1 - 1
.github/workflows/dlc.yml

@@ -16,7 +16,7 @@ jobs:
   fossa-scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         if: ${{ env.HAS_FOSSA_KEY == 'true' }}
         with:
           egress-policy: audit

+ 1 - 1
.github/workflows/docs.yml

@@ -14,7 +14,7 @@ jobs:
     permissions:
       contents: write #needed to publish documentation
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+ 7 - 7
.github/workflows/e2e-managed.yml

@@ -28,13 +28,13 @@ jobs:
     outputs:
       check_run_id: ${{ steps.create_check.outputs.check_run_id }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
       - name: Create status check
         id: create_check
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}
           HEAD_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
@@ -82,7 +82,7 @@ jobs:
       TF_VAR_AWS_SA_NAME: ${{ secrets.AWS_SA_NAME }}
       TF_VAR_AWS_SA_NAMESPACE: ${{ secrets.AWS_SA_NAMESPACE }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -120,7 +120,7 @@ jobs:
       - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v3
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37
         with:
           role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
@@ -169,7 +169,7 @@ jobs:
       GCP_FED_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GCP_FED_SERVICE_ACCOUNT_EMAIL }}
       GCP_FED_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_FED_WORKLOAD_IDENTITY_PROVIDER }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -264,7 +264,7 @@ jobs:
       TFC_AZURE_SUBSCRIPTION_ID: ${{ secrets.TFC_AZURE_SUBSCRIPTION_ID }}
       TFC_VAULT_URL: ${{ secrets.TFC_VAULT_URL }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -349,7 +349,7 @@ jobs:
       contents: read
     steps:
       - name: Update status check
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           AWS_RESULT: ${{ needs.test-aws.result }}
           GCP_RESULT: ${{ needs.test-gcp.result }}
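Review bot: The new pin for `aws-actions/configure-aws-credentials` in the "Configure AWS Credentials" step has no version comment, unlike every other pinned action in this file, so a reviewer cannot tell from the diff which release `ec61189d14ec14c8efccab744f656cffd0e33f37` is or whether it is a tagged release at all. This step assumes the OIDC role from `AWS_OIDC_ROLE_ARN`, so the provenance of the pin is worth making checkable. I would append the tag the SHA was resolved from, in the same form as the neighbouring lines: `uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # vX.Y.Z`, where `vX.Y.Z` is a placeholder for the real tag. The step's remaining inputs continue outside the hunk.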

+ 3 - 3
.github/workflows/e2e.yml

@@ -65,7 +65,7 @@ jobs:
       GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
       GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
     steps:
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
 
@@ -131,7 +131,7 @@ jobs:
       GRAFANA_URL: ${{ secrets.GRAFANA_URL }}
       GRAFANA_TOKEN: ${{ secrets.GRAFANA_TOKEN }}
     steps:
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
 
@@ -151,7 +151,7 @@ jobs:
         make-target: ${{ matrix.suite.make_target }}
     - id: create_token
       if: always() && matrix.suite.name == 'classic'
-      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
       env:
         APP_ID: ${{ secrets.APP_ID }}
       with:

+ 3 - 3
.github/workflows/helm.yml

@@ -16,7 +16,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -87,7 +87,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Set up Helm
-        uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
         with:
           version: v3.17.3
 

+ 1 - 1
.github/workflows/issue-label.yml

@@ -15,7 +15,7 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7
         with:
           script: |
             console.log("Verify that the issue was created by a first time contributor");
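Review bot: The trailing comment on the re-pinned `actions/github-script` line still says `# v7`, but e2e-managed.yml labels the same SHA `3a2844b7e9c422d3c10d287c895573f7108da1b3` as `# v9.0.0` in this same commit. It labels the previous SHA as v8.0.0, so the comment was already stale before this change. The same mismatch appears in lgtm-remove-on-update.yml, lgtm.yml and pull-request-label.yml. A stale comment hides a major-version change from reviewers and from anyone auditing the pins, so I would change it to `# v9.0.0` in all four files. The inline `script:` bodies continue outside these hunks and should be checked against the new major version.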

+ 1 - 1
.github/workflows/lgtm-remove-on-update.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Remove LGTM label on PR update
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7
       with:
         script: |
           const prNumber = context.payload.pull_request.number;

+ 2 - 2
.github/workflows/lgtm.yml

@@ -28,7 +28,7 @@ jobs:
     # Generate a GitHub App installation access token
     - name: Generate token
       id: generate_token
-      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
       env:
         LGTM_APP_ID: ${{ secrets.LGTM_APP_ID }}
         LGTM_PRIVATE_KEY: ${{ secrets.LGTM_PRIVATE_KEY }}
@@ -48,7 +48,7 @@ jobs:
 
     - name: Process LGTM Command
       if: ${{ github.event.comment.body == '/lgtm' }}
-      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
+      uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7
       with:
         github-token: ${{ steps.generate_token.outputs.token }}
         script: |

+ 2 - 2
.github/workflows/ok-to-test-managed.yml

@@ -20,12 +20,12 @@ jobs:
     # To create a new GitHub App:
     #   https://developer.github.com/apps/building-github-apps/creating-a-github-app/
     # See app.yml for an example app manifest
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
     - name: Generate token
       id: generate_token
-      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
       env:
         APP_ID: ${{ secrets.APP_ID }}
       with:

+ 2 - 2
.github/workflows/ok-to-test.yml

@@ -16,7 +16,7 @@ jobs:
     # Only run for PRs, not issue comments
     if: ${{ github.event.issue.pull_request }}
     steps:
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
     # Generate a GitHub App installation access token from an App ID and private key
@@ -25,7 +25,7 @@ jobs:
     # See app.yml for an example app manifest
     - name: Generate token
       id: generate_token
-      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
       env:
         APP_ID: ${{ secrets.APP_ID }}
       with:

+ 2 - 2
.github/workflows/publish.yml

@@ -53,7 +53,7 @@ jobs:
     outputs:
       image-tag: ${{ steps.container_info.outputs.image-tag }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -161,7 +161,7 @@ jobs:
       id-token: write #for keyless sign
       packages: write #to update packages with added SBOMs.
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout

+ 2 - 2
.github/workflows/pull-request-label.yml

@@ -19,7 +19,7 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v7
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v7
         env:
           # If extended, don't forget to also include it in the verification step verify-labels.
           TYPE_TO_LABEL: |
@@ -127,7 +127,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: codelytv/pr-size-labeler@4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a # v1
+      - uses: codelytv/pr-size-labeler@095a41fca88b8764fd9e008ad269bcdb82bb38b9 # v1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           xs_label: 'size/xs'
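Review bot: The `codelytv/pr-size-labeler` pin changes to `095a41fca88b8764fd9e008ad269bcdb82bb38b9`, but the comment stays `# v1`, so it names only the major line and not the release the SHA belongs to. This step receives `GITHUB_TOKEN` in a job with `issues: write` and `pull-requests: write`, so the pin should be traceable to a specific tag. I would replace the comment with the exact tag, e.g. `# v1.X.Y`, where `v1.X.Y` is a placeholder for the real tag. The step's remaining label inputs continue outside the hunk.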

+ 1 - 1
.github/workflows/rebuild-image.yml

@@ -19,7 +19,7 @@ jobs:
       timestamp: ${{ steps.timestamp.outputs.timestamp }}
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout

+ 4 - 4
.github/workflows/release.yml

@@ -26,7 +26,7 @@ jobs:
       contents: write # to create a release and push new docs
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
 
@@ -62,7 +62,7 @@ jobs:
         run: git checkout "$RESOLVED_SHA"
 
       - name: Create Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           tag_name: ${{ github.event.inputs.version }}
           target_commitish: ${{ github.event.inputs.source_ref }}
@@ -110,7 +110,7 @@ jobs:
       RELEASE_TAG: ${{ github.event.inputs.version }}${{ matrix.tag_suffix }}
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -156,7 +156,7 @@ jobs:
           image-tag: ${{ env.RELEASE_TAG }}
 
       - name: Update Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           tag_name: ${{ github.event.inputs.version }}
           files: |

+ 1 - 1
.github/workflows/release_esoctl.yml

@@ -24,7 +24,7 @@ jobs:
     permissions:
       contents: write # for publishing the release
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout

+ 1 - 1
.github/workflows/scorecard.yml

@@ -20,7 +20,7 @@ jobs:
       id-token: write
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: "Checkout code"

+ 1 - 1
.github/workflows/stale.yml

@@ -13,7 +13,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0

+ 3 - 3
.github/workflows/update-deps.yml

@@ -20,7 +20,7 @@ jobs:
       branches: ${{ steps.branches.outputs.branches }}
 
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Checkout
@@ -42,7 +42,7 @@ jobs:
       matrix:
         branch: ${{ fromJson(needs.branches.outputs.branches) }}
     steps:
-    - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+    - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
       with:
         egress-policy: audit
 
@@ -50,7 +50,7 @@ jobs:
       # from running: we can create a PR but the tests won't run :/
     - name: Generate token
       id: generate_token
-      uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
       env:
         APP_ID: ${{ secrets.APP_ID }}
       with:

+ 1 - 1
.github/workflows/zizmor.yml

@@ -24,7 +24,7 @@ jobs:
     outputs:
       noop: ${{ steps.noop.outputs.should_skip }}
     steps:
-      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      - uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
         with:
           egress-policy: audit
       - name: Detect No-op Changes

+ 2 - 2
deploy/charts/external-secrets/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: external-secrets
 description: External secrets management for Kubernetes
 type: application
-version: "2.2.0"
-appVersion: "v2.2.0"
+version: "2.3.0"
+appVersion: "v2.3.0"
 kubeVersion: ">= 1.19.0-0"
 keywords:
   - kubernetes-external-secrets

+ 1 - 1
deploy/charts/external-secrets/README.md

@@ -4,7 +4,7 @@
 
 [//]: # (README.md generated by gotmpl. DO NOT EDIT.)
 
-![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square)
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square)
 
 External secrets management for Kubernetes
 

+ 5 - 5
deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-cert-controller
-        app.kubernetes.io/version: v2.2.0
-        helm.sh/chart: external-secrets-2.2.0
+        app.kubernetes.io/version: v2.3.0
+        helm.sh/chart: external-secrets-2.3.0
       name: RELEASE-NAME-external-secrets-cert-controller
       namespace: NAMESPACE
     spec:
@@ -24,8 +24,8 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-cert-controller
-            app.kubernetes.io/version: v2.2.0
-            helm.sh/chart: external-secrets-2.2.0
+            app.kubernetes.io/version: v2.3.0
+            helm.sh/chart: external-secrets-2.3.0
         spec:
           automountServiceAccountToken: true
           containers:
@@ -41,7 +41,7 @@ should match snapshot of default values:
                 - --loglevel=info
                 - --zap-time-encoding=epoch
                 - --enable-partial-cache=true
-              image: ghcr.io/external-secrets/external-secrets:v2.2.0
+              image: ghcr.io/external-secrets/external-secrets:v2.3.0
               imagePullPolicy: IfNotPresent
               name: cert-controller
               ports:

+ 5 - 5
deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets
-        app.kubernetes.io/version: v2.2.0
-        helm.sh/chart: external-secrets-2.2.0
+        app.kubernetes.io/version: v2.3.0
+        helm.sh/chart: external-secrets-2.3.0
       name: RELEASE-NAME-external-secrets
       namespace: NAMESPACE
     spec:
@@ -24,8 +24,8 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets
-            app.kubernetes.io/version: v2.2.0
-            helm.sh/chart: external-secrets-2.2.0
+            app.kubernetes.io/version: v2.3.0
+            helm.sh/chart: external-secrets-2.3.0
         spec:
           automountServiceAccountToken: true
           containers:
@@ -34,7 +34,7 @@ should match snapshot of default values:
                 - --metrics-addr=:8080
                 - --loglevel=info
                 - --zap-time-encoding=epoch
-              image: ghcr.io/external-secrets/external-secrets:v2.2.0
+              image: ghcr.io/external-secrets/external-secrets:v2.3.0
               imagePullPolicy: IfNotPresent
               name: external-secrets
               ports:

+ 7 - 7
deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap

@@ -7,8 +7,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v2.2.0
-        helm.sh/chart: external-secrets-2.2.0
+        app.kubernetes.io/version: v2.3.0
+        helm.sh/chart: external-secrets-2.3.0
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE
     spec:
@@ -24,8 +24,8 @@ should match snapshot of default values:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: external-secrets-webhook
-            app.kubernetes.io/version: v2.2.0
-            helm.sh/chart: external-secrets-2.2.0
+            app.kubernetes.io/version: v2.3.0
+            helm.sh/chart: external-secrets-2.3.0
         spec:
           automountServiceAccountToken: true
           containers:
@@ -39,7 +39,7 @@ should match snapshot of default values:
                 - --healthz-addr=:8081
                 - --loglevel=info
                 - --zap-time-encoding=epoch
-              image: ghcr.io/external-secrets/external-secrets:v2.2.0
+              image: ghcr.io/external-secrets/external-secrets:v2.3.0
               imagePullPolicy: IfNotPresent
               name: webhook
               ports:
@@ -86,8 +86,8 @@ should match snapshot of default values:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: external-secrets-webhook
-        app.kubernetes.io/version: v2.2.0
+        app.kubernetes.io/version: v2.3.0
         external-secrets.io/component: webhook
-        helm.sh/chart: external-secrets-2.2.0
+        helm.sh/chart: external-secrets-2.3.0
       name: RELEASE-NAME-external-secrets-webhook
       namespace: NAMESPACE

+ 2 - 1
docs/introduction/stability-support.md

@@ -18,7 +18,8 @@ As of version 0.14.x , this is the only kubernetes version that we will guarante
 
 | ESO Version | Kubernetes Version | Release Date | End of Life           |
 |-------------|--------------------|--------------|-----------------------|
-| 2.2         | 1.34-1.35          | Mar 20, 2026 | Release of next minor |
+| 2.3         | 1.34-1.35          | Apr 10, 2026 | Release of 2.4        |
+| 2.2         | 1.34-1.35          | Mar 20, 2026 | April 10, 2026        |
 | 2.1         | 1.34-1.35          | Mar 06, 2026 | Mar 20, 2026          |
 | 2.0         | 1.34-1.35          | Feb 06, 2026 | Mar 06, 2026          |
 | 1.3         | 1.34               | Jan 23, 2026 | Feb 06, 2026          |

+ 2 - 2
hack/api-docs/requirements.txt

@@ -8,7 +8,7 @@ ghp-import==2.1.0
 htmlmin==0.1.12
 idna==3.11
 importlib-metadata==9.0.0
-importlib-resources==6.5.2
+importlib-resources==7.1.0
 Jinja2==3.1.6
 jsmin==3.0.1
 livereload==2.7.1
@@ -25,7 +25,7 @@ packaging==26.0
 paginate==0.5.7
 pathspec==1.0.4
 pep562==1.1
-platformdirs==4.9.4
+platformdirs==4.9.6
 Pygments==2.20.0
 pymdown-extensions==10.21.2
 python-dateutil==2.9.0.post0

+ 3 - 1
overrides/main.html

@@ -7,6 +7,8 @@
 {% endblock %}
 
 {% block footer %}
-<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e"  alt=""/>
+<img referrerpolicy="no-referrer-when-downgrade"
+  src="https://static.scarf.sh/a.png?x-pxid=6658a9eb-067d-49f1-94f2-b8b00f21451e" alt=""
+  hidden />
   {{ super() }}
 {% endblock %}

+ 1 - 1
tilt.debug.dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.26.2@sha256:2a2b4b5791cea8ae09caecba7bad0bd9631def96e5fe362e4a5e67009fe4ae61
+FROM golang:1.26.2@sha256:fcdb3e42c5544e9682a635771eac76a698b66de79b1b50ec5b9ce5c5f14ad775
 WORKDIR /
 COPY ./bin/external-secrets /external-secrets