diff --git a/Dockerfile b/Dockerfile
index 9ca2c08..d6199eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -43,13 +43,13 @@ RUN url="https://github.com/olix0r/j5j/releases/download/${J5J_VERSION}/j5j-${J5
 
 # just runs build/test recipes. Like `make` but a bit more ergonomic.
 FROM apt-base as just
-ARG JUST_VERSION=1.24.0
+ARG JUST_VERSION=1.37.0
 RUN url="https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin just
 
 # yq is kind of like jq, but for YAML.
 FROM apt-base as yq
-ARG YQ_VERSION=v4.33.3
+ARG YQ_VERSION=v4.44.5
 RUN url="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" ; \
     scurl -o /yq "$url" && chmod +x /yq
 
@@ -65,26 +65,26 @@ COPY --link bin/scurl /bin/
 
 # helm templates kubernetes manifests.
 FROM apt-base as helm
-ARG HELM_VERSION=v3.14.1
+ARG HELM_VERSION=v3.16.3
 RUN url="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" ; \
     scurl "$url" | tar xzvf - --strip-components=1 -C /usr/local/bin linux-amd64/helm
 
 
 # helm-docs generates documentation from helm charts.
 FROM apt-base as helm-docs
-ARG HELM_DOCS_VERSION=v1.12.0
+ARG HELM_DOCS_VERSION=v1.14.2
 RUN url="https://github.com/norwoodj/helm-docs/releases/download/$HELM_DOCS_VERSION/helm-docs_${HELM_DOCS_VERSION#v}_Linux_x86_64.tar.gz" ; \
     scurl "$url" | tar xzvf - -C /usr/local/bin helm-docs
 
 # kubectl controls kubernetes clusters.
 FROM apt-base as kubectl
-ARG KUBECTL_VERSION=v1.29.2
+ARG KUBECTL_VERSION=v1.31.3
 RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; \
     scurl -o /usr/local/bin/kubectl "$url" && chmod +x /usr/local/bin/kubectl
 
 # k3d runs kubernetes clusters in docker.
 FROM apt-base as k3d
-ARG K3D_VERSION=v5.6.0
+ARG K3D_VERSION=v5.7.5
 RUN url="https://raw.githubusercontent.com/rancher/k3d/$K3D_VERSION/install.sh" ; \
     scurl "$url" | USE_SUDO=false K3D_INSTALL_DIR=/usr/local/bin bash
 # just-k3d is a utility that encodes many of the common k3d commands we use.
@@ -96,10 +96,9 @@ COPY --link k3s-images.json "$K3S_IMAGES_JSON"
 
 # step is a tool for managing certificates.
 FROM apt-base as step
-ARG STEP_VERSION=v0.25.2
-RUN scurl -O "https://dl.step.sm/gh-release/cli/docs-cli-install/${STEP_VERSION}/step-cli_${STEP_VERSION#v}_amd64.deb" \
-    && dpkg -i "step-cli_${STEP_VERSION#v}_amd64.deb" \
-    && rm "step-cli_${STEP_VERSION#v}_amd64.deb"
+ARG STEP_VERSION=v0.28.2
+RUN url="https://dl.smallstep.com/gh-release/cli/gh-release-header/${STEP_VERSION}/step_linux_${STEP_VERSION#v}_amd64.tar.gz" ; \
+    scurl "$url" | tar xzvf - --strip-components=2 -C /usr/local/bin step_"${STEP_VERSION#v}"/bin/step
 
 FROM scratch as tools-k8s
 COPY --link --from=helm /usr/local/bin/helm /bin/
@@ -108,7 +107,7 @@ COPY --link --from=k3d /usr/local/bin/* /bin/
 ENV K3S_IMAGES_JSON=/etc/k3s-images.json
 COPY --link --from=k3d /usr/local/etc/k3s-images.json "$K3S_IMAGES_JSON"
 COPY --link --from=kubectl /usr/local/bin/kubectl /bin/
-COPY --link --from=step /usr/bin/step-cli /bin/
+COPY --link --from=step /usr/local/bin/step /bin/
 
