DO NOT MERGE: Comment out tests for a reduced CI burden

WIP: workflows: Trigger CI tests with gh cli
- We are hitting limitations where gh can only call actions with 20 workflow jobs, so split out the CI test jobs as separate workflows and call them once the required artifacts are created. - Note: This commit updates the test runs to use the source branch workflows, rather than target branch that we have at the moment, we need to think about this pretty carefully to check there isn't any secuirty concerns here (I think there aren't as we are already vulnerable in this respect) WIP: Run the workflow on the ref, or the `main` version?
2026-03-03 11:23:01 +00:00 · 2025-07-17 14:51:19 +01:00 · 2025-07-17 14:51:19 +01:00 · 2025-07-17 14:51:19 +01:00 · 2025-07-17 12:59:00 +02:00 · 2025-07-17 10:11:58 +01:00
256 changed files with 10676 additions and 10787 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -19,7 +19,6 @@ self-hosted-runner:
    - metrics
    - ppc64le
    - riscv-builder
-    - sev
    - sev-snp
    - s390x
    - s390x-large
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -19,20 +19,23 @@ updates:
    ignore:
    # rust-vmm repos might cause incompatibilities on patch versions, so
    # lets handle them manually for now.
-      - dependency-name: "vhost"
-      - dependency-name: "vhost-user-backend"
+      - dependency-name: "event-manager"
+      - dependency-name: "kvm-bindings"
+      - dependency-name: "kvm-ioctls"
+      - dependency-name: "linux-loader"
+      - dependency-name: "seccompiler"
+      - dependency-name: "vfio-bindings"
+      - dependency-name: "vfio-ioctls"
      - dependency-name: "virtio-bindings"
      - dependency-name: "virtio-queue"
-      - dependency-name: "virtio-vsock"
+      - dependency-name: "vm-fdt"
      - dependency-name: "vm-memory"
+      - dependency-name: "vm-superio"
      - dependency-name: "vmm-sys-util"
    # As we often have up to 8/9 components that need the same versions bumps
    # create groups for common dependencies, so they can all go in a single PR
    # We can extend this as we see more frequent groups
    groups:
-      atty:
-        patterns:
-          - atty
      bit-vec:
        patterns:
          - bit-vec
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -22,7 +22,6 @@ jobs:
    name: WIP Check
    steps:
    - name: WIP Check
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
      with:
        labels: '["do-not-merge", "wip", "rfc"]'
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -25,7 +25,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -35,7 +35,7 @@ jobs:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      SANDBOXER: "shim"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -51,7 +51,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -76,7 +76,7 @@ jobs:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      SANDBOXER: "podsandbox"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -91,7 +91,7 @@ jobs:
        run: bash tests/stability/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -118,7 +118,7 @@ jobs:
      GOPATH: ${{ github.workspace }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -134,7 +134,7 @@ jobs:
        run: bash tests/integration/nydus/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -153,7 +153,7 @@ jobs:
    env:
      CONTAINERD_VERSION: lts
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -169,7 +169,7 @@ jobs:
        run: bash tests/integration/runk/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -195,7 +195,7 @@ jobs:
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -211,7 +211,7 @@ jobs:
        run: bash tests/functional/tracing/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -239,7 +239,7 @@ jobs:
      GOPATH: ${{ github.workspace }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -255,7 +255,7 @@ jobs:
        run: bash tests/functional/vfio/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -280,7 +280,7 @@ jobs:
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -296,7 +296,7 @@ jobs:
        run: bash tests/integration/docker/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -324,7 +324,7 @@ jobs:
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -342,7 +342,7 @@ jobs:
        run: bash tests/integration/nerdctl/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -360,7 +360,7 @@ jobs:
        continue-on-error: true

      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: nerdctl-tests-garm-${{ matrix.vmm }}
          path: /tmp/artifacts
@@ -369,7 +369,7 @@ jobs:
  run-kata-agent-apis:
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -385,7 +385,7 @@ jobs:
        run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -35,7 +35,7 @@ jobs:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      SANDBOXER: "shim"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -51,7 +51,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -76,7 +76,7 @@ jobs:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
      SANDBOXER: "podsandbox"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -92,7 +92,7 @@ jobs:
        run: bash tests/stability/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -116,7 +116,7 @@ jobs:
    env:
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -132,7 +132,7 @@ jobs:
        run: bash tests/integration/docker/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
          path: kata-artifacts
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -72,7 +72,7 @@ jobs:
          sudo rm -f /tmp/kata_hybrid*  # Sometime we got leftover from test_setup_hvsock_failed()

      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -70,7 +70,7 @@ jobs:
          sudo rm -f /tmp/kata_hybrid*  # Sometime we got leftover from test_setup_hvsock_failed()

      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -80,7 +80,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -130,7 +130,7 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -138,7 +138,7 @@ jobs:
          push-to-registry: true

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -147,7 +147,7 @@ jobs:

      - name: store-extratarballs-artifact ${{ matrix.asset }}
        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
@@ -168,8 +168,8 @@ jobs:
          - rootfs-image-mariner
          - rootfs-initrd
          - rootfs-initrd-confidential
-          - rootfs-nvidia-gpu-initrd
-          - rootfs-nvidia-gpu-confidential-initrd
+          - rootfs-initrd-nvidia-gpu
+          - rootfs-initrd-nvidia-gpu-confidential
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -179,7 +179,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -192,7 +192,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -217,7 +217,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -270,7 +270,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -283,7 +283,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -309,7 +309,7 @@ jobs:
          MEASURED_ROOTFS: yes

      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
@@ -323,10 +323,11 @@ jobs:
      contents: read
      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
+          fetch-tags: true
          persist-credentials: false
      - name: Rebase atop of the latest target branch
        run: |
@@ -334,7 +335,7 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}
      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -343,7 +344,7 @@ jobs:
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
      - name: store-artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -61,7 +61,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -110,7 +110,7 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -118,7 +118,7 @@ jobs:
          push-to-registry: true

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -127,7 +127,7 @@ jobs:

      - name: store-extratarballs-artifact ${{ matrix.asset }}
        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.xz
@@ -145,7 +145,7 @@ jobs:
        asset:
          - rootfs-image
          - rootfs-initrd
-          - rootfs-nvidia-gpu-initrd
+          - rootfs-initrd-nvidia-gpu
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@@ -155,7 +155,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -168,7 +168,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -192,7 +192,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -242,7 +242,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -255,7 +255,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -279,7 +279,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
@@ -293,10 +293,11 @@ jobs:
      contents: read
      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
+          fetch-tags: true
          persist-credentials: false
      - name: Rebase atop of the latest target branch
        run: |
@@ -304,7 +305,7 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}
      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -313,7 +314,7 @@ jobs:
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
      - name: store-artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -51,7 +51,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -80,7 +80,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -108,7 +108,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -121,7 +121,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -145,7 +145,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -181,7 +181,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -194,7 +194,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -218,7 +218,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
@@ -236,10 +236,11 @@ jobs:
        run: |
          sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
+          fetch-tags: true
          persist-credentials: false
      - name: Rebase atop of the latest target branch
        run: |
@@ -247,7 +248,7 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}
      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -256,7 +257,7 @@ jobs:
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
      - name: store-artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -49,7 +49,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -78,7 +78,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -59,7 +59,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -104,7 +104,7 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: actions/attest-build-provenance@v1
+      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
        with:
          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
@@ -112,7 +112,7 @@ jobs:
          push-to-registry: true

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -141,7 +141,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -154,7 +154,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -179,7 +179,7 @@ jobs:
          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}

      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
@@ -193,7 +193,7 @@ jobs:
      contents: read
      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Rebase atop of the latest target branch
@@ -203,7 +203,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -227,7 +227,7 @@ jobs:
          HKD_PATH: "host-key-document"

      - name: store-artifact boot-image-se
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-boot-image-se.tar.xz
@@ -265,7 +265,7 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0 # This is needed in order to keep the commit ids history
@@ -278,7 +278,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -304,7 +304,7 @@ jobs:
          MEASURED_ROOTFS: no

      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
          path: kata-build/kata-static-shim-v2.tar.xz
@@ -322,10 +322,11 @@ jobs:
      contents: read
      packages: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
+          fetch-tags: true
          persist-credentials: false
      - name: Rebase atop of the latest target branch
        run: |
@@ -333,7 +334,7 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}
      - name: get-artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -342,7 +343,7 @@ jobs:
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
      - name: store-artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
          path: kata-static.tar.xz
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -20,16 +20,13 @@ jobs:

    steps:
      - name: Checkout Code
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Generate Action
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
        run: bash cargo-deny-generator.sh
        working-directory: ./.github/cargo-deny-composite-action/
        env:
          GOPATH: ${{ github.workspace }}/kata-containers
      - name: Run Action
-        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
        uses: ./.github/cargo-deny-composite-action
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -1,7 +1,8 @@
 name: Kata Containers CoCo Stability Tests Weekly
 on:
-  schedule:
-    - cron: '0 0 * * 0'
+  # Note: This workload is not currently maintained, so skipping it's scheduled runs
+  # schedule:
+  #   - cron: '0 0 * * 0'
  workflow_dispatch:

 concurrency:
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -8,10 +8,11 @@ permissions:
 jobs:
  kata-containers-ci-on-push:
    permissions:
-      contents: read
-      packages: write
-      id-token: write
+      actions: write
      attestations: write
+      contents: read
+      id-token: write
+      packages: write
    uses: ./.github/workflows/ci.yaml
    with:
      commit-hash: ${{ github.sha }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -13,10 +13,11 @@ permissions:
 jobs:
  kata-containers-ci-on-push:
    permissions:
-      contents: read
-      packages: write
-      id-token: write
+      actions: write
      attestations: write
+      contents: read
+      id-token: write
+      packages: write
    uses: ./.github/workflows/ci.yaml
    with:
      commit-hash: ${{ github.sha }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -16,7 +16,6 @@ on:

 permissions:
  contents: read
-  id-token: write

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -34,10 +33,11 @@ jobs:
    needs: skipper
    if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
    permissions:
-      contents: read
-      packages: write
-      id-token: write
+      actions: write
      attestations: write
+      contents: read
+      id-token: write
+      packages: write
    uses: ./.github/workflows/ci.yaml
    with:
      commit-hash: ${{ github.event.pull_request.head.sha }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -69,7 +69,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -71,112 +71,112 @@ jobs:
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  build-kata-static-tarball-arm64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
+  # build-kata-static-tarball-arm64:
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #     id-token: write
+  #     attestations: write
+  #   uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}

-  publish-kata-deploy-payload-arm64:
-    needs: build-kata-static-tarball-arm64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04-arm
-      arch: arm64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # publish-kata-deploy-payload-arm64:
+  #   needs: build-kata-static-tarball-arm64
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #   uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-arm64
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: ubuntu-22.04-arm
+  #     arch: arm64
+  #   secrets:
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  build-kata-static-tarball-s390x:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # build-kata-static-tarball-s390x:
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #     id-token: write
+  #     attestations: write
+  #   uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #   secrets:
+  #     CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  build-kata-static-tarball-ppc64le:
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # build-kata-static-tarball-ppc64le:
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #   uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #   secrets:
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  build-kata-static-tarball-riscv64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # build-kata-static-tarball-riscv64:
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #     id-token: write
+  #     attestations: write
+  #   uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #   secrets:
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  publish-kata-deploy-payload-s390x:
-    needs: build-kata-static-tarball-s390x
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: s390x
-      arch: s390x
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # publish-kata-deploy-payload-s390x:
+  #   needs: build-kata-static-tarball-s390x
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #   uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-s390x
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: s390x
+  #     arch: s390x
+  #   secrets:
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-  publish-kata-deploy-payload-ppc64le:
-    needs: build-kata-static-tarball-ppc64le
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
-      arch: ppc64le
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+  # publish-kata-deploy-payload-ppc64le:
+  #   needs: build-kata-static-tarball-ppc64le
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #   uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-ppc64le
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: ppc64le
+  #     arch: ppc64le
+  #   secrets:
+  #     QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

  build-and-publish-tee-confidential-unencrypted-image:
    permissions:
@@ -185,7 +185,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -227,7 +227,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -240,7 +240,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64-${{ inputs.tag }}
          path: kata-artifacts
@@ -275,29 +275,61 @@ jobs:

  run-kata-monitor-tests:
    if: ${{ inputs.skip-test != 'yes' }}
+    runs-on: ubuntu-22.04
    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/run-kata-monitor-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write # Permission to trigger the gh workflows
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Trigger kata monitor tests
+        run: |
+          ./tests/gha-helper.sh trigger-and-check-workflow \
+            run-kata-monitor-tests.yaml \
+            ${{ github.ref }} \
+            ${{ github.sha }} \
+            '{
+              "artifact-run-id":"${{ github.run_id }}",
+              "tarball-suffix":"-${{ inputs.tag }}",
+              "commit-hash":"${{ inputs.commit-hash }}",
+              "target-branch":"${{ inputs.target-branch }}"
+            }'

  run-k8s-tests-on-aks:
    if: ${{ inputs.skip-test != 'yes' }}
+    runs-on: ubuntu-22.04
    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write # Permission to trigger the gh workflows
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Trigger run-k8s-tests-on-aks workflow
+        run: |
+          ./tests/gha-helper.sh trigger-and-check-workflow \
+            run-k8s-tests-on-aks.yaml \
+            ${{ github.ref }} \
+            ${{ github.sha }} \
+            '{
+              "artifact-run-id":"${{ github.run_id }}",
+              "tarball-suffix":"-${{ inputs.tag }}",
+              "registry":"ghcr.io",
+              "repo":"${{ github.repository_owner }}/kata-deploy-ci",
+              "tag":"${{ inputs.tag }}-amd64",
+              "commit-hash":"${{ inputs.commit-hash }}",
+              "pr-number":"${{ inputs.pr-number }}",
+              "target-branch":"${{ inputs.target-branch }}"
+            }'

  run-k8s-tests-on-amd64:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -311,194 +343,206 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}

-  run-k8s-tests-on-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-arm64
-    uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-k8s-tests-on-arm64:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: publish-kata-deploy-payload-arm64
+  #   uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
+  #   with:
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-arm64
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     pr-number: ${{ inputs.pr-number }}
+  #     target-branch: ${{ inputs.target-branch }}

  run-kata-coco-tests:
    if: ${{ inputs.skip-test != 'yes' }}
+    runs-on: ubuntu-22.04
    needs:
-     - publish-kata-deploy-payload-amd64
-     - build-and-publish-tee-confidential-unencrypted-image
-     - publish-csi-driver-amd64
-    uses: ./.github/workflows/run-kata-coco-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
+    - publish-kata-deploy-payload-amd64
+    - build-and-publish-tee-confidential-unencrypted-image
+    - publish-csi-driver-amd64
+    env:
+      GH_TOKEN: ${{ github.token }}
+    permissions:
+      actions: write # Permission to trigger the gh workflows
+    steps:
+      - name: Checkout the code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Trigger kata-coco-tests for amd64 arch
+        run: |
+          ./tests/gha-helper.sh trigger-and-check-workflow \
+            run-kata-coco-tests.yaml \
+            ${{ github.ref }} \
+            ${{ github.sha }} \
+            '{
+              "artifact-run-id":"${{ github.run_id }}",
+              "tarball-suffix":"-${{ inputs.tag }}",
+              "registry":"ghcr.io",
+              "repo":"${{ github.repository_owner }}/kata-deploy-ci",
+              "tag":"${{ inputs.tag }}-amd64",
+              "commit-hash":"${{ inputs.commit-hash }}",
+              "pr-number":"${{ inputs.pr-number }}",
+              "target-branch":"${{ inputs.target-branch }}"
+            }'

