From ae4e42a5fc578c534e00bafc466f48cf06635420 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Fri, 1 Aug 2025 14:54:47 -0400 Subject: [PATCH 01/12] fix: Setup devcontainers for building aws-lc-sys This needs a few environment variables and debian packages installed to facilitate building that package. This includes the env vars in the `just-cargo` invocation, and the packages in the rust, rust-musl, and devcontainer images. --- Dockerfile | 1 + bin/just-cargo | 2 ++ 2 files changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 3227cc8..a8de00e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -346,6 +346,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ g++-aarch64-linux-gnu \ gcc-aarch64-linux-gnu \ + binutils-aarch64-linux-gnu \ libc6-dev-arm64-cross ## diff --git a/bin/just-cargo b/bin/just-cargo index d052ce8..3a0be34 100755 --- a/bin/just-cargo +++ b/bin/just-cargo @@ -34,6 +34,7 @@ _rustflags-self-contained := "-Clink-self-contained=yes -Clinker=rust-lld -Clink export AR_aarch64_unknown_linux_gnu := _ar export CC_aarch64_unknown_linux_gnu := _clang export CFLAGS_aarch64_unknown_linux_gnu := '--sysroot=/usr/aarch64-linux-gnu' +export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := '-fuse-ld=/usr/aarch64-linux-gnu/bin/ld' export STRIP_aarch64_unknown_linux_gnu := _strip export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER := 'aarch64-linux-gnu-gcc' @@ -41,6 +42,7 @@ export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER := 'aarch64-linux-gnu-gcc' export AR_aarch64_unknown_linux_musl := _ar export CC_aarch64_unknown_linux_musl := _clang export CFLAGS_aarch64_unknown_linux_musl := '--sysroot=/usr/aarch64-linux-gnu' +export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := '-fuse-ld=/usr/aarch64-linux-gnu/bin/ld' export STRIP_aarch64_unknown_linux_musl := _strip export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS := _rustflags-self-contained 
From bc0421e93415567b03dbdef9238a4ae3fae67fc3 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Thu, 7 Aug 2025 16:08:00 -0400 Subject: [PATCH 02/12] fix: Remove CFLAGS from just-cargo --- bin/just-cargo | 4 ---- 1 file changed, 4 deletions(-) diff --git a/bin/just-cargo b/bin/just-cargo index 3a0be34..24f2c3d 100755 --- a/bin/just-cargo +++ b/bin/just-cargo @@ -33,16 +33,12 @@ _rustflags-self-contained := "-Clink-self-contained=yes -Clinker=rust-lld -Clink # linux/arm64 + gnu export AR_aarch64_unknown_linux_gnu := _ar export CC_aarch64_unknown_linux_gnu := _clang -export CFLAGS_aarch64_unknown_linux_gnu := '--sysroot=/usr/aarch64-linux-gnu' -export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := '-fuse-ld=/usr/aarch64-linux-gnu/bin/ld' export STRIP_aarch64_unknown_linux_gnu := _strip export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER := 'aarch64-linux-gnu-gcc' # linux/arm64 + musl export AR_aarch64_unknown_linux_musl := _ar export CC_aarch64_unknown_linux_musl := _clang -export CFLAGS_aarch64_unknown_linux_musl := '--sysroot=/usr/aarch64-linux-gnu' -export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := '-fuse-ld=/usr/aarch64-linux-gnu/bin/ld' export STRIP_aarch64_unknown_linux_musl := _strip export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS := _rustflags-self-contained From 175abc5f5ac839d0cee217fd1c890e28bdfe6221 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Wed, 1 Oct 2025 18:43:23 +0000 Subject: [PATCH 03/12] wip: v48 - Update dependabot to properly scan the dev Dockerfile weekly - Add syft, grype, oras, and cosign to the tools iamge - Update various dependencies to be managed as OCI dependencies (for dependabot management) - Update other dependencies, including Go (to 1.25) and Rust (to 1.90) - setup-tools action: - Hack mandb to avoid slowness during apt installs in GitHub Actions - Unpack the tools binaries without doing a full docker buildx setup --- .github/dependabot.yml | 10 ++---- Dockerfile | 58 +++++++++++----------------------- actions/setup-tools/action.yml | 25 ++++++++++----- 3 files changed, 38 insertions(+), 55 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9e725af..9bd0170 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,15 +1,11 @@ version: 2 updates: - package-ecosystem: "docker" - directory: "/.devcontainer" + directory: "/" schedule: - interval: daily - time: "05:00" - timezone: "UTC" + interval: "weekly" - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" - time: "04:00" - timezone: "UTC" + interval: "weekly" diff --git a/Dockerfile b/Dockerfile index 3227cc8..bf69945 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,8 +5,8 @@ ## -ARG GO_TAG=1.24 -ARG RUST_TAG=1.88.0 +ARG GO_TAG=1.25 +ARG RUST_TAG=1.90.0 # These layers include Debian apt caches, so layers that extend `apt-base` # should not be published. Instead, these layers should be used to provide 
@@ -45,13 +45,13 @@ RUN url="https://github.com/olix0r/j5j/releases/download/${J5J_VERSION}/j5j-${J5 # just runs build/test recipes. Like `make` but a bit more ergonomic. FROM apt-base as just -ARG JUST_VERSION=1.42.4 # repo=casey/just +ARG JUST_VERSION=1.43.0 # repo=casey/just RUN url="https://github.com/casey/just/releases/download/${JUST_VERSION}/just-${JUST_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \ scurl "$url" | tar zvxf - -C /usr/local/bin just # yq is kind of like jq, but for YAML. FROM apt-base as yq -ARG YQ_VERSION=v4.47.1 # repo=mikefarah/yq +ARG YQ_VERSION=v4.47.2 # repo=mikefarah/yq RUN url="https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" ; \ scurl -o /yq "$url" && chmod +x /yq @@ -67,7 +67,7 @@ COPY --link bin/scurl /bin/ # helm templates kubernetes manifests. FROM apt-base as helm -ARG HELM_VERSION=v3.18.4 # repo=helm/helm +ARG HELM_VERSION=v3.19.0 # repo=helm/helm RUN url="https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz" ; \ scurl "$url" | tar xzvf - --strip-components=1 -C /usr/local/bin linux-amd64/helm 
@@ -80,15 +80,13 @@ RUN url="https://github.com/norwoodj/helm-docs/releases/download/$HELM_DOCS_VERS # kubectl controls kubernetes clusters. FROM apt-base as kubectl -ARG KUBECTL_VERSION=v1.33.3 # repo=kubernetes/kubernetes +ARG KUBECTL_VERSION=v1.34.1 # repo=kubernetes/kubernetes RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; \ scurl -o /usr/local/bin/kubectl "$url" && chmod +x /usr/local/bin/kubectl # k3d runs kubernetes clusters in docker. FROM apt-base as k3d -ARG K3D_VERSION=v5.8.3 # repo=rancher/k3d -RUN url="https://raw.githubusercontent.com/rancher/k3d/$K3D_VERSION/install.sh" ; \ - scurl "$url" | USE_SUDO=false K3D_INSTALL_DIR=/usr/local/bin bash +COPY --link --from=ghcr.io/k3d-io/k3d-tools:5.8.3 /bin/k3d /usr/local/bin/ # just-k3d is a utility that encodes many of the common k3d commands we use. COPY --link bin/just-k3d /usr/local/bin/ # `K3S_IMAGES_JSON` configures just-k3d so that it uses a pinned version of k3s. @@ -96,12 +94,6 @@ COPY --link bin/just-k3d /usr/local/bin/ ENV K3S_IMAGES_JSON=/usr/local/etc/k3s-images.json COPY --link k3s-images.json "$K3S_IMAGES_JSON" -# step is a tool for managing certificates. -FROM apt-base as step -ARG STEP_VERSION=v0.28.7 # repo=smallstep/cli -RUN url="https://dl.smallstep.com/gh-release/cli/gh-release-header/${STEP_VERSION}/step_linux_${STEP_VERSION#v}_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - --strip-components=2 -C /usr/local/bin step_"${STEP_VERSION#v}"/bin/step - FROM scratch as tools-k8s COPY --link --from=helm /usr/local/bin/helm /bin/ COPY --link --from=helm-docs /usr/local/bin/helm-docs /bin/ 
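Review bot: The new `COPY --link --from=ghcr.io/k3d-io/k3d-tools:5.8.3 /bin/k3d /usr/local/bin/` line in the k3d stage names its source image by tag only, so the binary that lands in the tools image can change whenever that tag is re-pushed upstream. Pinning the digest as well, e.g. `COPY --link --from=ghcr.io/k3d-io/k3d-tools:5.8.3@sha256:<digest> /bin/k3d /usr/local/bin/`, fixes the content and matches how k3s-images.json already records a sha256 for every k3s tag. The same applies to the step-cli, cosign, oras, syft and grype copies in the tools-k8s/tools-oci hunk, to the shellcheck copy in tools-lint, and to the later `ghcr.io/k3d-io/k3d:5.8.3` correction in patch 08. A short comment above each copy naming the upstream repository would also replace the `# repo=...` hints that the removed `ARG` lines carried.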
@@ -109,21 +101,13 @@ COPY --link --from=k3d /usr/local/bin/* /bin/ ENV K3S_IMAGES_JSON=/etc/k3s-images.json COPY --link --from=k3d /usr/local/etc/k3s-images.json "$K3S_IMAGES_JSON" COPY --link --from=kubectl /usr/local/bin/kubectl /bin/ -COPY --link --from=step /usr/local/bin/step /bin/ - -FROM apt-base as syft -ARG SYFT_VERSION=v1.29.0 # repo=anchore/syft -RUN url="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - -C /usr/local/bin syft - -FROM apt-base as grype -ARG GRYPE_VERSION=v0.96.1 # repo=anchore/grype -RUN url="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}/grype_${GRYPE_VERSION#v}_linux_amd64.tar.gz" ; \ - scurl "$url" | tar xzvf - -C /usr/local/bin grype +COPY --link --from=docker.io/smallstep/step-cli:0.28.7 /usr/local/bin/step /bin/ FROM scratch as tools-oci -COPY --link --from=syft /usr/local/bin/syft /bin/ -COPY --link --from=grype /usr/local/bin/grype /bin/ +COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.4.1 /ko-app/cosign /bin/ +COPY --link --from=ghcr.io/oras-project/oras:v1.3.0 /bin/oras /bin/ +COPY --link --from=ghcr.io/anchore/syft:v1.33.0 /syft /bin/ +COPY --link --from=ghcr.io/anchore/grype:v0.96.1 /grype /bin/ ## ## Linting tools 
@@ -141,17 +125,10 @@ ARG CHECKSEC_VERSION=2.7.1 # ignore RUN url="https://raw.githubusercontent.com/slimm609/checksec/${CHECKSEC_VERSION}/checksec" ; \ scurl -o /usr/local/bin/checksec "$url" && chmod 755 /usr/local/bin/checksec -# shellcheck lints shell scripts. -FROM apt-base as shellcheck -ARG SHELLCHECK_VERSION=v0.10.0 # repo=koalaman/shellcheck -RUN url="https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ; \ - scurl "$url" | tar xJvf - --strip-components=1 -C /usr/local/bin "shellcheck-${SHELLCHECK_VERSION}/shellcheck" -COPY --link bin/just-sh /usr/local/bin/ - FROM scratch as tools-lint COPY --link --from=actionlint /usr/local/bin/actionlint /bin/ COPY --link --from=checksec /usr/local/bin/checksec /bin/ -COPY --link --from=shellcheck /usr/local/bin/shellcheck /bin/ +COPY --link --from=docker.io/koalaman/shellcheck:v0.11.0 /bin/shellcheck /bin/ COPY --link bin/action-* bin/just-dev bin/just-sh /bin/ ## @@ -159,7 +136,7 @@ COPY --link bin/action-* bin/just-dev bin/just-sh /bin/ ## FROM apt-base as protobuf -ARG PROTOC_VERSION=v31.1 # repo=protocolbuffers/protobuf +ARG PROTOC_VERSION=v32.1 # repo=protocolbuffers/protobuf RUN url="https://github.com/google/protobuf/releases/download/$PROTOC_VERSION/protoc-${PROTOC_VERSION#v}-linux-$(uname -m).zip" ; \ cd $(mktemp -d) && \ scurl -o protoc.zip "$url" && \ 
@@ -186,13 +163,13 @@ RUN url="https://github.com/rust-secure-code/cargo-auditable/releases/download/$ # cargo-deny checks cargo dependencies for licensing and RUSTSEC security issues. FROM apt-base as cargo-deny -ARG CARGO_DENY_VERSION=0.18.3 # repo=EmbarkStudios/cargo-deny +ARG CARGO_DENY_VERSION=0.18.5 # repo=EmbarkStudios/cargo-deny RUN url="https://github.com/EmbarkStudios/cargo-deny/releases/download/${CARGO_DENY_VERSION}/cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl.tar.gz" ; \ scurl "$url" | tar zvxf - --strip-components=1 -C /usr/local/bin "cargo-deny-${CARGO_DENY_VERSION}-x86_64-unknown-linux-musl/cargo-deny" # cargo-nextest is a nicer test runner. FROM apt-base as cargo-nextest -ARG NEXTEST_VERSION=0.9.101 # repo=nextest-rs/nextest,prefix=cargo-nextest- +ARG NEXTEST_VERSION=0.9.104 # repo=nextest-rs/nextest,prefix=cargo-nextest- RUN url="https://github.com/nextest-rs/nextest/releases/download/cargo-nextest-${NEXTEST_VERSION}/cargo-nextest-${NEXTEST_VERSION}-x86_64-unknown-linux-gnu.tar.gz" ; \ scurl "$url" | tar zvxf - -C /usr/local/bin cargo-nextest @@ -248,7 +225,7 @@ FROM docker.io/library/golang:${GO_TAG} as gotests RUN go install github.com/cweill/gotests/gotests@latest FROM docker.io/library/golang:${GO_TAG} as gotestsum -ARG GOTESTSUM_VERSION=v1.12.0 +ARG GOTESTSUM_VERSION=v1.13.0 # repo=gotestyourself/gotestsum RUN go install gotest.tools/gotestsum@${GOTESTSUM_VERSION} FROM scratch as tools-go @@ -344,6 +321,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \ --mount=type=cache,from=apt-base,source=/var/cache/apt,target=/var/cache/apt,sharing=locked \ --mount=type=cache,from=apt-base,source=/var/lib/apt/lists,target=/var/lib/apt/lists,sharing=locked \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ + binutils-aarch64-linux-gnu \ g++-aarch64-linux-gnu \ gcc-aarch64-linux-gnu \ libc6-dev-arm64-cross diff --git a/actions/setup-tools/action.yml b/actions/setup-tools/action.yml index 435ee53..df7853b 100644 
--- a/actions/setup-tools/action.yml +++ b/actions/setup-tools/action.yml @@ -10,22 +10,31 @@ inputs: runs: using: composite steps: - - uses: docker/setup-buildx-action@v3 + - name: "Hack mandb" + shell: bash + run: | + sudo dpkg-divert --local --rename --add /usr/bin/mandb + sudo ln -sf /bin/true /usr/bin/mandb + + - shell: bash + run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo umoci - name: Extract tools shell: bash run: | set -xeuo pipefail - build=$(mktemp -d '${{ runner.temp }}/build.XXXX') - echo 'FROM ghcr.io/linkerd/dev:${{ inputs.version }}-tools' > "$build"/Dockerfile + oci_dir=$(mktemp -d '${{ runner.temp }}/oci.XXXX') + bundle_dir=$(mktemp -d '${{ runner.temp }}/bundle.XXXX') - tools=$(mktemp -d '${{ runner.temp }}/tools.XXXX') - docker buildx build "$build" --output="type=local,dest=$tools/" + skopeo copy \ + "docker://ghcr.io/linkerd/dev:${{ inputs.version }}-tools" \ + "oci:$oci_dir:tools" + + umoci unpack --rootless --image "$oci_dir:tools" "$bundle_dir" + + tools="$bundle_dir/rootfs" ( echo K3S_IMAGES_JSON="$tools/etc/k3s-images.json" echo PATH="$tools/bin:$PATH" ) >> "$GITHUB_ENV" - - - shell: bash - run: sudo apt-get update && sudo apt-get install -y --no-install-recommends jo jq From 43805e780a40a9c25c73b701d0bcd708f3e6db08 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 1 Oct 2025 19:37:20 +0000 Subject: [PATCH 04/12] cosign --- Dockerfile | 2 +- repos/linkerd-await | 2 +- repos/linkerd2 | 2 +- repos/linkerd2-proxy | 2 +- repos/linkerd2-proxy-init | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index bf69945..2778d55 100644 --- a/Dockerfile +++ b/Dockerfile 
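Review bot: The `skopeo copy` line in the "Extract tools" step expands `${{ inputs.version }}` directly into the bash script, so the input text is spliced into the script before the shell parses it, and a value containing a quote or `$(...)` would run as code on the runner. Pass it through the step environment instead: add `env:` with `TOOLS_VERSION: ${{ inputs.version }}` to the step and reference `"docker://ghcr.io/linkerd/dev:${TOOLS_VERSION}-tools"`. The step also calls `skopeo`, which the new apt-get line (`jo umoci`) does not install, and `jq` was dropped from that line; both presumably rely on the runner image shipping them, which deserves a comment or an explicit install. The image is resolved by tag only and its `bin` directory is prepended to `PATH`, so accepting a digest-qualified reference here would tighten what later steps end up executing.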
@@ -104,7 +104,7 @@ COPY --link --from=kubectl /usr/local/bin/kubectl /bin/ COPY --link --from=docker.io/smallstep/step-cli:0.28.7 /usr/local/bin/step /bin/ FROM scratch as tools-oci -COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.4.1 /ko-app/cosign /bin/ +COPY --link --from=ghcr.io/sigstore/cosign/cosign:v2.6.0 /ko-app/cosign /bin/ COPY --link --from=ghcr.io/oras-project/oras:v1.3.0 /bin/oras /bin/ COPY --link --from=ghcr.io/anchore/syft:v1.33.0 /syft /bin/ COPY --link --from=ghcr.io/anchore/grype:v0.96.1 /grype /bin/ diff --git a/repos/linkerd-await b/repos/linkerd-await index b84a6ba..acff4d6 160000 --- a/repos/linkerd-await +++ b/repos/linkerd-await @@ -1 +1 @@ -Subproject commit b84a6ba261e7424f70ba3fc9f6fe81948609b970 +Subproject commit acff4d6c3699cd1e5a4cab76c29023f3bc904245 diff --git a/repos/linkerd2 b/repos/linkerd2 index 7fa43d8..4116fb8 160000 --- a/repos/linkerd2 +++ b/repos/linkerd2 @@ -1 +1 @@ -Subproject commit 7fa43d8306678a4c0f900128eaf9ab5743002a09 +Subproject commit 4116fb86dca6af969fdb07f33af6f0e340b62531 diff --git a/repos/linkerd2-proxy b/repos/linkerd2-proxy index 7891abc..08c2cde 160000 --- a/repos/linkerd2-proxy +++ b/repos/linkerd2-proxy @@ -1 +1 @@ -Subproject commit 7891abce163587a7910c8262de3d7983ee3d7714 +Subproject commit 08c2cdec9f904966076374170c31290d5eae349e diff --git a/repos/linkerd2-proxy-init b/repos/linkerd2-proxy-init index fcdfbfa..bcbba3a 160000 --- a/repos/linkerd2-proxy-init +++ b/repos/linkerd2-proxy-init @@ -1 +1 @@ -Subproject commit fcdfbfa621bbb04a94e3c909df4059a12805e6a2 +Subproject commit bcbba3a9e2bb9999c3b932971fb352dd7951b406 From 4ebcb7931ecf373a3c9a4c02a6f2c176797a1735 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 1 Oct 2025 20:33:31 +0000 Subject: [PATCH 05/12] use cargo-auditable --- bin/just-cargo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/just-cargo b/bin/just-cargo index 24f2c3d..c759763 100755 --- a/bin/just-cargo +++ b/bin/just-cargo 
@@ -9,7 +9,7 @@ profile := 'debug' # or 'release' _release := if profile == 'release' { '--release' } else { '' } toolchain := "" -export CARGO := env_var_or_default("CARGO", "cargo" + if toolchain != "" { " +" + toolchain } else { "" }) +export CARGO := env_var_or_default("CARGO", "cargo auditable" + if toolchain != "" { " +" + toolchain } else { "" }) target := '' _target := if target == '' { From e1e5e47c88f1037551ff11b650204d94c6422dac Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 1 Oct 2025 23:55:22 +0000 Subject: [PATCH 06/12] update k3s images --- k3s-images.json | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/k3s-images.json b/k3s-images.json index d648e3b..0f74216 100644 --- a/k3s-images.json +++ b/k3s-images.json @@ -1,8 +1,8 @@ { "name": "docker.io/rancher/k3s", "channels": { - "stable": "v1.32.6-k3s1", - "latest": "v1.33.2-k3s1", + "stable": "v1.33.4-k3s1", + "latest": "v1.34.1-k3s1", "v1.20": "v1.20.15-k3s1", "v1.21": "v1.21.14-k3s1", "v1.22": "v1.22.17-k3s1", @@ -13,10 +13,11 @@ "v1.27": "v1.27.16-k3s1", "v1.28": "v1.28.15-k3s1", "v1.29": "v1.29.15-k3s1", - "v1.30": "v1.30.14-k3s1", - "v1.31": "v1.31.10-k3s1", - "v1.32": "v1.32.6-k3s1", - "v1.33": "v1.33.2-k3s1" + "v1.30": "v1.30.14-k3s2", + "v1.31": "v1.31.13-k3s1", + "v1.32": "v1.32.9-k3s1", + "v1.33": "v1.33.5-k3s1", + "v1.34": "v1.34.1-k3s1" }, "digests": { "v1.20.15-k3s1": "sha256:0e49b63b8ee234e308ff578682f8f4f2f95bffda7ba75077e5da29548cd2a6b3", 
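Review bot: With a non-empty `toolchain`, the new default for `CARGO` expands to `cargo auditable +<toolchain>`, which places the `+toolchain` override after the subcommand; rustup only honours it as the first argument to `cargo`, so the override is likely to be rejected or ignored. Putting it ahead of the subcommand keeps it working: `export CARGO := env_var_or_default("CARGO", "cargo" + (if toolchain != "" { " +" + toolchain } else { "" }) + " auditable")`. Every recipe that uses this variable now goes through cargo-auditable, so a comment above the line saying so, and that the image must provide the `cargo-auditable` binary, would help; the recipes themselves are outside this hunk.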
@@ -29,9 +30,11 @@ "v1.27.16-k3s1": "sha256:b7bca8255da9e25a9fdd95bae61f99f8cd424d90691fc5125621b2955bebdfd2", "v1.28.15-k3s1": "sha256:af4f882a4cfaf418cb03d52c59cd150f42bf2b72f084c4592c6a133f4856660d", "v1.29.15-k3s1": "sha256:8f782bd47a41509e89c1ad1d60b02998cc5b0f1310a36c65aa0f331cde866c80", - "v1.30.14-k3s1": "sha256:cbed71f50f16fc98a7f64c6ecf21fd8fc04efc41ad7d664fb46b199c7bd3fda7", - "v1.31.10-k3s1": "sha256:8c7032ab267c3a571bac4fafffbb54e249386dbc73ebe5532fb390fa998a7936", - "v1.32.6-k3s1": "sha256:4cd4ccd268089f92e4efcc64916b1313ecdd38291a48129508cf47fa32934006", - "v1.33.2-k3s1": "sha256:d8f05b9043d136c3fb01d6cf677caaef304568b8c99bdd359b86d3d7286de1df" + "v1.30.14-k3s2": "sha256:5f02ba89b28861574b1677d91943b57f55f5fe0b451d539f83e650c8925fd9a2", + "v1.31.13-k3s1": "sha256:3f43b78b337265dc1c0540e1f88af18ca4826910353120991a0edfeaa68d1269", + "v1.32.9-k3s1": "sha256:af1f66e58580ea4027eeef9a65ef95cc29554ff96c8eddb4fc1267c71fe15328", + "v1.33.4-k3s1": "sha256:31a85202039b95a75781d537b35e5756ded4b43949f8e1f9f3db8e69d3b73497", + "v1.33.5-k3s1": "sha256:fd4740667b7033055c27d424d0d2d660bf66cedbdb225d68e0eab6dd48aa0fd2", + "v1.34.1-k3s1": "sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c" } } From 33690ba09cedc3f0558ca54d25155385858dda2b Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 1 Oct 2025 23:59:44 +0000 Subject: [PATCH 07/12] +gh --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 2778d55..a633101 100644 --- a/Dockerfile +++ b/Dockerfile @@ -287,6 +287,7 @@ RUN --mount=type=cache,from=apt-base,source=/etc/apt,target=/etc/apt,ro \ cmake \ curl \ file \ + gh \ git \ jo \ jq \ From dc8a9ba938bdf464e2dae8c8ac517db2f59e0192 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Thu, 2 Oct 2025 00:20:40 +0000 Subject: [PATCH 08/12] fix k3d --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a633101..be1f776 100644 --- a/Dockerfile 
+++ b/Dockerfile @@ -86,7 +86,7 @@ RUN url="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" ; # k3d runs kubernetes clusters in docker. FROM apt-base as k3d -COPY --link --from=ghcr.io/k3d-io/k3d-tools:5.8.3 /bin/k3d /usr/local/bin/ +COPY --link --from=ghcr.io/k3d-io/k3d:5.8.3 /bin/k3d /usr/local/bin/ # just-k3d is a utility that encodes many of the common k3d commands we use. COPY --link bin/just-k3d /usr/local/bin/ # `K3S_IMAGES_JSON` configures just-k3d so that it uses a pinned version of k3s. From 4c8dc566b8c409aeca86de792e8e78ff26cff3f0 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Thu, 2 Oct 2025 00:26:04 +0000 Subject: [PATCH 09/12] bump setup versions --- actions/setup-go/action.yml | 2 +- actions/setup-rust/action.yml | 2 +- actions/setup-tools/action.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/actions/setup-go/action.yml b/actions/setup-go/action.yml index 7e344ec..18753ee 100644 --- a/actions/setup-go/action.yml +++ b/actions/setup-go/action.yml @@ -5,7 +5,7 @@ inputs: # TODO(ver): CI should validate at this version matches that in the Dockerfile version: description: Go version - default: 1.24 + default: 1.25 runs: using: composite diff --git a/actions/setup-rust/action.yml b/actions/setup-rust/action.yml index 530cc14..3eeab08 100644 --- a/actions/setup-rust/action.yml +++ b/actions/setup-rust/action.yml @@ -6,7 +6,7 @@ inputs: # TODO(ver): CI should validate at this version matches that in the Dockerfile version: description: Container image version - default: 1.88.0 + default: 1.90.0 components: description: Rust components to install diff --git a/actions/setup-tools/action.yml b/actions/setup-tools/action.yml index df7853b..86b4970 100644 --- a/actions/setup-tools/action.yml +++ b/actions/setup-tools/action.yml 
@@ -5,7 +5,7 @@ inputs: # TODO(ver): CI should validate at this version matches the most recent release tag version: description: Container image version - default: v47 + default: v48 runs: using: composite From 9d85b7ebb404d346b0359abd7233800fecbf0a09 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Thu, 2 Oct 2025 03:45:55 +0000 Subject: [PATCH 10/12] devcontainer bump --- .devcontainer/devcontainer.json | 2 +- repos/linkerd2 | 2 +- repos/linkerd2-proxy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index ba8b48f..94dc706 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "linkerd-dev", - "image": "ghcr.io/linkerd/dev:v46", + "image": "ghcr.io/linkerd/dev:v48", "customizations": { "vscode": { "extensions": [ diff --git a/repos/linkerd2 b/repos/linkerd2 index 4116fb8..c29ffc8 160000 --- a/repos/linkerd2 +++ b/repos/linkerd2 @@ -1 +1 @@ -Subproject commit 4116fb86dca6af969fdb07f33af6f0e340b62531 +Subproject commit c29ffc89e743f05543c79e6397334ad265d64372 diff --git a/repos/linkerd2-proxy b/repos/linkerd2-proxy index 08c2cde..f311441 160000 --- a/repos/linkerd2-proxy +++ b/repos/linkerd2-proxy @@ -1 +1 @@ -Subproject commit 08c2cdec9f904966076374170c31290d5eae349e +Subproject commit f311441b5612cd89aea081d4d59b6d1cb3501212 From 55763ffb7b7f9af4534663528103a63795d46f59 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Fri, 3 Oct 2025 15:53:01 +0000 Subject: [PATCH 11/12] k3s --- k3s-images.json | 3 +-- repos/linkerd2 | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/k3s-images.json b/k3s-images.json index 0f74216..f551680 100644 --- a/k3s-images.json +++ b/k3s-images.json @@ -1,7 +1,7 @@ { "name": "docker.io/rancher/k3s", "channels": { - "stable": "v1.33.4-k3s1", + "stable": "v1.33.5-k3s1", "latest": "v1.34.1-k3s1", "v1.20": "v1.20.15-k3s1", "v1.21": "v1.21.14-k3s1", 
@@ -33,7 +33,6 @@ "v1.30.14-k3s2": "sha256:5f02ba89b28861574b1677d91943b57f55f5fe0b451d539f83e650c8925fd9a2", "v1.31.13-k3s1": "sha256:3f43b78b337265dc1c0540e1f88af18ca4826910353120991a0edfeaa68d1269", "v1.32.9-k3s1": "sha256:af1f66e58580ea4027eeef9a65ef95cc29554ff96c8eddb4fc1267c71fe15328", - "v1.33.4-k3s1": "sha256:31a85202039b95a75781d537b35e5756ded4b43949f8e1f9f3db8e69d3b73497", "v1.33.5-k3s1": "sha256:fd4740667b7033055c27d424d0d2d660bf66cedbdb225d68e0eab6dd48aa0fd2", "v1.34.1-k3s1": "sha256:5e0707cfd1239b358ef73f3254bc3eadc027dd30cd5ec6ca41e29e47652a1b8c" } diff --git a/repos/linkerd2 b/repos/linkerd2 index c29ffc8..f2c3f17 160000 --- a/repos/linkerd2 +++ b/repos/linkerd2 @@ -1 +1 @@ -Subproject commit c29ffc89e743f05543c79e6397334ad265d64372 +Subproject commit f2c3f1740faccad11cd6779be2c2abb94ca46005 From 9da1d050f543ee17c1a4c94e41d5034bb112a4d3 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Fri, 3 Oct 2025 15:55:52 +0000 Subject: [PATCH 12/12] revert submodules --- repos/linkerd-await | 2 +- repos/linkerd2 | 2 +- repos/linkerd2-proxy | 2 +- repos/linkerd2-proxy-init | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/repos/linkerd-await b/repos/linkerd-await index acff4d6..b84a6ba 160000 --- a/repos/linkerd-await +++ b/repos/linkerd-await @@ -1 +1 @@ -Subproject commit acff4d6c3699cd1e5a4cab76c29023f3bc904245 +Subproject commit b84a6ba261e7424f70ba3fc9f6fe81948609b970 diff --git a/repos/linkerd2 b/repos/linkerd2 index f2c3f17..7fa43d8 160000 --- a/repos/linkerd2 +++ b/repos/linkerd2 @@ -1 +1 @@ -Subproject commit f2c3f1740faccad11cd6779be2c2abb94ca46005 +Subproject commit 7fa43d8306678a4c0f900128eaf9ab5743002a09 diff --git a/repos/linkerd2-proxy b/repos/linkerd2-proxy index f311441..7891abc 160000 --- a/repos/linkerd2-proxy +++ b/repos/linkerd2-proxy @@ -1 +1 @@ -Subproject commit f311441b5612cd89aea081d4d59b6d1cb3501212 +Subproject commit 7891abce163587a7910c8262de3d7983ee3d7714 
diff --git a/repos/linkerd2-proxy-init b/repos/linkerd2-proxy-init
index bcbba3a..fcdfbfa 160000
--- a/repos/linkerd2-proxy-init
+++ b/repos/linkerd2-proxy-init
@@ -1 +1 @@
-Subproject commit bcbba3a9e2bb9999c3b932971fb352dd7951b406
+Subproject commit fcdfbfa621bbb04a94e3c909df4059a12805e6a2