 ##
 ## Linting tools
@@ -116,7 +115,7 @@ COPY --link --from=step /usr/bin/step-cli /bin/
 
 # actionlint lints github actions workflows.
 FROM apt-base as actionlint
-ARG ACTIONLINT_VERSION=v1.6.26
+ARG ACTIONLINT_VERSION=v1.7.4
 RUN url="https://github.com/rhysd/actionlint/releases/download/${ACTIONLINT_VERSION}/actionlint_${ACTIONLINT_VERSION#v}_linux_amd64.tar.gz" ; \
     scurl "$url" | tar xzvf - -C /usr/local/bin actionlint
 
@@ -128,7 +127,7 @@ RUN url="https://raw.githubusercontent.com/slimm609/checksec.sh/${CHECKSEC_VERSI
 
 # shellcheck lints shell scripts.
 FROM apt-base as shellcheck
-ARG SHELLCHECK_VERSION=v0.9.0
+ARG SHELLCHECK_VERSION=v0.10.0
 RUN url="https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ; \
     scurl "$url" | tar xJvf - --strip-components=1 -C /usr/local/bin "shellcheck-${SHELLCHECK_VERSION}/shellcheck"
 COPY --link bin/just-sh /usr/local/bin/
@@ -144,7 +143,7 @@ COPY --link bin/action-* bin/just-dev bin/just-sh /bin/
 ##
 
 FROM apt-base as protobuf
-ARG PROTOC_VERSION=v3.20.3
+ARG PROTOC_VERSION=v29.0
 RUN url="https://github.com/google/protobuf/releases/download/$PROTOC_VERSION/protoc-${PROTOC_VERSION#v}-linux-$(uname -m).zip" ; \
     cd $(mktemp -d) && \
     scurl -o protoc.zip  "$url" && \
@@ -166,19 +165,19 @@ RUN url="https://github.com/olix0r/cargo-action-fmt/releases/download/release%2F
 
 # cargo-deny checks cargo dependencies for licensing and RUSTSEC security issues.
 FROM apt-base as cargo-deny
-ARG CARGO_DENY_VERSION=0.14.11
+ARG CARGO_DENY_VERSION=0.16.3
 RUN url="https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \
     scurl "$url" | tar zvxf - --strip-components=1 -C /usr/local/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny"
 
 # cargo-nextest is a nicer test runner.
 FROM apt-base as cargo-nextest
-ARG NEXTEST_VERSION=0.9.67
+ARG NEXTEST_VERSION=0.9.85
 RUN url="https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${NEXTEST_VERSION}/cargo-nextest-${NEXTEST_VERSION}-x86_64-unknown-linux-gnu.tar.gz" ; \
     scurl "$url" | tar zvxf - -C /usr/local/bin cargo-nextest
 
 # cargo-tarpaulin is a code coverage tool.
 FROM apt-base as cargo-tarpaulin
-ARG CARGO_TARPAULIN_VERSION=0.27.3
+ARG CARGO_TARPAULIN_VERSION=0.31.3
 RUN url="https://github.com/xd009642/tarpaulin/releases/download/${CARGO_TARPAULIN_VERSION}/cargo-tarpaulin-x86_64-unknown-linux-musl.tar.gz" ;\
     scurl "$url" | tar xzvf - -C /usr/local/bin cargo-tarpaulin
 
@@ -193,39 +192,42 @@ COPY --link bin/just-cargo /bin/
 ## Go tools
 ##
 
-FROM docker.io/library/golang:1.22 as go-delve
+FROM docker.io/library/golang:1.23 as go-delve
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
 
-FROM docker.io/library/golang:1.22 as go-impl
+FROM docker.io/library/golang:1.23 as go-impl
 RUN go install github.com/josharian/impl@latest
 
-FROM docker.io/library/golang:1.22 as go-outline
+FROM docker.io/library/golang:1.23 as go-outline
 RUN go install github.com/ramya-rao-a/go-outline@latest
 
-FROM docker.io/library/golang:1.22 as go-protoc
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28.1
-RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2
+FROM docker.io/library/golang:1.23 as go-protoc
+ARG PROTOC_GEN_GO_VERSION=v1.35.2
+ARG PROTOC_GEN_GO_GRPC_VERSION=v1.5.1
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_VERSION}
+RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@${PROTOC_GEN_GO_GRPC_VERSION}
 