-  run-k8s-tests-on-zvsi:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
-    uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+  # run-k8s-tests-on-zvsi:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
+  #   uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
+  #   with:
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-s390x
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     pr-number: ${{ inputs.pr-number }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #   secrets:
+  #     AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

-  run-k8s-tests-on-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-ppc64le
-    uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-k8s-tests-on-ppc64le:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: publish-kata-deploy-payload-ppc64le
+  #   uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
+  #   with:
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-ppc64le
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     pr-number: ${{ inputs.pr-number }}
+  #     target-branch: ${{ inputs.target-branch }}

-  run-kata-deploy-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-amd64]
-    uses: ./.github/workflows/run-kata-deploy-tests.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-kata-deploy-tests:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: [publish-kata-deploy-payload-amd64]
+  #   uses: ./.github/workflows/run-kata-deploy-tests.yaml
+  #   with:
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-amd64
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     pr-number: ${{ inputs.pr-number }}
+  #     target-branch: ${{ inputs.target-branch }}

-  run-metrics-tests:
-    # Skip metrics tests whilst runner is broken
-    if: false
-    # if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/run-metrics.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-metrics-tests:
+  #   # Skip metrics tests whilst runner is broken
+  #   if: false
+  #   # if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-amd64
+  #   uses: ./.github/workflows/run-metrics.yaml
+  #   with:
+  #     registry: ghcr.io
+  #     repo: ${{ github.repository_owner }}/kata-deploy-ci
+  #     tag: ${{ inputs.tag }}-amd64
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     pr-number: ${{ inputs.pr-number }}
+  #     target-branch: ${{ inputs.target-branch }}

-  run-basic-amd64-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/basic-ci-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-basic-amd64-tests:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-amd64
+  #   uses: ./.github/workflows/basic-ci-amd64.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}

-  run-basic-s390x-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    uses: ./.github/workflows/basic-ci-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
+  # run-basic-s390x-tests:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-s390x
+  #   uses: ./.github/workflows/basic-ci-s390x.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}

-  run-cri-containerd-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: lts,    vmm: clh              },
-          { containerd_version: lts,    vmm: dragonball       },
-          { containerd_version: lts,    vmm: qemu             },
-          { containerd_version: lts,    vmm: stratovirt       },
-          { containerd_version: lts,    vmm: cloud-hypervisor },
-          { containerd_version: lts,    vmm: qemu-runtime-rs  },
-          { containerd_version: active, vmm: clh              },
-          { containerd_version: active, vmm: dragonball       },
-          { containerd_version: active, vmm: qemu             },
-          { containerd_version: active, vmm: stratovirt       },
-          { containerd_version: active, vmm: cloud-hypervisor },
-          { containerd_version: active, vmm: qemu-runtime-rs  },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
+  # run-cri-containerd-amd64:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-amd64
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       params: [
+  #         { containerd_version: lts,    vmm: clh              },
+  #         { containerd_version: lts,    vmm: dragonball       },
+  #         { containerd_version: lts,    vmm: qemu             },
+  #         { containerd_version: lts,    vmm: stratovirt       },
+  #         { containerd_version: lts,    vmm: cloud-hypervisor },
+  #         { containerd_version: lts,    vmm: qemu-runtime-rs  },
+  #         { containerd_version: active, vmm: clh              },
+  #         { containerd_version: active, vmm: dragonball       },
+  #         { containerd_version: active, vmm: qemu             },
+  #         { containerd_version: active, vmm: stratovirt       },
+  #         { containerd_version: active, vmm: cloud-hypervisor },
+  #         { containerd_version: active, vmm: qemu-runtime-rs  },
+  #        ]
+  #   uses: ./.github/workflows/run-cri-containerd-tests.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: ubuntu-22.04
+  #     arch: amd64
+  #     containerd_version: ${{ matrix.params.containerd_version }}
+  #     vmm: ${{ matrix.params.vmm }}

-  run-cri-containerd-s390x:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu            },
-          { containerd_version: active, vmm: qemu-runtime-rs },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: s390x-large
-      arch: s390x
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
+  # run-cri-containerd-s390x:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-s390x
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       params: [
+  #         { containerd_version: active, vmm: qemu            },
+  #         { containerd_version: active, vmm: qemu-runtime-rs },
+  #        ]
+  #   uses: ./.github/workflows/run-cri-containerd-tests.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: s390x-large
+  #     arch: s390x
+  #     containerd_version: ${{ matrix.params.containerd_version }}
+  #     vmm: ${{ matrix.params.vmm }}

-  run-cri-containerd-tests-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-ppc64le
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
-      arch: ppc64le
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
+  # run-cri-containerd-tests-ppc64le:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-ppc64le
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       params: [
+  #         { containerd_version: active, vmm: qemu },
+  #        ]
+  #   uses: ./.github/workflows/run-cri-containerd-tests.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: ppc64le
+  #     arch: ppc64le
+  #     containerd_version: ${{ matrix.params.containerd_version }}
+  #     vmm: ${{ matrix.params.vmm }}

-  run-cri-containerd-tests-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: arm64-non-k8s
-      arch: arm64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
+  # run-cri-containerd-tests-arm64:
+  #   if: ${{ inputs.skip-test != 'yes' }}
+  #   needs: build-kata-static-tarball-arm64
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       params: [
+  #         { containerd_version: active, vmm: qemu },
+  #        ]
+  #   uses: ./.github/workflows/run-cri-containerd-tests.yaml
+  #   with:
+  #     tarball-suffix: -${{ inputs.tag }}
+  #     commit-hash: ${{ inputs.commit-hash }}
+  #     target-branch: ${{ inputs.target-branch }}
+  #     runner: arm64-non-k8s
+  #     arch: arm64
+  #     containerd_version: ${{ matrix.params.containerd_version }}
+  #     vmm: ${{ matrix.params.vmm }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-22.04
    environment: ci
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -60,7 +60,7 @@ jobs:
        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
    steps:
    - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false

--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -27,7 +27,6 @@ jobs:
    name: Commit Message Check
    steps:
    - name: Get PR Commits
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      id: 'get-pr-commits'
      uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
      with:
@@ -43,19 +42,18 @@ jobs:
        filter_out_pattern: '^Revert "|^Reapply "'

    - name: DCO Check
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Commit Body Missing Check
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      if: ${{ success() || failure() }}
      uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Check Subject Line Length
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -64,7 +62,7 @@ jobs:
        post_error: ${{ env.error_msg }}

    - name: Check Body Line Length
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
@@ -95,7 +93,7 @@ jobs:
        post_error: ${{ env.error_msg }}

    - name: Check Subsystem
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -19,11 +19,11 @@ jobs:
    runs-on: macos-latest
    steps:
    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
        go-version: 1.23.10
    - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false
    - name: Build utils
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -15,7 +15,7 @@ jobs:
      target_branch: ${{ github.base_ref }}
    steps:
    - name: Install Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
        go-version: 1.23.10
      env:
@@ -25,7 +25,7 @@ jobs:
        echo "GOPATH=${{ github.workspace }}" >> "$GITHUB_ENV"
        echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        fetch-depth: 0
        persist-credentials: false
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -42,7 +42,7 @@ jobs:
      skip_test: ${{ steps.skipper.outputs.skip_test }}
      skip_static: ${{ steps.skipper.outputs.skip_static }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -28,7 +28,7 @@ jobs:
      issues: read
      pull-requests: read
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
    - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false
    - name: Ensure the split out runtime classes match the all-in-one file
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -143,7 +143,7 @@ jobs:
    needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -44,7 +44,7 @@ jobs:
      packages: write
    runs-on: ${{ inputs.runner }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball for ${{ inputs.arch }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}

@@ -79,7 +79,12 @@ jobs:

      - name: build-and-push-kata-payload for ${{ inputs.arch }}
        id: build-and-push-kata-payload
+        env:
+          REGISTRY: ${{ inputs.registry }}
+          REPO: ${{ inputs.repo }}
+          TAG: ${{ inputs.tag }}
        run: |
          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          "$(pwd)"/kata-static.tar.xz \
-          ${{ inputs.registry }}/${{ inputs.repo }} ${{ inputs.tag }}
+          "$(pwd)/kata-static.tar.xz" \
+          "${REGISTRY}/${REPO}" \
+          "${TAG}"
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -47,16 +47,18 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64

      - name: build-and-push-kata-deploy-ci-amd64
        id: build-and-push-kata-deploy-ci-amd64
+        env:
+          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # We need to do such trick here as the format of the $GITHUB_REF
          # is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -47,16 +47,18 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-arm64

      - name: build-and-push-kata-deploy-ci-arm64
        id: build-and-push-kata-deploy-ci-arm64
+        env:
+          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # We need to do such trick here as the format of the $GITHUB_REF
          # is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -47,16 +47,18 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-ppc64le

      - name: build-and-push-kata-deploy-ci-ppc64le
        id: build-and-push-kata-deploy-ci-ppc64le
+        env:
+          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # We need to do such trick here as the format of the $GITHUB_REF
          # is "refs/tags/<tag>"
@@ -70,8 +72,8 @@ jobs:
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -51,16 +51,18 @@ jobs:
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-s390x

      - name: build-and-push-kata-deploy-ci-s390x
        id: build-and-push-kata-deploy-ci-s390x
+        env:
+          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # We need to do such trick here as the format of the $GITHUB_REF
          # is "refs/tags/<tag>"
@@ -74,8 +76,8 @@ jobs:
          for tag in "${tags[@]}"; do
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
                  "$(pwd)"/kata-static.tar.xz "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${{ inputs.target-arch }}"
+                  "${tag}-${TARGET_ARCH}"
          done
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ jobs:
      contents: write # needed for the `gh release create` command
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -84,7 +84,7 @@ jobs:
      packages: write # needed to push the multi-arch manifest to ghcr.io
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -120,7 +120,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -130,7 +130,7 @@ jobs:
          echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"

      - name: Download amd64 artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64

@@ -142,7 +142,7 @@ jobs:
          ARCHITECTURE: amd64

      - name: Download arm64 artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-arm64

@@ -154,7 +154,7 @@ jobs:
          ARCHITECTURE: arm64

      - name: Download s390x artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-s390x

@@ -166,7 +166,7 @@ jobs:
          ARCHITECTURE: s390x

      - name: Download ppc64le artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-ppc64le

@@ -184,7 +184,7 @@ jobs:
      contents: write # needed for the `gh release` commands
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -201,7 +201,7 @@ jobs:
      contents: write # needed for the `gh release` commands
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -218,7 +218,7 @@ jobs:
      contents: write # needed for the `gh release` commands
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -236,7 +236,7 @@ jobs:
      packages: write # needed to push the helm chart to ghcr.io
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

@@ -251,9 +251,12 @@ jobs:
          GH_TOKEN: ${{ github.token }}

      - name: Login to the OCI registries
+        env:
+          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          GITHUB_ACTOR: ${{ github.actor }}
        run: |
-          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${{ vars.QUAY_DEPLOYER_USERNAME }}" --password-stdin
-          echo "${{ github.token }}" | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
+          echo "${{ secrets.QUAY_DEPLOYER_PASSWORD }}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
+          echo "${{ github.token }}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin

      - name: Push helm chart to the OCI registries
        run: |
@@ -268,7 +271,7 @@ jobs:
      contents: write # needed for the `gh release` commands
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -44,7 +44,7 @@ jobs:
      GOPATH: ${{ github.workspace }}
      KATA_HYPERVISOR: ${{ inputs.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -61,7 +61,7 @@ jobs:
        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies

      - name: get-kata-tarball for ${{ inputs.arch }}
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
          path: kata-artifacts
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -2,6 +2,11 @@ name: CI | Run kubernetes tests on AKS
 on:
  workflow_call:
    inputs:
+      artifact-run-id:
+        description: "The run id where the artifact was uploaded"
+        required: false
+        type: string
+        default: ${{ github.run_id }}
      tarball-suffix:
        required: false
        type: string
@@ -32,6 +37,41 @@ on:
       required: true
      AZ_SUBSCRIPTION_ID:
        required: true
+  workflow_dispatch:
+    inputs:
+      artifact-run-id:
+        description: "The workflow run id where the artifact was uploaded"
+        required: true
+        type: string
+      tarball-suffix:
+        description: "The suffix of the kata tarball to use"
+        required: false
+        type: string
+      registry:
+        description: "The oci container registry to install kata-deploy from"
+        required: true
+        type: string
+      repo:
+        description: "The oci container repository/image to install kata-deploy from"
+        required: true
+        type: string
+      tag:
+        description: "The oci container image tag to install kata-deploy using"
+        required: true
+        type: string
+      pr-number:
+        description: "Identifier used to distinguish between PRs/dev/nightly tests"
+        required: true
+        type: string
+      commit-hash:
+        description: "The code to checkout for testing"
+        required: false
+        type: string
+      target-branch:
+        description: "The target branch to rebase on and ensure the tests are up-to-date"
+        required: false
+        type: string
+        default: ""


 permissions:
@@ -85,7 +125,7 @@ jobs:
      GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
      AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -98,16 +138,21 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+          run-id: ${{ inputs.artifact-run-id }}
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository}}
          path: kata-artifacts

      - name: Install kata
        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts

      - name: Download Azure CLI
-        run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'

      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
@@ -129,7 +174,9 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

      - name: Install `kubectl`
-        run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'

      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -61,7 +61,7 @@ jobs:
      K8S_TEST_HOST_TYPE: all
      CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -79,6 +79,8 @@ jobs:

      - name: Deploy ${{ matrix.k8s }}
        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
+        env:
+          CONTAINER_RUNTIME: ${{ matrix.container_runtime }}

      - name: Configure the ${{ matrix.snapshotter }} snapshotter
        if: matrix.snapshotter != ''
@@ -101,7 +103,7 @@ jobs:
        continue-on-error: true

      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
          path: /tmp/artifacts
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -46,7 +46,7 @@ jobs:
      K8S_TEST_HOST_TYPE: all
      TARGET_ARCH: "aarch64"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -75,7 +75,7 @@ jobs:
        continue-on-error: true

      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
          path: /tmp/artifacts
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -46,7 +46,7 @@ jobs:
      USING_NFD: "false"
      TARGET_ARCH: "ppc64le"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -81,7 +81,7 @@ jobs:
      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -70,7 +70,7 @@ jobs:
      SNAPSHOTTER: ${{ matrix.snapshotter }}
      USING_NFD: "false"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -83,7 +83,7 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
@@ -114,7 +114,9 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

      - name: Install `kubectl`
-        run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'

      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -2,6 +2,11 @@ name: CI | Run kata coco tests
 on:
  workflow_call:
    inputs:
+      artifact-run-id:
+        description: "The run id where the artifact was uploaded"
+        required: false
+        type: string
+        default: ${{ github.run_id }}
      tarball-suffix:
        required: false
        type: string
@@ -35,182 +40,216 @@ on:
        required: true
      ITA_KEY:
        required: true
+  workflow_dispatch:
+    inputs:
+      artifact-run-id:
+        description: "The workflow run id where the artifact was uploaded"
+        required: true
+        type: string
+      tarball-suffix:
+        description: "The suffix of the kata tarball to use"
+        required: false
+        type: string
+      registry:
+        description: "The oci container registry to install kata-deploy from"
+        required: true
+        type: string
+      repo:
+        description: "The oci container repository/image to install kata-deploy from"
+        required: true
+        type: string
+      tag:
+        description: "The oci container image tag to install kata-deploy using"
+        required: true
+        type: string
+      pr-number:
+        description: "Identifier used to distinguish between PRs/dev/nightly tests"
+        required: true
+        type: string
+      commit-hash:
+        description: "The code to checkout for testing"
+        required: false
+        type: string
+      target-branch:
+        description: "The target branch to rebase on and ensure the tests are up-to-date"
+        required: false
+        type: string
+        default: ""

 permissions:
  contents: read
  id-token: write

 jobs:
-  run-k8s-tests-on-tdx:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-tdx
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: tdx
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: "vanilla"
-      USING_NFD: "true"
-      KBS: "true"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      KBS_INGRESS: "nodeport"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
+  # run-k8s-tests-on-tdx:
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       vmm:
+  #         - qemu-tdx
+  #       snapshotter:
+  #         - nydus
+  #       pull-type:
+  #         - guest-pull
+  #   runs-on: tdx
+  #   env:
+  #     DOCKER_REGISTRY: ${{ inputs.registry }}
+  #     DOCKER_REPO: ${{ inputs.repo }}
+  #     DOCKER_TAG: ${{ inputs.tag }}
+  #     GH_PR_NUMBER: ${{ inputs.pr-number }}
+  #     KATA_HYPERVISOR: ${{ matrix.vmm }}
+  #     KUBERNETES: "vanilla"
+  #     USING_NFD: "true"
+  #     KBS: "true"
+  #     K8S_TEST_HOST_TYPE: "baremetal"
+  #     KBS_INGRESS: "nodeport"
+  #     SNAPSHOTTER: ${{ matrix.snapshotter }}
+  #     PULL_TYPE: ${{ matrix.pull-type }}
+  #     AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+  #     AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+  #     ITA_KEY: ${{ secrets.ITA_KEY }}
+  #     AUTO_GENERATE_POLICY: "yes"
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #       with:
+  #         ref: ${{ inputs.commit-hash }}
+  #         fetch-depth: 0
+  #         persist-credentials: false

-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
+  #     - name: Rebase atop of the latest target branch
+  #       run: |
+  #         ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+  #       env:
+  #         TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
+  #     - name: Deploy Snapshotter
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter

-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx
+  #     - name: Deploy Kata
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx

-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+  #     - name: Uninstall previous `kbs-client`
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client

-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+  #     - name: Deploy CoCo KBS
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs

-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+  #     - name: Install `kbs-client`
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+  #     - name: Deploy CSI driver
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver

-      - name: Run tests
-        timeout-minutes: 100
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+  #     - name: Run tests
+  #       timeout-minutes: 100
+  #       run: bash tests/integration/kubernetes/gha-run.sh run-tests

-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx
+  #     - name: Delete kata-deploy
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx

-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+  #     - name: Delete Snapshotter
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter

-      - name: Delete CoCo KBS
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+  #     - name: Delete CoCo KBS
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+  #     - name: Delete CSI driver
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver

-  # AMD has deprecated SEV support on Kata and henceforth SNP will be the only feature supported for Kata Containers.
-  run-k8s-tests-sev-snp:
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-snp
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: sev-snp
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBECONFIG: /home/kata/.kube/config
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      KBS: "true"
-      KBS_INGRESS: "nodeport"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
+  # run-k8s-tests-sev-snp:
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       vmm:
+  #         - qemu-snp
+  #       snapshotter:
+  #         - nydus
+  #       pull-type:
+  #         - guest-pull
+  #   runs-on: sev-snp
+  #   env:
+  #     DOCKER_REGISTRY: ${{ inputs.registry }}
+  #     DOCKER_REPO: ${{ inputs.repo }}
+  #     DOCKER_TAG: ${{ inputs.tag }}
+  #     GH_PR_NUMBER: ${{ inputs.pr-number }}
+  #     KATA_HYPERVISOR: ${{ matrix.vmm }}
+  #     KUBECONFIG: /home/kata/.kube/config
+  #     KUBERNETES: "vanilla"
+  #     USING_NFD: "false"
+  #     KBS: "true"
+  #     KBS_INGRESS: "nodeport"
+  #     K8S_TEST_HOST_TYPE: "baremetal"
+  #     SNAPSHOTTER: ${{ matrix.snapshotter }}
+  #     PULL_TYPE: ${{ matrix.pull-type }}
+  #     AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+  #     AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+  #     AUTO_GENERATE_POLICY: "yes"
+  #   steps:
+  #     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+  #       with:
+  #         ref: ${{ inputs.commit-hash }}
+  #         fetch-depth: 0
+  #         persist-credentials: false

-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
+  #     - name: Rebase atop of the latest target branch
+  #       run: |
+  #         ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+  #       env:
+  #         TARGET_BRANCH: ${{ inputs.target-branch }}

-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
+  #     - name: Deploy Snapshotter
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter

-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp
+  #     - name: Deploy Kata
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp

-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+  #     - name: Uninstall previous `kbs-client`
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client

-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+  #     - name: Deploy CoCo KBS
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs

-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+  #     - name: Install `kbs-client`
+  #       timeout-minutes: 10
+  #       run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client

-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+  #     - name: Deploy CSI driver
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver

-      - name: Run tests
-        timeout-minutes: 50
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+  #     - name: Run tests
+  #       timeout-minutes: 50
+  #       run: bash tests/integration/kubernetes/gha-run.sh run-tests

-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp
+  #     - name: Delete kata-deploy
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp

-      - name: Delete Snapshotter
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter
+  #     - name: Delete Snapshotter
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter

-      - name: Delete CoCo KBS
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+  #     - name: Delete CoCo KBS
+  #       if: always()
+  #       run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs

-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+  #     - name: Delete CSI driver
+  #       timeout-minutes: 5
+  #       run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver

  # Generate jobs for testing CoCo on non-TEE environments
  run-k8s-tests-coco-nontee:
@@ -248,7 +287,7 @@ jobs:
      USING_NFD: "false"
      AUTO_GENERATE_POLICY: "yes"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -261,9 +300,12 @@ jobs:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+          run-id: ${{ inputs.artifact-run-id }}
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository}}
          path: kata-artifacts

      - name: Install kata
@@ -292,7 +334,9 @@ jobs:
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

      - name: Install `kubectl`
-        run: bash tests/integration/kubernetes/gha-run.sh install-kubectl
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'

      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -60,7 +60,7 @@ jobs:
      KUBERNETES: "vanilla"
      USING_NFD: "false"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -95,7 +95,9 @@ jobs:
        run: bash tests/functional/kata-deploy/gha-run.sh install-bats

      - name: Install `kubectl`
-        run: bash tests/functional/kata-deploy/gha-run.sh install-kubectl
+        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
+        with:
+          version: 'latest'

      - name: Download credentials for the Kubernetes CLI to use them
        run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -47,7 +47,7 @@ jobs:
      KUBERNETES: ${{ matrix.k8s }}
      USING_NFD: "false"
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -2,6 +2,11 @@ name: CI | Run kata-monitor tests
 on:
  workflow_call:
    inputs:
+      artifact-run-id:
+        description: "The run id where the artifact was uploaded"
+        required: false
+        type: string
+        default: ${{ github.run_id }}
      tarball-suffix:
        required: false
        type: string
@@ -12,6 +17,25 @@ on:
        required: false
        type: string
        default: ""
+  workflow_dispatch:
+    inputs:
+      artifact-run-id:
+        description: "The workflow run id where the artifact was uploaded"
+        required: true
+        type: string
+      tarball-suffix:
+        description: "Identifier used to distinguish between PRs/dev/nightly tests"
+        required: false
+        type: string
+      commit-hash:
+        description: "The code to checkout for testing"
+        required: false
+        type: string
+      target-branch:
+        description: "The target branch to rebase on and ensure the tests are up-to-date"
+        required: false
+        type: string
+        default: ""

 permissions:
  contents: read
@@ -40,7 +64,7 @@ jobs:
      #CONTAINERD_VERSION: ${{ matrix.containerd_version }}
      KATA_HYPERVISOR: ${{ matrix.vmm }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -56,9 +80,12 @@ jobs:
        run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
+          run-id: ${{ inputs.artifact-run-id }}
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository}}
          path: kata-artifacts

      - name: Install kata
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -47,7 +47,7 @@ jobs:
      USING_NFD: "false"
      KUBERNETES: kubeadm
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -116,7 +116,7 @@ jobs:
        run: bash tests/metrics/gha-run.sh make-tarball-results

      - name: archive metrics results ${{ matrix.vmm }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: metrics-artifacts-${{ matrix.vmm }}
          path: results-${{ matrix.vmm }}.tar.gz
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -24,7 +24,7 @@ jobs:
    env:
      CONTAINERD_VERSION: lts
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0
@@ -40,7 +40,7 @@ jobs:
        run: bash tests/integration/runk/gha-run.sh install-dependencies

      - name: get-kata-tarball
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
          path: kata-artifacts
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -0,0 +1,60 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -11,7 +11,7 @@ jobs:
  stale:
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          stale-pr-message: 'This PR has been opened without with no activity for 180 days. Comment on the issue otherwise it will be closed in 7 days'
          days-before-pr-stale: 180
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -5,6 +5,7 @@ on:
      - edited
      - reopened
      - synchronize
+  workflow_dispatch:

 permissions:
  contents: read
@@ -27,7 +28,7 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -69,7 +70,7 @@ jobs:
            component-path: src/dragonball
    steps:
      - name: Checkout the code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -105,9 +106,12 @@ jobs:
          - "make static-checks"
    env:
      GOPATH: ${{ github.workspace }}
+    permissions:
+      contents: read  # for checkout
+      packages: write # for push to ghcr.io
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
@@ -131,6 +135,10 @@ jobs:
          cd "${GOPATH}/src/github.com/${{ github.repository }}"
          ./tests/install_opa.sh
      - name: Install regorus
+        env:
+          ARTEFACT_REPOSITORY: "${{ github.repository }}"
+          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
+          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
        run: |
          "${GOPATH}/src/github.com/${{ github.repository }}/tests/install_regorus.sh"
      - name: Run check
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,29 @@
+name: GHA security analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 <img src="https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/kata/SVG/kata-1.svg" width="900">

 [![CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml) [![Kata Containers Nightly CI](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kata-containers/kata-containers/badge)](https://scorecard.dev/viewer/?uri=github.com/kata-containers/kata-containers)

 # Kata Containers

--- a/src/agent/Cargo.lock
+++ b/src/agent/Cargo.lock
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4

 [[package]]
 name = "addr2line"
@@ -405,17 +405,6 @@ version = "1.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"

-[[package]]
-name = "atty"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
-dependencies = [
- "hermit-abi 0.1.19",
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "autocfg"
 version = "1.4.0"
@@ -466,11 +455,11 @@ dependencies = [

 [[package]]
 name = "bit-set"
-version = "0.5.3"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1"
+checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3"
 dependencies = [
- "bit-vec",
+ "bit-vec 0.8.0",
 ]

 [[package]]
@@ -479,6 +468,12 @@ version = "0.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"

+[[package]]
+name = "bit-vec"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7"
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -535,6 +530,12 @@ dependencies = [
 "piper",
 ]

+[[package]]
+name = "borrow-or-share"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3eeab4423108c5d7c744f4d234de88d18d636100093ae04caf4825134b9c3a32"
+
 [[package]]
 name = "borsh"
 version = "1.5.7"
@@ -658,10 +659,10 @@ dependencies = [
 [[package]]
 name = "cdi"
 version = "0.1.0"
-source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=fba5677a8e7cc962fc6e495fcec98d7d765e332a#fba5677a8e7cc962fc6e495fcec98d7d765e332a"
+source = "git+https://github.com/cncf-tags/container-device-interface-rs?rev=3b1e83dda5efcc83c7a4f134466ec006b37109c9#3b1e83dda5efcc83c7a4f134466ec006b37109c9"
 dependencies = [
 "anyhow",
- "clap 4.5.37",
+ "clap",
 "const_format",
 "jsonschema",
 "lazy_static",
@@ -719,61 +720,31 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "3.2.25"
+version = "4.5.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123"
-dependencies = [
- "atty",
- "bitflags 1.3.2",
- "clap_derive 3.2.25",
- "clap_lex 0.2.4",
- "indexmap 1.9.3",
- "once_cell",
- "strsim 0.10.0",
- "termcolor",
- "textwrap",
-]
-
-[[package]]
-name = "clap"
-version = "4.5.37"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eccb054f56cbd38340b380d4a8e69ef1f02f1af43db2f0cc817a4774d80ae071"
+checksum = "40b6887a1d8685cebccf115538db5c0efe625ccac9696ad45c409d96566e910f"
 dependencies = [
 "clap_builder",
- "clap_derive 4.5.32",
+ "clap_derive",
 ]

 [[package]]
 name = "clap_builder"
-version = "4.5.37"
+version = "4.5.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efd9466fac8543255d3b1fcad4762c5e116ffe808c8a3043d4263cd4fd4862a2"
+checksum = "e0c66c08ce9f0c698cbce5c0279d0bb6ac936d8674174fe48f736533b964f59e"
 dependencies = [
 "anstream",
 "anstyle",
- "clap_lex 0.7.4",
- "strsim 0.11.1",
+ "clap_lex",
+ "strsim",
 ]