-FROM docker.io/library/golang:1.22 as golangci-lint
+FROM docker.io/library/golang:1.23 as golangci-lint
 RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
-FROM docker.io/library/golang:1.22 as gomodifytags
+FROM docker.io/library/golang:1.23 as gomodifytags
 RUN go install github.com/fatih/gomodifytags@latest
 
-FROM docker.io/library/golang:1.22 as gopkgs
+FROM docker.io/library/golang:1.23 as gopkgs
 RUN go install github.com/uudashr/gopkgs/v2/cmd/gopkgs@latest
 
-FROM docker.io/library/golang:1.22 as goplay
+FROM docker.io/library/golang:1.23 as goplay
 RUN go install github.com/haya14busa/goplay/cmd/goplay@latest
 
-FROM docker.io/library/golang:1.22 as gopls
+FROM docker.io/library/golang:1.23 as gopls
 RUN go install golang.org/x/tools/gopls@latest
 
-FROM docker.io/library/golang:1.22 as gotests
+FROM docker.io/library/golang:1.23 as gotests
 RUN go install github.com/cweill/gotests/gotests@latest
 
-FROM docker.io/library/golang:1.22 as gotestsum
-RUN go install gotest.tools/gotestsum@v0.4.2
+FROM docker.io/library/golang:1.23 as gotestsum
+ARG GOTESTSUM_VERSION=v1.12.0
+RUN go install gotest.tools/gotestsum@${GOTESTSUM_VERSION}
 
 FROM scratch as tools-go
 COPY --link --from=go-delve /go/bin/dlv /bin/
@@ -263,7 +265,7 @@ COPY --link --from=tools-script /bin/* /bin/
 ##
 
 # A Go build environment.
-FROM docker.io/library/golang:1.22 as go
+FROM docker.io/library/golang:1.23 as go
 RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
@@ -277,7 +279,7 @@ ENV PROTOC_NO_VENDOR=1 \
     PROTOC_INCLUDE=/usr/local/include
 
 # A Rust build environment.
-FROM docker.io/rust:1.76-slim-bookworm as rust
+FROM docker.io/library/rust:1.83-slim-bookworm as rust
 RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
@@ -379,6 +381,8 @@ RUN --mount=type=cache,from=apt-llvm,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-llvm,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-llvm,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
     DEBIAN_FRONTEND=noninteractive apt-get install -y clang-14 llvm-14
+ENV CC=clang-14 \
+    CXX=clang++-14
 
 # Use microsoft's Docker setup script to install the Docker CLI.
 #
@@ -393,7 +397,7 @@ RUN --mount=type=cache,id=apt-docker,from=apt-base,source=/etc/apt,target=/etc/a
     scurl https://raw.githubusercontent.com/microsoft/vscode-dev-containers/main/script-library/docker-debian.sh | bash -s
 ENV DOCKER_BUILDKIT=1
 
-ARG MARKDOWNLINT_VERSION=0.10.0
+ARG MARKDOWNLINT_VERSION=0.15.0
 RUN --mount=type=cache,from=apt-node,source=/etc/apt,target=/etc/apt,ro \
     --mount=type=cache,from=apt-node,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,from=apt-node,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \
diff --git a/README.md b/README.md
index e4018e7..62dee16 100644
--- a/README.md
+++ b/README.md
@@ -217,7 +217,7 @@ jobs:
 Build a single target (e.g. while editing the Dockerfile):
 
 ```sh
-:; just build --target=rust
+:; just targets=rust build
 ```
 
 Update k3s images for all channels:
diff --git a/actions/setup-go/action.yml b/actions/setup-go/action.yml
index 8727e69..ead2e16 100644
--- a/actions/setup-go/action.yml
+++ b/actions/setup-go/action.yml
@@ -5,7 +5,7 @@ inputs:
   # TODO(ver): CI should validate at this version matches that in the Dockerfile
   version:
     description: Go version
-    default: 1.22
+    default: 1.23
 
 runs:
   using: composite
diff --git a/actions/setup-rust/action.yml b/actions/setup-rust/action.yml
index f85e4e4..e7d5ef1 100644
--- a/actions/setup-rust/action.yml
+++ b/actions/setup-rust/action.yml
@@ -6,7 +6,7 @@ inputs:
   # TODO(ver): CI should validate at this version matches that in the Dockerfile
   version:
     description: Container image version
-    default: 1.76.0
+    default: 1.83.0
 