 [[package]]
 name = "clap_derive"
-version = "3.2.25"
+version = "4.5.40"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae6371b8bdc8b7d3959e9cf7b22d4435ef3e79e138688421ec654acf8c81b008"
-dependencies = [
- "heck 0.4.1",
- "proc-macro-error",
- "proc-macro2",
- "quote",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "clap_derive"
-version = "4.5.32"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09176aae279615badda0765c0c0b3f6ed53f4709118af73cf4655d85d1530cd7"
+checksum = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce"
 dependencies = [
 "heck 0.5.0",
 "proc-macro2",
@@ -781,15 +752,6 @@ dependencies = [
 "syn 2.0.101",
 ]

-[[package]]
-name = "clap_lex"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5"
-dependencies = [
- "os_str_bytes",
-]
-
 [[package]]
 name = "clap_lex"
 version = "0.7.4"
@@ -970,7 +932,7 @@ dependencies = [
 "ident_case",
 "proc-macro2",
 "quote",
- "strsim 0.11.1",
+ "strsim",
 "syn 2.0.101",
 ]

@@ -1112,6 +1074,15 @@ version = "1.15.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"

+[[package]]
+name = "email_address"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e079f19b08ca6239f47f8ba8509c11cf3ea30095831f7fed61441475edd8c449"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "enumflags2"
 version = "0.7.11"
@@ -1200,9 +1171,9 @@ dependencies = [

 [[package]]
 name = "fancy-regex"
-version = "0.13.0"
+version = "0.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "531e46835a22af56d1e3b66f04844bed63158bc094a628bec1d321d9b4c44bf2"
+checksum = "6e24cb5a94bcae1e5408b0effca5cd7172ea3c5755049c5f3af4cd283a165298"
 dependencies = [
 "bit-set",
 "regex-automata 0.4.9",
@@ -1224,18 +1195,6 @@ version = "2.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"

-[[package]]
-name = "filetime"
-version = "0.2.25"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35c0522e981e68cbfa8c3f978441a5f34b30b96e146b33cd3359176b50fe8586"
-dependencies = [
- "cfg-if",
- "libc",
- "libredox",
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "fixedbitset"
 version = "0.2.0"
@@ -1249,6 +1208,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece"
 dependencies = [
 "crc32fast",
+ "libz-sys",
 "miniz_oxide",
 ]

@@ -1261,6 +1221,17 @@ dependencies = [
 "bitflags 1.3.2",
 ]

+[[package]]
+name = "fluent-uri"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1918b65d96df47d3591bed19c5cca17e3fa5d0707318e4b5ef2eae01764df7e5"
+dependencies = [
+ "borrow-or-share",
+ "ref-cast",
+ "serde",
+]
+
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -1447,10 +1418,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "335ff9f135e4384c8150d6f27c6daed433577f86b4750418338c01a1a2528592"
 dependencies = [
 "cfg-if",
- "js-sys",
 "libc",
 "wasi 0.11.0+wasi-snapshot-preview1",
- "wasm-bindgen",
 ]

 [[package]]
@@ -1525,27 +1494,12 @@ dependencies = [
 "unicode-segmentation",
 ]

-[[package]]
-name = "heck"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
-
 [[package]]
 name = "heck"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"

-[[package]]
-name = "hermit-abi"
-version = "0.1.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "hermit-abi"
 version = "0.3.9"
@@ -1860,6 +1814,17 @@ dependencies = [
 "tokio",
 ]

+[[package]]
+name = "inotify"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
+dependencies = [
+ "bitflags 2.9.0",
+ "inotify-sys",
+ "libc",
+]
+
 [[package]]
 name = "inotify-sys"
 version = "0.1.5"
@@ -1930,15 +1895,6 @@ version = "1.70.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"

-[[package]]
-name = "iso8601"
-version = "0.6.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5c177cff824ab21a6f41079a4c401241c4e8be14f316c4c6b07d5fca351c98d"
-dependencies = [
- "nom 8.0.0",
-]
-
 [[package]]
 name = "itertools"
 version = "0.10.5"
@@ -1982,39 +1938,36 @@ version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c6e529149475ca0b2820835d3dce8fcc41c6b943ca608d32f35b449255e4627"
 dependencies = [
- "fluent-uri",
+ "fluent-uri 0.1.4",
 "serde",
 "serde_json",
 ]

 [[package]]
 name = "jsonschema"
-version = "0.18.3"
+version = "0.30.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa0f4bea31643be4c6a678e9aa4ae44f0db9e5609d5ca9dc9083d06eb3e9a27a"
+checksum = "f1b46a0365a611fbf1d2143104dcf910aada96fafd295bab16c60b802bf6fa1d"
 dependencies = [
 "ahash 0.8.12",
- "anyhow",
 "base64 0.22.1",
 "bytecount",
- "clap 4.5.37",
+ "email_address",
 "fancy-regex",
 "fraction",
- "getrandom 0.2.16",
- "iso8601",
+ "idna",
 "itoa",
- "memchr",
 "num-cmp",
+ "num-traits",
 "once_cell",
- "parking_lot 0.12.3",
 "percent-encoding",
+ "referencing",
 "regex",
+ "regex-syntax 0.8.5",
 "reqwest",
 "serde",
 "serde_json",
- "time",
- "url",
- "uuid",
+ "uuid-simd",
 ]

 [[package]]
@@ -2031,7 +1984,7 @@ dependencies = [
 "cdi",
 "cfg-if",
 "cgroups-rs",
- "clap 3.2.25",
+ "clap",
 "const_format",
 "derivative",
 "futures",
@@ -2052,7 +2005,7 @@ dependencies = [
 "opentelemetry",
 "procfs 0.12.0",
 "prometheus",
- "protobuf 3.7.1",
+ "protobuf 3.7.2",
 "protocols",
 "regex",
 "rstest",
@@ -2071,8 +2024,8 @@ dependencies = [
 "slog-scope",
 "slog-stdlog",
 "slog-term",
- "strum",
- "strum_macros",
+ "strum 0.26.3",
+ "strum_macros 0.26.4",
 "tempfile",
 "test-utils",
 "thiserror 1.0.69",
@@ -2139,7 +2092,9 @@ dependencies = [
 "base64 0.13.1",
 "bitmask-enum",
 "byte-unit",
+ "flate2",
 "glob",
+ "hex",
 "lazy_static",
 "num_cpus",
 "oci-spec",
@@ -2148,6 +2103,7 @@ dependencies = [
 "serde",
 "serde-enum-str",
 "serde_json",
+ "sha2",
 "slog",
 "slog-scope",
 "sysinfo",
@@ -2204,7 +2160,6 @@ checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
 dependencies = [
 "bitflags 2.9.0",
 "libc",
- "redox_syscall 0.5.12",
 ]

 [[package]]
@@ -2225,6 +2180,17 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9a7cbbd4ad467251987c6e5b47d53b11a5a05add08f2447a9e2d70aef1e0d138"

+[[package]]
+name = "libz-sys"
+version = "1.1.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b70e7a7df205e92a1a4cd9aaae7898dac0aa555503cc0a649494d0d60e7651d"
+dependencies = [
+ "cc",
+ "pkg-config",
+ "vcpkg",
+]
+
 [[package]]
 name = "linux-raw-sys"
 version = "0.3.8"
@@ -2360,18 +2326,6 @@ dependencies = [
 "adler2",
 ]

-[[package]]
-name = "mio"
-version = "0.8.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
-dependencies = [
- "libc",
- "log",
- "wasi 0.11.0+wasi-snapshot-preview1",
- "windows-sys 0.48.0",
-]
-
 [[package]]
 name = "mio"
 version = "1.0.3"
@@ -2379,6 +2333,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
 dependencies = [
 "libc",
+ "log",
 "wasi 0.11.0+wasi-snapshot-preview1",
 "windows-sys 0.52.0",
 ]
@@ -2562,34 +2517,30 @@ dependencies = [
 "minimal-lexical",
 ]

-[[package]]
-name = "nom"
-version = "8.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df9761775871bdef83bee530e60050f7e54b1105350d6884eb0fb4f46c2f9405"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "notify"
-version = "6.1.1"
+version = "8.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6205bd8bb1e454ad2e27422015fb5e4f2bcc7e08fa8f27058670d208324a4d2d"
+checksum = "3163f59cd3fa0e9ef8c32f242966a7b9994fd7378366099593e0e73077cd8c97"
 dependencies = [
 "bitflags 2.9.0",
- "crossbeam-channel",
- "filetime",
 "fsevent-sys",
- "inotify",
+ "inotify 0.11.0",
 "kqueue",
 "libc",
 "log",
- "mio 0.8.11",
+ "mio",
+ "notify-types",
 "walkdir",
- "windows-sys 0.48.0",
+ "windows-sys 0.60.2",
 ]

+[[package]]
+name = "notify-types"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5e0826a989adedc2a244799e823aece04662b66609d96af8dff7ac6df9a8925d"
+
 [[package]]
 name = "ntapi"
 version = "0.4.1"
@@ -2714,26 +2665,26 @@ dependencies = [

 [[package]]
 name = "oci-spec"
-version = "0.6.8"
+version = "0.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f5a3fe998d50101ae009351fec56d88a69f4ed182e11000e711068c2f5abf72"
+checksum = "57e9beda9d92fac7bf4904c34c83340ef1024159faee67179a04e0277523da33"
 dependencies = [
+ "const_format",
 "derive_builder",
 "getset",
- "once_cell",
 "regex",
 "serde",
 "serde_json",
- "strum",
- "strum_macros",
- "thiserror 1.0.69",
+ "strum 0.27.1",
+ "strum_macros 0.27.1",
+ "thiserror 2.0.12",
 ]

 [[package]]
 name = "once_cell"
-version = "1.19.0"
+version = "1.21.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+checksum = "42f5e15c9953c5e4ccceeb2e7382a716482c34515315f7b03532b8b4e8393d2d"

 [[package]]
 name = "opentelemetry"
@@ -2766,10 +2717,10 @@ dependencies = [
 ]

 [[package]]
-name = "os_str_bytes"
-version = "6.6.1"
+name = "outref"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1"
+checksum = "1a80800c0488c3a21695ea981a54918fbb37abf04f4d0720c453632255e2ff0e"

 [[package]]
 name = "page_size"
@@ -2872,7 +2823,7 @@ version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d88ae3281b415d856e9c2ddbcdd5961e71c1a3e90138512c04d720241853a6af"
 dependencies = [
- "nom 7.1.3",
+ "nom",
 "phf",
 "phf_codegen",
 "proc-macro2",
@@ -3073,30 +3024,6 @@ dependencies = [
 "toml_edit 0.22.26",
 ]

-[[package]]
-name = "proc-macro-error"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da25490ff9892aab3fcf7c36f08cfb902dd3e71ca0f9f9517bea02a73a5ce38c"
-dependencies = [
- "proc-macro-error-attr",
- "proc-macro2",
- "quote",
- "syn 1.0.109",
- "version_check",
-]
-
-[[package]]
-name = "proc-macro-error-attr"
-version = "1.0.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1be40180e52ecc98ad80b184934baf3d0d29f979574e439af5a55274b35f869"
-dependencies = [
- "proc-macro2",
- "quote",
- "version_check",
-]
-
 [[package]]
 name = "proc-macro-error-attr2"
 version = "2.0.0"
@@ -3242,9 +3169,9 @@ checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94"

 [[package]]
 name = "protobuf"
-version = "3.7.1"
+version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a3a7c64d9bf75b1b8d981124c14c179074e8caa7dfe7b6a12e6222ddcd0c8f72"
+checksum = "d65a1d4ddae7d8b5de68153b48f6aa3bba8cb002b243dbdbc55a5afbc98f99f4"
 dependencies = [
 "once_cell",
 "protobuf-support",
@@ -3262,13 +3189,13 @@ dependencies = [

 [[package]]
 name = "protobuf-codegen"
-version = "3.7.1"
+version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e26b833f144769a30e04b1db0146b2aaa53fd2fd83acf10a6b5f996606c18144"
+checksum = "5d3976825c0014bbd2f3b34f0001876604fe87e0c86cd8fa54251530f1544ace"
 dependencies = [
 "anyhow",
 "once_cell",
- "protobuf 3.7.1",
+ "protobuf 3.7.2",
 "protobuf-parse",
 "regex",
 "tempfile",
@@ -3277,14 +3204,14 @@ dependencies = [

 [[package]]
 name = "protobuf-parse"
-version = "3.7.1"
+version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "322330e133eab455718444b4e033ebfac7c6528972c784fcde28d2cc783c6257"
+checksum = "b4aeaa1f2460f1d348eeaeed86aea999ce98c1bded6f089ff8514c9d9dbdc973"
 dependencies = [
 "anyhow",
 "indexmap 2.9.0",
 "log",
- "protobuf 3.7.1",
+ "protobuf 3.7.2",
 "protobuf-support",
 "tempfile",
 "thiserror 1.0.69",
@@ -3293,9 +3220,9 @@ dependencies = [

 [[package]]
 name = "protobuf-support"
-version = "3.7.1"
+version = "3.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b088fd20b938a875ea00843b6faf48579462630015c3788d397ad6a786663252"
+checksum = "3e36c2f31e0a47f9280fb347ef5e461ffcd2c52dd520d8e216b52f93b0b0d7d6"
 dependencies = [
 "thiserror 1.0.69",
 ]
@@ -3306,7 +3233,7 @@ version = "0.1.0"
 dependencies = [
 "async-trait",
 "oci-spec",
- "protobuf 3.7.1",
+ "protobuf 3.7.2",
 "serde",
 "serde_json",
 "ttrpc",
@@ -3414,10 +3341,44 @@ dependencies = [
 ]

 [[package]]
-name = "regex"
-version = "1.10.6"
+name = "ref-cast"
+version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619"
+checksum = "4a0ae411dbe946a674d89546582cea4ba2bb8defac896622d6496f14c23ba5cf"
+dependencies = [
+ "ref-cast-impl",
+]
+
+[[package]]
+name = "ref-cast-impl"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1165225c21bff1f3bbce98f5a1f889949bc902d3575308cc7b0de30b4f6d27c7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.101",
+]
+
+[[package]]
+name = "referencing"
+version = "0.30.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8eff4fa778b5c2a57e85c5f2fe3a709c52f0e60d23146e2151cbef5893f420e"
+dependencies = [
+ "ahash 0.8.12",
+ "fluent-uri 0.3.2",
+ "once_cell",
+ "parking_lot 0.12.3",
+ "percent-encoding",
+ "serde_json",
+]
+
+[[package]]
+name = "regex"
+version = "1.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191"
 dependencies = [
 "aho-corasick",
 "memchr",
@@ -3697,13 +3658,13 @@ dependencies = [
 "anyhow",
 "async-trait",
 "awaitgroup",
- "bit-vec",
+ "bit-vec 0.6.3",
 "capctl",
 "caps",
 "cfg-if",
 "cgroups-rs",
 "futures",
- "inotify",
+ "inotify 0.9.6",
 "kata-sys-util",
 "lazy_static",
 "libc",
@@ -3711,7 +3672,7 @@ dependencies = [
 "nix 0.24.3",
 "oci-spec",
 "path-absolutize",
- "protobuf 3.7.1",
+ "protobuf 3.7.2",
 "protocols",
 "regex",
 "rlimit",
@@ -4117,12 +4078,6 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"

-[[package]]
-name = "strsim"
-version = "0.10.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
-
 [[package]]
 name = "strsim"
 version = "0.11.1"
@@ -4135,6 +4090,12 @@ version = "0.26.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"

+[[package]]
+name = "strum"
+version = "0.27.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f64def088c51c9510a8579e3c5d67c65349dcf755e5479ad3d010aa6454e2c32"
+
 [[package]]
 name = "strum_macros"
 version = "0.26.4"
@@ -4148,6 +4109,19 @@ dependencies = [
 "syn 2.0.101",
 ]

+[[package]]
+name = "strum_macros"
+version = "0.27.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c77a8c5abcaf0f9ce05d62342b7d298c346515365c36b673df4ebe3ced01fde8"
+dependencies = [
+ "heck 0.5.0",
+ "proc-macro2",
+ "quote",
+ "rustversion",
+ "syn 2.0.101",
+]
+
 [[package]]
 name = "subprocess"
 version = "0.2.9"
@@ -4249,15 +4223,6 @@ dependencies = [
 "winapi",
 ]

-[[package]]
-name = "termcolor"
-version = "1.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755"
-dependencies = [
- "winapi-util",
-]
-
 [[package]]
 name = "termtree"
 version = "0.5.1"
@@ -4271,12 +4236,6 @@ dependencies = [
 "nix 0.24.3",
 ]

-[[package]]
-name = "textwrap"
-version = "0.16.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c13547615a44dc9c452a8a534638acdf07120d4b6847c8178705da06306a3057"
-
 [[package]]
 name = "thiserror"
 version = "1.0.69"
@@ -4392,7 +4351,7 @@ dependencies = [
 "backtrace",
 "bytes 1.10.1",
 "libc",
- "mio 1.0.3",
+ "mio",
 "parking_lot 0.12.3",
 "pin-project-lite",
 "signal-hook-registry",
@@ -4621,8 +4580,8 @@ dependencies = [
 "libc",
 "log",
 "nix 0.26.4",
- "protobuf 3.7.1",
- "protobuf-codegen 3.7.1",
+ "protobuf 3.7.2",
+ "protobuf-codegen 3.7.2",
 "thiserror 1.0.69",
 "tokio",
 "tokio-vsock 0.4.0",
@@ -4637,7 +4596,7 @@ checksum = "cdc0529f65223eca94fc5830e7d552d0d152ff42b74aff5c641edac39592f41f"
 dependencies = [
 "home",
 "protobuf 2.28.0",
- "protobuf-codegen 3.7.1",
+ "protobuf-codegen 3.7.2",
 "protobuf-support",
 "ttrpc-compiler",
 ]
@@ -4740,6 +4699,17 @@ version = "1.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "458f7a779bf54acc9f347480ac654f68407d3aab21269a6e3c9f922acd9e2da9"

+[[package]]
+name = "uuid-simd"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23b082222b4f6619906941c17eb2297fff4c2fb96cb60164170522942a200bd8"
+dependencies = [
+ "outref",
+ "uuid",
+ "vsimd",
+]
+
 [[package]]
 name = "valuable"
 version = "0.1.1"
@@ -4752,12 +4722,24 @@ version = "1.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "943ce29a8a743eb10d6082545d861b24f9d1b160b7d741e0f2cdf726bec909c5"

+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
 [[package]]
 name = "version_check"
 version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"

+[[package]]
+name = "vsimd"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c3082ca00d5a5ef149bb8b555a72ae84c9c59f7250f013ac822ac2e49b19c64"
+
 [[package]]
 name = "vsock"
 version = "0.2.6"
@@ -5050,7 +5032,7 @@ checksum = "4286ad90ddb45071efd1a66dfa43eb02dd0dfbae1545ad6cc3c51cf34d7e8ba3"
 dependencies = [
 "windows-result 0.3.2",
 "windows-strings 0.3.1",
- "windows-targets 0.53.0",
+ "windows-targets 0.53.2",
 ]

 [[package]]
@@ -5116,6 +5098,15 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

+[[package]]
+name = "windows-sys"
+version = "0.60.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
+dependencies = [
+ "windows-targets 0.53.2",
+]
+
 [[package]]
 name = "windows-targets"
 version = "0.48.5"
@@ -5149,9 +5140,9 @@ dependencies = [

 [[package]]
 name = "windows-targets"
-version = "0.53.0"
+version = "0.53.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b1e4c7e8ceaaf9cb7d7507c974735728ab453b67ef8f18febdd7c11fe59dca8b"
+checksum = "c66f69fcc9ce11da9966ddb31a40968cad001c5bedeb5c2b82ede4253ab48aef"
 dependencies = [
 "windows_aarch64_gnullvm 0.53.0",
 "windows_aarch64_msvc 0.53.0",
--- a/src/agent/Cargo.toml
+++ b/src/agent/Cargo.toml
@@ -8,10 +8,10 @@ license = "Apache-2.0"
 rust-version = "1.85.1"

 [workspace.dependencies]
-oci-spec = { version = "0.6.8", features = ["runtime"] }
+oci-spec = { version = "0.8.1", features = ["runtime"] }
 lazy_static = "1.3.0"
 ttrpc = { version = "0.8.4", features = ["async"], default-features = false }
-protobuf = "=3.7.1"
+protobuf = "3.7.2"
 libc = "0.2.94"
 nix = "0.24.2"
 capctl = "0.2.0"
@@ -66,7 +66,7 @@ opentelemetry = { version = "0.14.0", features = ["rt-tokio-current-thread"] }
 serde = { version = "1.0.129", features = ["derive"] }
 serde_json = "1.0.39"
 toml = "0.5.8"
-clap = { version = "3.0.1", features = ["derive"] }
+clap = { version = "4.5.40", features = ["derive"] }
 strum = "0.26.2"
 strum_macros = "0.26.2"

@@ -80,7 +80,7 @@ kata-agent-policy = { path = "policy" }
 rustjail = { path = "rustjail" }
 vsock-exporter = { path = "vsock-exporter" }

-mem-agent = { path = "../mem-agent" }
+mem-agent = { path = "../mem-agent", package = "mem-agent-lib" }

 kata-sys-util = { path = "../libs/kata-sys-util" }
 kata-types = { path = "../libs/kata-types" }
@@ -163,7 +163,7 @@ strum.workspace = true
 strum_macros.workspace = true

 # Agent Policy
-cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "fba5677a8e7cc962fc6e495fcec98d7d765e332a" }
+cdi = { git = "https://github.com/cncf-tags/container-device-interface-rs", rev = "3b1e83dda5efcc83c7a4f134466ec006b37109c9" }

 # Local dependencies
 kata-agent-policy = { workspace = true, optional = true }
--- a/src/agent/rustjail/src/container.rs
+++ b/src/agent/rustjail/src/container.rs
@@ -2081,8 +2081,8 @@ mod tests {
        });
    }

-    #[test]
-    fn test_linuxcontainer_get_process() {
+    #[tokio::test]
+    async fn test_linuxcontainer_get_process() {
        let _ = new_linux_container_and_then(|mut c: LinuxContainer| {
            c.processes.insert(
                1,
--- a/src/agent/rustjail/src/mount.rs
+++ b/src/agent/rustjail/src/mount.rs
@@ -1144,7 +1144,6 @@ mod tests {
    use std::fs::remove_dir_all;
    use std::fs::remove_file;
    use std::io;
-    use std::os::unix::fs;
    use std::os::unix::io::AsRawFd;
    use tempfile::tempdir;
    use test_utils::assert_result;
--- a/src/agent/rustjail/src/process.rs
+++ b/src/agent/rustjail/src/process.rs
@@ -179,6 +179,11 @@ impl Process {
                p.parent_stdin = Some(pstdin);
                p.stdin = Some(stdin);

+                // Make sure the parent stdin writer be inserted into
+                // p.writes hashmap, thus the cleanup_process_stream can
+                // cleanup and close the parent stdin fd.
+                let _ = p.get_writer(StreamType::ParentStdin);
+
                // These pipes are necessary as the stdout/stderr of the child process
                // cannot be a socket. Otherwise, some images relying on the /dev/stdout(stderr)
                // and /proc/self/fd/1(2) will fail to boot as opening an existing socket
@@ -308,8 +313,8 @@ mod tests {
        assert_eq!(max_size, actual_size);
    }

-    #[test]
-    fn test_process() {
+    #[tokio::test]
+    async fn test_process() {
        let id = "abc123rgb";
        let init = true;
        let process = Process::new(
--- a/src/agent/src/config.rs
+++ b/src/agent/src/config.rs
@@ -323,31 +323,31 @@ impl FromStr for AgentConfig {

            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_disable,
-                mac.memcg_config.disabled
+                mac.memcg_config.default.disabled
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_swap,
-                mac.memcg_config.swap
+                mac.memcg_config.default.swap
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_swappiness_max,
-                mac.memcg_config.swappiness_max
+                mac.memcg_config.default.swappiness_max
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_period_secs,
-                mac.memcg_config.period_secs
+                mac.memcg_config.default.period_secs
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_period_psi_percent_limit,
-                mac.memcg_config.period_psi_percent_limit
+                mac.memcg_config.default.period_psi_percent_limit
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_eviction_psi_percent_limit,
-                mac.memcg_config.eviction_psi_percent_limit
+                mac.memcg_config.default.eviction_psi_percent_limit
            );
            mem_agent_config_override!(
                agent_config_builder.mem_agent_memcg_eviction_run_aging_count_min,
-                mac.memcg_config.eviction_run_aging_count_min
+                mac.memcg_config.default.eviction_run_aging_count_min
            );

            mem_agent_config_override!(
@@ -549,43 +549,43 @@ impl AgentConfig {
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_DISABLE,
-                    mac.memcg_config.disabled,
+                    mac.memcg_config.default.disabled,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_SWAP,
-                    mac.memcg_config.swap,
+                    mac.memcg_config.default.swap,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_SWAPPINESS_MAX,
-                    mac.memcg_config.swappiness_max,
+                    mac.memcg_config.default.swappiness_max,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_PERIOD_SECS,
-                    mac.memcg_config.period_secs,
+                    mac.memcg_config.default.period_secs,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_PERIOD_PSI_PERCENT_LIMIT,
-                    mac.memcg_config.period_psi_percent_limit,
+                    mac.memcg_config.default.period_psi_percent_limit,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_EVICTION_PSI_PERCENT_LIMIT,
-                    mac.memcg_config.eviction_psi_percent_limit,
+                    mac.memcg_config.default.eviction_psi_percent_limit,
                    get_number_value
                );
                parse_cmdline_param!(
                    param,
                    MEM_AGENT_MEMCG_EVICTION_RUN_AGING_COUNT_MIN,
-                    mac.memcg_config.eviction_run_aging_count_min,
+                    mac.memcg_config.default.eviction_run_aging_count_min,
                    get_number_value
                );
                parse_cmdline_param!(
@@ -1408,7 +1408,10 @@ mod tests {
                contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300",
                mem_agent: Some(MemAgentConfig {
                    memcg_config: mem_agent::memcg::Config {
-                        period_secs: 300,
+                        default: mem_agent::memcg::SingleConfig {
+                            period_secs: 300,
+                            ..Default::default()
+                        },
                        ..Default::default()
                    },
                    ..Default::default()
@@ -1419,7 +1422,10 @@ mod tests {
                contents: "agent.mem_agent_enable=1\nagent.mem_agent_memcg_period_secs=300\nagent.mem_agent_compact_order=6",
                mem_agent: Some(MemAgentConfig {
                    memcg_config: mem_agent::memcg::Config {
-                        period_secs: 300,
+                        default: mem_agent::memcg::SingleConfig {
+                            period_secs: 300,
+                            ..Default::default()
+                        },
                        ..Default::default()
                    },
                    compact_config: mem_agent::compact::Config {
--- a/src/agent/src/initdata.rs
+++ b/src/agent/src/initdata.rs
@@ -15,7 +15,7 @@ use anyhow::{bail, Context, Result};
 use async_compression::tokio::bufread::GzipDecoder;
 use base64::{engine::general_purpose::STANDARD, Engine};
 use const_format::concatcp;
-use serde::Deserialize;
+use kata_types::initdata::InitData;
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use slog::Logger;
 use tokio::io::{AsyncReadExt, AsyncSeekExt};
@@ -23,6 +23,13 @@ use tokio::io::{AsyncReadExt, AsyncSeekExt};
 /// This is the target directory to store the extracted initdata.
 pub const INITDATA_PATH: &str = "/run/confidential-containers/initdata";

+const AA_CONFIG_KEY: &str = "aa.toml";
+const CDH_CONFIG_KEY: &str = "cdh.toml";
+const POLICY_KEY: &str = "policy.rego";
+
+/// The path of initdata toml
+pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
+
 /// The path of AA's config file
 pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");

@@ -32,30 +39,6 @@ pub const CDH_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/cdh.toml");
 /// Magic number of initdata device
 pub const INITDATA_MAGIC_NUMBER: &[u8] = b"initdata";

-/// Now only initdata `0.1.0` is defined.
-const INITDATA_VERSION: &str = "0.1.0";
-
-/// Initdata defined in
-/// <https://github.com/confidential-containers/trustee/blob/47d7a2338e0be76308ac19be5c0c172c592780aa/kbs/docs/initdata.md>
-#[derive(Deserialize)]
-pub struct Initdata {
-    version: String,
-    algorithm: String,
-    data: DefinedFields,
-}
-
-/// Well-defined keys for initdata of kata/CoCo
-#[derive(Deserialize, Default)]
-#[serde(deny_unknown_fields)]
-pub struct DefinedFields {
-    #[serde(rename = "aa.toml")]
-    aa_config: Option<String>,
-    #[serde(rename = "cdh.toml")]
-    cdh_config: Option<String>,
-    #[serde(rename = "policy.rego")]
-    policy: Option<String>,
-}
-
 async fn detect_initdata_device(logger: &Logger) -> Result<Option<String>> {
    let dev_dir = Path::new("/dev");
    let mut read_dir = tokio::fs::read_dir(dev_dir).await?;
@@ -115,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
 }

 pub struct InitdataReturnValue {
-    pub digest: Vec<u8>,
+    pub _digest: Vec<u8>,
    pub _policy: Option<String>,
 }

@@ -137,40 +120,41 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
        .await
        .inspect_err(|e| error!(logger, "Failed to read initdata: {e:?}"))?;

-    let initdata: Initdata =
+    let initdata: InitData =
        toml::from_slice(&initdata_content).context("parse initdata failed")?;
-    info!(logger, "Initdata version: {}", initdata.version);
+    info!(logger, "Initdata version: {}", initdata.version());
+    initdata.validate()?;