   components:
     description: Rust components to install
diff --git a/actions/setup-tools/action.yml b/actions/setup-tools/action.yml
index ab70e40..7f6fcab 100644
--- a/actions/setup-tools/action.yml
+++ b/actions/setup-tools/action.yml
@@ -5,7 +5,7 @@ inputs:
   # TODO(ver): CI should validate at this version matches the most recent release tag
   version:
     description: Container image version
-    default: v43
+    default: v44
 
 runs:
   using: composite
diff --git a/k3s-images.json b/k3s-images.json
index eb4326b..afb7bcc 100644
--- a/k3s-images.json
+++ b/k3s-images.json
@@ -1,18 +1,20 @@
 {
   "name": "docker.io/rancher/k3s",
   "channels": {
-    "stable": "v1.28.6-k3s2",
-    "latest": "v1.29.1-k3s2",
+    "stable": "v1.30.6-k3s1",
+    "latest": "v1.31.2-k3s1",
     "v1.20": "v1.20.15-k3s1",
     "v1.21": "v1.21.14-k3s1",
     "v1.22": "v1.22.17-k3s1",
     "v1.23": "v1.23.17-k3s1",
     "v1.24": "v1.24.17-k3s1",
     "v1.25": "v1.25.16-k3s4",
-    "v1.26": "v1.26.13-k3s2",
-    "v1.27": "v1.27.10-k3s2",
-    "v1.28": "v1.28.6-k3s2",
-    "v1.29": "v1.29.1-k3s2"
+    "v1.26": "v1.26.15-k3s1",
+    "v1.27": "v1.27.16-k3s1",
+    "v1.28": "v1.28.15-k3s1",
+    "v1.29": "v1.29.10-k3s1",
+    "v1.30": "v1.30.6-k3s1",
+    "v1.31": "v1.31.2-k3s1"
   },
   "digests": {
     "v1.20.15-k3s1": "sha256:0e49b63b8ee234e308ff578682f8f4f2f95bffda7ba75077e5da29548cd2a6b3",
@@ -21,9 +23,11 @@
     "v1.23.17-k3s1": "sha256:6f2b6d6d756b3f2f04c864ca2773435b9f19473a3568893720aef46f2cd47606",
     "v1.24.17-k3s1": "sha256:9e034931999854c6210b86a0708fde66b91370459fa077a4f9d008e7f51fc51d",
     "v1.25.16-k3s4": "sha256:b6e5bd6260e36da6c2f84de3d4f4cf636bab973a428149d9962e566bed7dc5cf",
-    "v1.26.13-k3s2": "sha256:19009a12bd34282298c85931aa0ffbf23db2d031bb522fbf4e9803b7e44d773a",
-    "v1.27.10-k3s2": "sha256:39cf130bafeb5472607b9f876500b0cc3e03e623bc298fef959d2bfd3eec4d2e",
-    "v1.28.6-k3s2": "sha256:6b47ec6de901f81f5f361b615dd60a438372b295d73df6966b1482de1704153c",
-    "v1.29.1-k3s2": "sha256:16ef2c025ff314906316b38fa84ce2ed81705432ef4c2cdf79790405365d4086"
+    "v1.26.15-k3s1": "sha256:fabb4a57b34c67c0dfab602bd6ae54b34598a9f9218004089d1202431088fdb1",
+    "v1.27.16-k3s1": "sha256:b7bca8255da9e25a9fdd95bae61f99f8cd424d90691fc5125621b2955bebdfd2",
+    "v1.28.15-k3s1": "sha256:af4f882a4cfaf418cb03d52c59cd150f42bf2b72f084c4592c6a133f4856660d",
+    "v1.29.10-k3s1": "sha256:081d77a383a372d3984a3256d73865eff1c815644ea5935551656ddbe04395f3",
+    "v1.30.6-k3s1": "sha256:204d4094343ed60ff60ed4b009785151c43d8f611761929aae3a1beb02fc0adf",
+    "v1.31.2-k3s1": "sha256:c88e1cf829fd84331c9ec92988509f17b5815527829326810da1a223e8b50a36"
   }
 }