-    if initdata.version != INITDATA_VERSION {
-        bail!("Unsupported initdata version");
-    }
+    tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
+        .await
+        .context("write initdata toml failed")?;

-    let digest = match &initdata.algorithm[..] {
+    let _digest = match initdata.algorithm() {
        "sha256" => Sha256::digest(&initdata_content).to_vec(),
        "sha384" => Sha384::digest(&initdata_content).to_vec(),
        "sha512" => Sha512::digest(&initdata_content).to_vec(),
        others => bail!("Unsupported hash algorithm {others}"),
    };

-    if let Some(config) = initdata.data.aa_config {
+    if let Some(config) = initdata.get_coco_data(AA_CONFIG_KEY) {
        tokio::fs::write(AA_CONFIG_PATH, config)
            .await
            .context("write aa config failed")?;
        info!(logger, "write AA config from initdata");
    }

-    if let Some(config) = initdata.data.cdh_config {
+    if let Some(config) = initdata.get_coco_data(CDH_CONFIG_KEY) {
        tokio::fs::write(CDH_CONFIG_PATH, config)
            .await
            .context("write cdh config failed")?;
        info!(logger, "write CDH config from initdata");
    }

-    debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest));
+    debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));

    let res = InitdataReturnValue {
-        digest,
-        _policy: initdata.data.policy,
+        _digest,
+        _policy: initdata.get_coco_data(POLICY_KEY).cloned(),
    };

    Ok(Some(res))
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -19,9 +19,8 @@ extern crate scopeguard;
 extern crate slog;

 use anyhow::{anyhow, bail, Context, Result};
-use base64::Engine;
 use cfg_if::cfg_if;
-use clap::{AppSettings, Parser};
+use clap::Parser;
 use const_format::concatcp;
 use initdata::{InitdataReturnValue, AA_CONFIG_PATH, CDH_CONFIG_PATH};
 use nix::fcntl::OFlag;
@@ -128,7 +127,7 @@ lazy_static! {

 #[derive(Parser)]
 // The default clap version info doesn't match our form, so we need to override it
-#[clap(global_setting(AppSettings::DisableVersionFlag))]
+#[clap(disable_version_flag = true)]
 struct AgentOpts {
    /// Print the version information
    #[clap(short, long)]
@@ -485,12 +484,9 @@ async fn launch_guest_component_procs(

    debug!(logger, "spawning attestation-agent process {}", AA_PATH);
    let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
-    let initdata_parameter;
-    if let Some(initdata_return_value) = initdata_return_value {
-        initdata_parameter =
-            base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
-        aa_args.push("--initdata");
-        aa_args.push(&initdata_parameter);
+    if initdata_return_value.is_some() {
+        aa_args.push("--initdata-toml");
+        aa_args.push(initdata::INITDATA_TOML_PATH);
    }

    launch_process(
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -708,13 +708,15 @@ fn mem_agent_memcgconfig_to_memcg_optionconfig(
    mc: &protocols::agent::MemAgentMemcgConfig,
 ) -> mem_agent::memcg::OptionConfig {
    mem_agent::memcg::OptionConfig {
-        disabled: mc.disabled,
-        swap: mc.swap,
-        swappiness_max: mc.swappiness_max.map(|x| x as u8),
-        period_secs: mc.period_secs,
-        period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
-        eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
-        eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
+        default: mem_agent::memcg::SingleOptionConfig {
+            disabled: mc.disabled,
+            swap: mc.swap,
+            swappiness_max: mc.swappiness_max.map(|x| x as u8),
+            period_secs: mc.period_secs,
+            period_psi_percent_limit: mc.period_psi_percent_limit.map(|x| x as u8),
+            eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|x| x as u8),
+            eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
+        },
        ..Default::default()
    }
 }
@@ -2621,11 +2623,6 @@ mod tests {
                }),
                ..Default::default()
            },
-            TestData {
-                has_fd: false,
-                result: Err(anyhow!(ERR_CANNOT_GET_WRITER)),
-                ..Default::default()
-            },
        ];

        for (i, d) in tests.iter().enumerate() {
--- a/src/dragonball/Cargo.lock
+++ b/src/dragonball/Cargo.lock
@@ -56,17 +56,6 @@ version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711"

-[[package]]
-name = "atty"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
-dependencies = [
- "hermit-abi 0.1.19",
- "libc",
- "winapi",
-]
-
 [[package]]
 name = "autocfg"
 version = "1.1.0"
@@ -803,21 +792,18 @@ version = "0.15.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "84b26c544d002229e640969970a2e74021aadf6e2f96372b9c58eff97de08eb3"

-[[package]]
-name = "hermit-abi"
-version = "0.1.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "hermit-abi"
 version = "0.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "443144c8cdadd93ebf52ddb4056d257f5b52c04d3c804e657d19eb73fc33668b"

+[[package]]
+name = "hermit-abi"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c"
+
 [[package]]
 name = "hex"
 version = "0.4.3"
@@ -974,6 +960,17 @@ version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6"

+[[package]]
+name = "is-terminal"
+version = "0.4.16"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e04d7f318608d35d4b61ddd75cbdaee86b023ebe2bd5a66ee0915f0bf93095a9"
+dependencies = [
+ "hermit-abi 0.5.2",
+ "libc",
+ "windows-sys 0.52.0",
+]
+
 [[package]]
 name = "itoa"
 version = "1.0.9"
@@ -1067,9 +1064,9 @@ checksum = "ef53942eb7bf7ff43a617b3e2c1c4a5ecf5944a7c1bc12d7ee39bbb15e5c1519"

 [[package]]
 name = "linux-raw-sys"
-version = "0.4.7"
+version = "0.4.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a9bad9f94746442c783ca431b22403b519cd7fbeed0533fdd6328b2f2212128"
+checksum = "d26c52dbd32dccf2d10cac7725f8eae5296885fb5703b261f7d0a0739ec807ab"

 [[package]]
 name = "lock_api"
@@ -1228,15 +1225,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "num_threads"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "nydus-api"
 version = "0.3.1"
@@ -1482,7 +1470,7 @@ dependencies = [
 "byteorder",
 "hex",
 "lazy_static",
- "rustix 0.36.15",
+ "rustix 0.36.17",
 ]

 [[package]]
@@ -1606,9 +1594,9 @@ checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"

 [[package]]
 name = "rustix"
-version = "0.36.15"
+version = "0.36.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c37f1bd5ef1b5422177b7646cba67430579cfe2ace80f284fee876bca52ad941"
+checksum = "305efbd14fde4139eb501df5f136994bb520b033fa9fbdce287507dc23b8c7ed"
 dependencies = [
 "bitflags 1.3.2",
 "errno",
@@ -1620,9 +1608,9 @@ dependencies = [

 [[package]]
 name = "rustix"
-version = "0.37.23"
+version = "0.37.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4d69718bf81c6127a49dc64e44a742e8bb9213c0ff8869a22c308f84c1d4ab06"
+checksum = "519165d378b97752ca44bbe15047d5d3409e875f39327546b42ac81d7e18c1b6"
 dependencies = [
 "bitflags 1.3.2",
 "errno",
@@ -1634,14 +1622,14 @@ dependencies = [

 [[package]]
 name = "rustix"
-version = "0.38.13"
+version = "0.38.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7db8590df6dfcd144d22afd1b83b36c21a18d7cbc1dc4bb5295a8712e9eb662"
+checksum = "dc99bc2d4f1fed22595588a013687477aedf3cdcfb26558c559edb67b4d9b22e"
 dependencies = [
 "bitflags 2.4.0",
 "errno",
 "libc",
- "linux-raw-sys 0.4.7",
+ "linux-raw-sys 0.4.15",
 "windows-sys 0.48.0",
 ]

@@ -1824,11 +1812,11 @@ dependencies = [

 [[package]]
 name = "slog-term"
-version = "2.9.0"
+version = "2.9.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87d29185c55b7b258b4f120eab00f48557d4d9bc814f41713f449d35b0f8977c"
+checksum = "b6e022d0b998abfe5c3782c1f03551a596269450ccd677ea51c56f8b214610e8"
 dependencies = [
- "atty",
+ "is-terminal",
 "slog",
 "term",
 "thread_local",
@@ -1905,7 +1893,7 @@ dependencies = [
 "cfg-if",
 "fastrand",
 "redox_syscall 0.3.5",
- "rustix 0.38.13",
+ "rustix 0.38.25",
 "windows-sys 0.48.0",
 ]

@@ -1974,9 +1962,7 @@ checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
 dependencies = [
 "deranged",
 "itoa",
- "libc",
 "num-conv",
- "num_threads",
 "powerfmt",
 "serde",
 "time-core",
@@ -2005,7 +1991,7 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d3fd47d83ad0b5c7be2e8db0b9d712901ef6ce5afbcc6f676761004f5104ea2"
 dependencies = [
- "rustix 0.37.23",
+ "rustix 0.37.28",
 ]

 [[package]]
--- a/src/dragonball/out
+++ b/src/dragonball/out
--- a/src/dragonball/src/api/v1/vmm_action.rs
+++ b/src/dragonball/src/api/v1/vmm_action.rs
@@ -9,8 +9,9 @@
 use std::fs::File;
 use std::sync::{Arc, Mutex};

-use crossbeam_channel::{unbounded, Receiver, Sender, TryRecvError};
+use crossbeam_channel::{Receiver, Sender, TryRecvError};
 use log::{debug, error, info, warn};
+use std::sync::mpsc;
 use tracing::instrument;

 use crate::error::{Result, StartMicroVmError, StopMicrovmError};
@@ -284,7 +285,7 @@ pub enum VmmData {
    /// Return vfio device's slot number in guest.
    VfioDeviceData(Option<u8>),
    /// Sync Hotplug
-    SyncHotplug((Sender<Option<i32>>, Receiver<Option<i32>>)),
+    SyncHotplug((mpsc::Sender<Option<i32>>, mpsc::Receiver<Option<i32>>)),
 }

 /// Request data type used to communicate between the API and the VMM.
@@ -900,7 +901,7 @@ impl VmmService {
            }
        })?;

-        let (sender, receiver) = unbounded();
+        let (sender, receiver) = mpsc::channel();

        // It is safe because we don't expect poison lock.
        let vfio_manager = vm.device_manager.vfio_manager.lock().unwrap();
@@ -965,15 +966,17 @@ impl VmmService {
            ));
        }

+        let (sender, revceiver) = mpsc::channel();
+
        #[cfg(feature = "dbs-upcall")]
-        vm.resize_vcpu(config, None).map_err(|e| {
+        vm.resize_vcpu(config, Some(sender.clone())).map_err(|e| {
            if let VcpuResizeError::UpcallServerNotReady = e {
                return VmmActionError::UpcallServerNotReady;
            }
            VmmActionError::ResizeVcpu(e)
        })?;

-        Ok(VmmData::Empty)
+        Ok(VmmData::SyncHotplug((sender, revceiver)))
    }

    #[cfg(feature = "virtio-mem")]
--- a/src/dragonball/src/device_manager/vfio_dev_mgr/mod.rs
+++ b/src/dragonball/src/device_manager/vfio_dev_mgr/mod.rs
@@ -16,9 +16,9 @@ use std::collections::HashMap;
 use std::ops::Deref;
 use std::os::fd::RawFd;
 use std::path::Path;
+use std::sync::mpsc::Sender;
 use std::sync::{Arc, Weak};

-use crossbeam_channel::Sender;
 use dbs_device::resources::Resource::LegacyIrq;
 use dbs_device::resources::{DeviceResources, Resource, ResourceConstraint};
 use dbs_device::DeviceIo;
--- a/src/dragonball/src/vcpu/vcpu_manager.rs
+++ b/src/dragonball/src/vcpu/vcpu_manager.rs
@@ -225,7 +225,7 @@ pub struct VcpuManager {
    vm_as: GuestAddressSpaceImpl,
    pub(crate) vm_fd: Arc<VmFd>,

-    action_sycn_tx: Option<Sender<bool>>,
+    action_sycn_tx: Option<Sender<Option<i32>>>,
    vcpus_in_action: (VcpuAction, Vec<u8>),
    pub(crate) reset_event_fd: Option<EventFd>,

@@ -756,7 +756,9 @@ impl VcpuManager {

    fn sync_action_finish(&mut self, got_error: bool) {
        if let Some(tx) = self.action_sycn_tx.take() {
-            if let Err(e) = tx.send(got_error) {
+            let result = if got_error { 0 } else { -1 };
+
+            if let Err(e) = tx.send(Some(result)) {
                debug!("cpu sync action send to closed channel {}", e);
            }
        }
@@ -856,7 +858,7 @@ mod hotplug {
        pub fn resize_vcpu(
            &mut self,
            vcpu_count: u8,
-            sync_tx: Option<Sender<bool>>,
+            sync_tx: Option<Sender<Option<i32>>>,
        ) -> std::result::Result<(), VcpuResizeError> {
            if self.get_vcpus_action() != VcpuAction::None {
                return Err(VcpuResizeError::VcpuIsHotplugging);
--- a/src/dragonball/src/vm/mod.rs
+++ b/src/dragonball/src/vm/mod.rs
@@ -832,7 +832,7 @@ impl Vm {
    pub fn resize_vcpu(
        &mut self,
        config: VcpuResizeInfo,
-        sync_tx: Option<Sender<bool>>,
+        sync_tx: Option<Sender<Option<i32>>>,
    ) -> std::result::Result<(), VcpuResizeError> {
        if self.upcall_client().is_none() {
            Err(VcpuResizeError::UpcallClientMissing)
--- a/src/libs/.gitignore
+++ b/src/libs/.gitignore
@@ -0,0 +1 @@
+Cargo.lock
--- a/src/libs/Cargo.lock
+++ b/src/libs/Cargo.lock
--- a/src/libs/kata-sys-util/Cargo.toml
+++ b/src/libs/kata-sys-util/Cargo.toml
@@ -32,7 +32,7 @@ pci-ids = "0.2.5"
 mockall = "0.13.1"

 kata-types = { path = "../kata-types" }
-oci-spec = { version = "0.6.8", features = ["runtime"] }
+oci-spec = { version = "0.8.1", features = ["runtime"] }
 runtime-spec = { path = "../runtime-spec" }
 safe-path = { path = "../safe-path" }

--- a/src/libs/kata-sys-util/src/protection.rs
+++ b/src/libs/kata-sys-util/src/protection.rs
@@ -225,7 +225,7 @@ mod tests {

        let actual = arch_guest_protection("/xyz/tmp", path.to_str().unwrap());
        assert!(actual.is_ok());
-        assert_eq!(actual.unwrap(), GuestProtection::Snp);
+        assert!(matches!(actual.unwrap(), GuestProtection::Snp(_)));

        writeln!(snp_file, "N").unwrap();
        let actual = arch_guest_protection("/xyz/tmp", path.to_str().unwrap());
@@ -244,7 +244,7 @@ mod tests {

        let actual = arch_guest_protection(sev_path.to_str().unwrap(), "/xyz/tmp");
        assert!(actual.is_ok());
-        assert_eq!(actual.unwrap(), GuestProtection::Sev);
+        assert!(matches!(actual.unwrap(), GuestProtection::Sev(_)));

        writeln!(sev_file, "N").unwrap();
        let actual = arch_guest_protection(sev_path.to_str().unwrap(), "/xyz/tmp");
--- a/src/libs/kata-types/Cargo.toml
+++ b/src/libs/kata-types/Cargo.toml
@@ -27,8 +27,11 @@ thiserror = "1.0"
 toml = "0.5.8"
 serde-enum-str = "0.4"
 sysinfo = "0.34.2"
+sha2 = "0.10.8"
+flate2 = { version = "1.0", features = ["zlib"] }
+hex = "0.4"

-oci-spec = { version = "0.6.8", features = ["runtime"] }
+oci-spec = { version = "0.8.1", features = ["runtime"] }
 safe-path = { path = "../safe-path" }

 [dev-dependencies]
--- a/src/libs/kata-types/src/annotations/mod.rs
+++ b/src/libs/kata-types/src/annotations/mod.rs
@@ -15,6 +15,7 @@ use serde::Deserialize;
 use crate::config::hypervisor::{get_hypervisor_plugin, HugePageType};

 use crate::config::TomlConfig;
+use crate::initdata::add_hypervisor_initdata_overrides;
 use crate::sl;

 use self::cri_containerd::{SANDBOX_CPU_PERIOD_KEY, SANDBOX_CPU_QUOTA_KEY, SANDBOX_MEM_KEY};
@@ -271,6 +272,17 @@ pub const KATA_ANNO_CFG_HYPERVISOR_VIRTIO_FS_EXTRA_ARGS: &str =
    "io.katacontainers.config.hypervisor.virtio_fs_extra_args";
 /// A sandbox annotation to specify as the msize for 9p shares.
 pub const KATA_ANNO_CFG_HYPERVISOR_MSIZE_9P: &str = "io.katacontainers.config.hypervisor.msize_9p";
+/// The initdata annotation passed in when CVM launchs
+pub const KATA_ANNO_CFG_HYPERVISOR_INIT_DATA: &str =
+    "io.katacontainers.config.hypervisor.cc_init_data";
+
+/// GPU specific annotations for remote hypervisor to help with instance selection
+/// It's for minimum number of GPUs required for the VM.
+pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS: &str =
+    "io.katacontainers.config.hypervisor.default_gpus";
+/// It's for the GPU model(tesla, h100, a100, radeon etc.) required for the VM.
+pub const KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL: &str =
+    "io.katacontainers.config.hypervisor.default_gpu_model";

 // Runtime related annotations
 /// Prefix for Runtime configurations.
@@ -303,6 +315,9 @@ pub const KATA_ANNO_CFG_DISABLE_NEW_NETNS: &str =
 pub const KATA_ANNO_CFG_VFIO_MODE: &str = "io.katacontainers.config.runtime.vfio_mode";
 /// An annotation to declare shared mount points, which is a set of mount points that directly share mounted objects between containers.
 pub const KATA_ANNO_CFG_SHARED_MOUNTS: &str = "io.katacontainers.config.runtime.shared_mounts";
+/// An annotation to set timeout value in second when do create container
+pub const KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT: &str =
+    "io.katacontainers.config.runtime.create_container_timeout";

 /// A sandbox annotation used to specify prefetch_files.list host path container image
 /// being used,
@@ -880,6 +895,21 @@ impl Annotation {
                        hv.security_info.validate_path(value)?;
                        hv.security_info.guest_hook_path = value.to_string();
                    }
+                    KATA_ANNO_CFG_HYPERVISOR_INIT_DATA => {
+                        hv.security_info.initdata =
+                            add_hypervisor_initdata_overrides(value).unwrap();
+                    }
+                    KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPUS => match self.get_value::<u32>(key) {
+                        Ok(r) => {
+                            hv.remote_info.default_gpus = r.unwrap_or_default();
+                        }
+                        Err(_e) => {
+                            return Err(u32_err);
+                        }
+                    },
+                    KATA_ANNO_CFG_HYPERVISOR_DEFAULT_GPU_MODEL => {
+                        hv.remote_info.default_gpu_model = value.to_string();
+                    }
                    KATA_ANNO_CFG_HYPERVISOR_ENABLE_ROOTLESS_HYPERVISOR => {
                        match self.get_value::<bool>(key) {
                            Ok(r) => {
@@ -962,6 +992,14 @@ impl Annotation {
                            return Err(u32_err);
                        }
                    },
+                    KATA_ANNO_CFG_RUNTIME_CREATE_CONTAINTER_TIMEOUT => match self.get_value::<u32>(key) {
+                        Ok(v) => {
+                            ag.request_timeout_ms = v.unwrap_or_default() * 1000;
+                        }
+                        Err(_e) => {
+                            return Err(u32_err);
+                        }
+                    },
                    // update runtime config
                    KATA_ANNO_CFG_RUNTIME_NAME => {
                        let runtime = vec!["virt-container", "linux-container", "wasm-container"];
--- a/src/libs/kata-types/src/config/agent.rs
+++ b/src/libs/kata-types/src/config/agent.rs
@@ -112,7 +112,10 @@ pub struct Agent {
    pub reconnect_timeout_ms: u32,

    /// Agent request timeout value in millisecond
-    #[serde(default = "default_request_timeout")]
+    /// This timeout value is used to set the maximum duration for the agent to process a CreateContainerRequest.
+    /// It's also used to ensure that workloads, especially those involving large image pulls within the guest,
+    /// have sufficient time to complete.
+    #[serde(default = "default_request_timeout", rename = "create_container_timeout")]
    pub request_timeout_ms: u32,

    /// Agent health check request timeout value in millisecond
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -885,6 +885,12 @@ pub struct SecurityInfo {
    #[serde(default)]
    pub guest_hook_path: String,

+    /// Initdata is dynamic configuration (like policies, configs, and identity files) with encoded format that users inject
+    /// into the TEE Guest upon CVM launch. And it's implemented based on the `InitData Specification`:
+    /// https://github.com/confidential-containers/trustee/blob/61c1dc60ee1f926c2eb95d69666c2430c3fea808/kbs/docs/initdata.md
+    #[serde(default)]
+    pub initdata: String,
+
    /// List of valid annotation names for the hypervisor.
    ///
    /// Each member of the list is a regular expression, which is the base name of the annotation,
@@ -1104,6 +1110,14 @@ pub struct RemoteInfo {
    /// Remote hyperisor timeout of creating (in seconds)
    #[serde(default)]
    pub hypervisor_timeout: i32,
+
+    /// GPU specific annotations (currently only applicable for Remote Hypervisor)
+    /// default_gpus specifies the number of GPUs required for the Kata VM
+    #[serde(default)]
+    pub default_gpus: u32,
+    /// default_gpu_model specifies GPU model like tesla, h100, a100, readeon etc.
+    #[serde(default)]
+    pub default_gpu_model: String,
 }

 /// Common configuration information for hypervisors.
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@@ -0,0 +1,351 @@
+// Copyright (c) 2025 Ant Group
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use anyhow::{anyhow, Context, Result};
+use flate2::read::GzDecoder;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256, Sha384, Sha512};
+use std::{collections::HashMap, io::Read};
+
+/// Currently, initdata only supports version 0.1.0.
+const INITDATA_VERSION: &str = "0.1.0";
+/// supported algorithms list
+const SUPPORTED_ALGORITHMS: [&str; 3] = ["sha256", "sha384", "sha512"];
+
+/// TEE platform type
+#[derive(Debug, Default, Clone, Copy)]
+pub enum ProtectedPlatform {
+    /// Tdx platform for Intel TDX
+    Tdx,
+    /// Snp platform for AMD SEV-SNP
+    Snp,
+    /// Cca platform for ARM CCA
+    Cca,
+    /// Default with no protection
+    #[default]
+    NoProtection,
+}
+
+#[allow(clippy::doc_lazy_continuation)]
+/// <https://github.com/confidential-containers/trustee/blob/47d7a2338e0be76308ac19be5c0c172c592780aa/kbs/docs/initdata.md>
+/// The Initdata specification defines the key data structures and algorithms for injecting any well-defined data
+/// from an untrusted host into a TEE (Trusted Execution Environment). To guarantee the integrity of the data,
+/// either the hostdata capability of TEE evidence or the (v)TPM dynamic measurement capability will be utilized.
+/// And its format looks like as below:
+/// ```toml
+/// algorithm = "sha384"
+/// version = "0.1.0"
+///
+/// [data]
+/// key1 = "value1"
+/// key2 = "value2"
+///```
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub struct InitData {
+    /// version of InitData Spec
+    version: String,
+    /// algorithm: sha256, sha512, sha384
+    algorithm: String,
+    /// data for specific "key:value"
+    data: HashMap<String, String>,
+}
+
+impl InitData {
+    /// new InitData
+    pub fn new(algorithm: impl Into<String>, version: impl Into<String>) -> Self {
+        Self {
+            version: version.into(),
+            algorithm: algorithm.into(),
+            data: HashMap::new(),
+        }
+    }
+
+    /// get coco data
+    pub fn get_coco_data(&self, key: &str) -> Option<&String> {
+        self.data.get(key)
+    }
+
+    /// insert data items
+    pub fn insert_data(&mut self, key: impl Into<String>, value: impl Into<String>) {
+        self.data.insert(key.into(), value.into());
+    }
+
+    /// get algorithm
+    pub fn algorithm(&self) -> &str {
+        &self.algorithm
+    }
+
+    /// get version
+    pub fn version(&self) -> &str {
+        &self.version
+    }
+
+    /// get data
+    pub fn data(&self) -> &HashMap<String, String> {
+        &self.data
+    }
+
+    /// serialize it to Vec<u8>
+    pub fn to_vec(&self) -> Result<Vec<u8>> {
+        Ok(toml::to_vec(&self)?)
+    }
+
+    /// serialize config to TOML string
+    pub fn to_string(&self) -> Result<String> {
+        Ok(toml::to_string_pretty(self)?)
+    }
+
+    /// Validate InitData
+    pub fn validate(&self) -> Result<()> {
+        // Currently, it only supports 0.1.0
+        if self.version != INITDATA_VERSION {
+            return Err(anyhow!(
+                "unsupported version: {}, expected: {}",
+                self.version,
+                INITDATA_VERSION
+            ));
+        }
+
+        if !SUPPORTED_ALGORITHMS
+            .iter()
+            .any(|&alg| alg == self.algorithm)
+        {
+            return Err(anyhow!(
+                "unsupported algorithm: {}, supported algorithms: {}",
+                self.algorithm,
+                SUPPORTED_ALGORITHMS.join(", ")
+            ));
+        }
+
+        Ok(())
+    }
+}
+
+/// calculate initdata digest
+fn calculate_digest(algorithm: &str, data: &str) -> Result<Vec<u8>> {
+    let digest = match algorithm {
+        "sha256" => {
+            let mut hasher = Sha256::new();
+            hasher.update(&data);
+            hasher.finalize().to_vec()
+        }
+        "sha384" => {
+            let mut hasher = Sha384::new();
+            hasher.update(&data);
+            hasher.finalize().to_vec()
+        }
+        "sha512" => {
+            let mut hasher = Sha512::new();
+            hasher.update(&data);
+            hasher.finalize().to_vec()
+        }
+        _ => return Err(anyhow!("unsupported Hash algorithm: {}", algorithm).into()),
+    };
+
+    Ok(digest)
+}
+
+/// Handle digest for different TEE platform
+fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
+    let required_len = match platform {
+        ProtectedPlatform::Tdx => 48,
+        ProtectedPlatform::Snp => 32,
+        ProtectedPlatform::Cca => 64,
+        ProtectedPlatform::NoProtection => digest.len(),
+    };
+
+    let mut adjusted = Vec::with_capacity(required_len);
+
+    if digest.len() >= required_len {
+        adjusted.extend_from_slice(&digest[..required_len]);
+    } else {
+        adjusted.extend_from_slice(digest);
+        adjusted.resize(required_len, 0u8); // padding with zero
+    }
+
+    // Vec<u8>
+    adjusted
+}
+
+/// Parse initdata
+fn parse_initdata(initdata_str: &str) -> Result<InitData> {
+    let initdata: InitData = toml::from_str(&initdata_str)?;
+    initdata.validate()?;
+
+    Ok(initdata)
+}
+
+/// calculate initdata digest
+/// 1. Parse InitData
+/// 2. Calculate Digest
+/// 3. Adjust Digest with Platform
+/// 4. Encode digest with base64/Standard
+pub fn calculate_initdata_digest(
+    initdata_toml: &str,
+    platform: ProtectedPlatform,
+) -> Result<String> {
+    // 1. Parse InitData
+    let initdata: InitData = parse_initdata(initdata_toml).context("parse initdata")?;
+    let algorithm: &str = &initdata.algorithm;
+
+    // 2. Calculate Digest
+    let digest = calculate_digest(algorithm, &initdata_toml).context("calculate digest")?;
+
+    // 3. Adjust Digest with Platform
+    let digest_platform = adjust_digest(&digest, platform);
+
+    // 4. Encode digest with base64/Standard
+    let b64encoded_digest = base64::encode_config(digest_platform, base64::STANDARD);
+
+    Ok(b64encoded_digest)
+}
+
+/// The argument `initda_annotation` is a Standard base64 encoded string containing a TOML formatted content.
+/// This function decodes the base64 string, parses the TOML content into an InitData structure.
+pub fn add_hypervisor_initdata_overrides(initda_annotation: &str) -> Result<String> {
+    // Base64 decode the annotation value
+    let b64_decoded =
+        base64::decode_config(initda_annotation, base64::STANDARD).context("base64 decode")?;
+
+    // Gzip decompress the decoded data
+    let mut gz_decoder = GzDecoder::new(&b64_decoded[..]);
+    let mut initdata_str = String::new();
+    gz_decoder
+        .read_to_string(&mut initdata_str)
+        .context("gz decoder failed")?;
+
+    // Parse the initdata
+    let initdata: InitData = parse_initdata(&initdata_str).context("parse initdata overrides")?;
+
+    // initdata within a TOML string
+    initdata.to_string()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use flate2::write::GzEncoder;
+    use flate2::Compression;
+    use std::io::Write;
+
+    /// Test InitData creation and serialization
+    #[test]
+    fn test_init_data() {
+        let mut init_data = InitData::new("sha384", "0.1.0");
+        init_data.insert_data("initdata_key", "initdata_value");
+
+        // Verify data insertion
+        assert_eq!(
+            init_data.data().get("initdata_key").unwrap(),
+            "initdata_value"
+        );
+        assert_eq!(init_data.version(), "0.1.0");
+        assert_eq!(init_data.algorithm(), "sha384");
+
+        // Test TOML serialization
+        let toml_str = init_data.to_string().unwrap();
+        assert!(toml_str.contains("initdata_key = 'initdata_value'\n"));
+        assert!(toml_str.starts_with("version = '0.1.0'"));
+    }
+
+    /// Test calculate_digest with different algorithms
+    #[test]
+    fn test_calculate_digest() {
+        let data = "test_data";
+
+        // Test SHA256
+        let sha256 = calculate_digest("sha256", data).unwrap();
+        assert_eq!(sha256.len(), 32);
+
+        // Test SHA384
+        let sha384 = calculate_digest("sha384", data).unwrap();
+        assert_eq!(sha384.len(), 48);
+
+        // Test SHA512
+        let sha512 = calculate_digest("sha512", data).unwrap();
+        assert_eq!(sha512.len(), 64);
+
+        // Test invalid algorithm
+        assert!(calculate_digest("md5", data).is_err());
+    }
+
+    /// Test digest adjustment for different platforms
+    #[test]
+    fn test_adjust_digest() {
+        let sample_digest = vec![0xAA; 64]; // 64-byte digest
+
+        // Test TDX platform (requires 48 bytes)
+        let tdx_result = adjust_digest(&sample_digest, ProtectedPlatform::Tdx);
+        assert_eq!(tdx_result.len(), 48);
+        assert_eq!(&tdx_result[..48], &sample_digest[..48]);
+
+        // Test SNP platform (requires 32 bytes)
+        let snp_result = adjust_digest(&sample_digest, ProtectedPlatform::Snp);
+        assert_eq!(snp_result.len(), 32);
+
+        // Test short digest with CCA platform (requires 64 bytes)
+        let short_digest = vec![0xBB; 32];
+        let cca_result = adjust_digest(&short_digest, ProtectedPlatform::Cca);
+        assert_eq!(cca_result.len(), 64);
+        assert_eq!(&cca_result[..32], &short_digest[..]);
+        assert_eq!(&cca_result[32..], vec![0u8; 32]);
+    }
+
+    /// Test hypervisor initdata processing with compression
+    #[test]
+    fn test_hypervisor_initdata_processing() {
+        // Create test initdata
+        let mut init_data = InitData::new("sha512", "0.1.0");
+        init_data.insert_data("hypervisor_key", "config_value");
+
+        // Create compressed annotation
+        let mut encoder = GzEncoder::new(Vec::new(), Compression::default());
+        encoder
+            .write_all(init_data.to_string().unwrap().as_bytes())
+            .unwrap();
+        let compressed = encoder.finish().unwrap();
+        let b64_annotation = base64::encode(compressed);
+
+        // Test processing
+        let result = add_hypervisor_initdata_overrides(&b64_annotation).unwrap();
+        assert!(result.contains("hypervisor_key = 'config_value'\n"));
+        assert!(result.contains("algorithm = 'sha512'\n"));
+    }
+
+    /// Test input validation
+    #[test]
+    fn test_initdata_validation() {
+        // Valid TOML
+        let valid_toml = r#"
+            version = "0.1.0"
+            algorithm = "sha384"
+            
+            [data]
+            valid_key = "valid_value"
+        "#;
+        assert!(parse_initdata(valid_toml).is_ok());
+
+        // Invalid TOML (missing version)
+        let invalid_toml = r#"
+            algorithm = "sha256"
+            
+            [data]
+            key = "value"
+        "#;
+        assert!(parse_initdata(invalid_toml).is_err());
+    }
+
+    /// Test error handling for malformed inputs
+    #[test]
+    fn test_error_handling() {
+        // Invalid base64
+        assert!(add_hypervisor_initdata_overrides("invalid_base64!!").is_err());
+
+        // Invalid compression format
+        let invalid_data = base64::encode("raw uncompressed data");
+        assert!(add_hypervisor_initdata_overrides(&invalid_data).is_err());
+    }
+}
--- a/src/libs/kata-types/src/lib.rs
+++ b/src/libs/kata-types/src/lib.rs
@@ -40,6 +40,10 @@ pub(crate) mod utils;
 /// hypervisor capabilities
 pub mod capabilities;

+/// The Initdata specification defines the key data structures and algorithms for injecting
+/// any well-defined data from an untrusted host into a TEE (Trusted Execution Environment).
+pub mod initdata;
+
 /// Common error codes.
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
--- a/src/libs/kata-types/src/mount.rs
+++ b/src/libs/kata-types/src/mount.rs
@@ -47,6 +47,9 @@ pub const SANDBOX_BIND_MOUNTS_RO: &str = ":ro";
 /// SANDBOX_BIND_MOUNTS_RO is for sandbox bindmounts with readwrite
 pub const SANDBOX_BIND_MOUNTS_RW: &str = ":rw";

+/// KATA_VIRTUAL_VOLUME_PREFIX is for container image guest pull
+pub const KATA_VIRTUAL_VOLUME_PREFIX: &str = "io.katacontainers.volume=";
+
 /// Directly assign a block volume to vm and mount it inside guest.
 pub const KATA_VIRTUAL_VOLUME_DIRECT_BLOCK: &str = "direct_block";
 /// Present a container image as a generic block device.
@@ -384,7 +387,15 @@ impl KataVirtualVolume {
    pub fn from_base64(value: &str) -> Result<Self> {
        let json = base64::decode(value)?;
        let volume: KataVirtualVolume = serde_json::from_slice(&json)?;
+
+        Ok(volume)
+    }
+
+    /// Decode and deserialize a virtual volume object from base64 encoded json string and validate it.
+    pub fn from_base64_and_validate(value: &str) -> Result<Self> {
+        let volume = Self::from_base64(value)?;
        volume.validate()?;
+
        Ok(volume)
    }
 }
@@ -532,7 +543,7 @@ pub fn adjust_rootfs_mounts() -> Result<Vec<Mount>> {
    // Create a new Vec<Mount> with a single Mount entry.
    // This Mount's options will contain the base64-encoded virtual volume.
    Ok(vec![Mount {
-        options: vec![format!("{}={}", "io.katacontainers.volume", b64_vol)],
+        options: vec![format!("{}{}", KATA_VIRTUAL_VOLUME_PREFIX, b64_vol)],
        ..Default::default() // Use default values for other Mount fields
    }])
 }
@@ -647,7 +658,8 @@ mod tests {
        volume.direct_volume = Some(DirectAssignedVolume { metadata });

        let value = volume.to_base64().unwrap();
-        let volume2: KataVirtualVolume = KataVirtualVolume::from_base64(value.as_str()).unwrap();
+        let volume2: KataVirtualVolume =
+            KataVirtualVolume::from_base64_and_validate(value.as_str()).unwrap();
        assert_eq!(volume.volume_type, volume2.volume_type);
        assert_eq!(volume.source, volume2.source);
        assert_eq!(volume.fs_type, volume2.fs_type);
--- a/src/libs/logging/Cargo.toml
+++ b/src/libs/logging/Cargo.toml
@@ -13,9 +13,13 @@ serde_json = "1.0.73"
 # - Dynamic keys required to allow HashMap keys to be slog::Serialized.
 # - The 'max_*' features allow changing the log level at runtime
 #   (by stopping the compiler from removing log calls).
-slog = { version = "2.5.2", features = ["dynamic-keys", "max_level_trace", "release_max_level_debug"] }
+slog = { version = "2.5.2", features = [
+    "dynamic-keys",
+    "max_level_trace",
+    "release_max_level_debug",
+] }
 slog-json = "2.4.0"
-slog-term = "2.9.0"
+slog-term = "2.9.1"
 slog-async = "2.7.0"
 slog-scope = "4.4.0"
 lazy_static = "1.3.0"
--- a/src/libs/protocols/Cargo.toml
+++ b/src/libs/protocols/Cargo.toml
@@ -13,11 +13,11 @@ async = ["ttrpc/async", "async-trait"]
 [dependencies]
 ttrpc = "0.8.4"
 async-trait = { version = "0.1.42", optional = true }
-protobuf = { version = "=3.7.1" }
+protobuf = { version = "3.7.2" }
 serde = { version = "1.0.130", features = ["derive"] }
 serde_json = "1.0.68"
-oci-spec = { version = "0.6.8", features = ["runtime"] }
+oci-spec = { version = "0.8.1", features = ["runtime"] }

 [build-dependencies]
 ttrpc-codegen = "0.5.0"
-protobuf = { version = "=3.7.1" }
+protobuf = { version = "3.7.2" }
--- a/src/mem-agent/.gitignore
+++ b/src/mem-agent/.gitignore
@@ -1,5 +0,0 @@
-/target
-/example/target
-/.vscode
-.vscode-ctags
-
--- a/src/mem-agent/Cargo.lock
+++ b/src/mem-agent/Cargo.lock
@@ -1,917 +0,0 @@
-# This file is automatically @generated by Cargo.
-# It is not intended for manual editing.
-version = 4
-
-[[package]]
-name = "addr2line"
-version = "0.21.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8a30b2e23b9e17a9f90641c7ab1549cd9b44f296d3ccbf309d2863cfe398a0cb"
-dependencies = [
- "gimli",
-]
-
-[[package]]
-name = "adler"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
-
-[[package]]
-name = "android-tzdata"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
-
-[[package]]
-name = "android_system_properties"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
-dependencies = [
- "libc",
-]
-
-[[package]]
-name = "anyhow"
-version = "1.0.81"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0952808a6c2afd1aa8947271f3a60f1a6763c7b912d210184c5149b5cf147247"
-
-[[package]]
-name = "arc-swap"
-version = "1.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7b3d0060af21e8d11a926981cc00c6c1541aa91dd64b9f881985c3da1094425f"
-
-[[package]]
-name = "async-trait"
-version = "0.1.77"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c980ee35e870bd1a4d2c8294d4c04d0499e67bca1e4b5cefcc693c2fa00caea9"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "autocfg"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
-
-[[package]]
-name = "backtrace"
-version = "0.3.69"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837"
-dependencies = [
- "addr2line",
- "cc",
- "cfg-if",
- "libc",
- "miniz_oxide",
- "object",
- "rustc-demangle",
-]
-
-[[package]]
-name = "bitflags"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
-
-[[package]]
-name = "bitflags"
-version = "2.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
-
-[[package]]
-name = "bumpalo"
-version = "3.15.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7ff69b9dd49fd426c69a0db9fc04dd934cdb6645ff000864d98f7e2af8830eaa"
-
-[[package]]
-name = "bytes"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a2bd12c1caf447e69cd4528f47f94d203fd2582878ecb9e9465484c4148a8223"
-
-[[package]]
-name = "cc"
-version = "1.0.90"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8cd6604a82acf3039f1144f54b8eb34e91ffba622051189e71b781822d5ee1f5"
-
-[[package]]
-name = "cfg-if"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
-
-[[package]]
-name = "chrono"
-version = "0.4.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8eaf5903dcbc0a39312feb77df2ff4c76387d591b9fc7b04a238dcf8bb62639a"
-dependencies = [
- "android-tzdata",
- "iana-time-zone",
- "js-sys",
- "num-traits",
- "wasm-bindgen",
- "windows-targets 0.52.4",
-]
-
-[[package]]
-name = "core-foundation-sys"
-version = "0.8.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
-
-[[package]]
-name = "crossbeam-channel"
-version = "0.5.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
-dependencies = [
- "crossbeam-utils",
-]
-
-[[package]]
-name = "crossbeam-utils"
-version = "0.8.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
-
-[[package]]
-name = "deranged"
-version = "0.3.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
-dependencies = [
- "powerfmt",
-]
-
-[[package]]
-name = "dirs-next"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
-dependencies = [
- "cfg-if",
- "dirs-sys-next",
-]
-
-[[package]]
-name = "dirs-sys-next"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
-dependencies = [
- "libc",
- "redox_users",
- "winapi",
-]
-
-[[package]]
-name = "getrandom"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
-dependencies = [
- "cfg-if",
- "libc",
- "wasi",
-]
-
-[[package]]
-name = "gimli"
-version = "0.28.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
-
-[[package]]
-name = "hermit-abi"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbf6a919d6cf397374f7dfeeea91d974c7c0a7221d0d0f4f20d859d329e53fcc"
-
-[[package]]
-name = "iana-time-zone"
-version = "0.1.60"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e7ffbb5a1b541ea2561f8c41c087286cc091e21e556a4f09a8f6cbf17b69b141"
-dependencies = [
- "android_system_properties",
- "core-foundation-sys",
- "iana-time-zone-haiku",
- "js-sys",
- "wasm-bindgen",
- "windows-core",
-]
-
-[[package]]
-name = "iana-time-zone-haiku"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "is-terminal"
-version = "0.4.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "261f68e344040fbd0edea105bef17c66edf46f984ddb1115b775ce31be948f4b"
-dependencies = [
- "hermit-abi",
- "libc",
- "windows-sys",
-]
-
-[[package]]
-name = "itoa"
-version = "1.0.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
-
-[[package]]
-name = "js-sys"
-version = "0.3.69"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d"
-dependencies = [
- "wasm-bindgen",
-]
-
-[[package]]
-name = "lazy_static"
-version = "1.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
-
-[[package]]
-name = "libc"
-version = "0.2.172"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
-
-[[package]]
-name = "libredox"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
-dependencies = [
- "bitflags 2.6.0",
- "libc",
-]
-
-[[package]]
-name = "lock_api"
-version = "0.4.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3c168f8615b12bc01f9c17e2eb0cc07dcae1940121185446edc3744920e8ef45"
-dependencies = [
- "autocfg",
- "scopeguard",
-]
-
-[[package]]
-name = "log"
-version = "0.4.21"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
-
-[[package]]
-name = "maplit"
-version = "1.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
-
-[[package]]
-name = "mem-agent"
-version = "0.1.0"
-dependencies = [
- "anyhow",
- "async-trait",
- "chrono",
- "lazy_static",
- "maplit",
- "nix",
- "once_cell",
- "page_size",
- "slog",
- "slog-async",
- "slog-scope",
- "slog-term",
- "tokio",
-]
-
-[[package]]
-name = "memchr"
-version = "2.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "523dc4f511e55ab87b694dc30d0f820d60906ef06413f93d4d7a1385599cc149"
-
-[[package]]
-name = "memoffset"
-version = "0.6.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aa361d4faea93603064a027415f07bd8e1d5c88c9fbf68bf56a285428fd79ce"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "miniz_oxide"
-version = "0.7.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7"
-dependencies = [
- "adler",
-]
-
-[[package]]
-name = "mio"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
-dependencies = [
- "libc",
- "wasi",
- "windows-sys",
-]
-
-[[package]]
-name = "nix"
-version = "0.23.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f3790c00a0150112de0f4cd161e3d7fc4b2d8a5542ffc35f099a2562aecb35c"
-dependencies = [
- "bitflags 1.3.2",
- "cc",
- "cfg-if",
- "libc",
- "memoffset",
-]
-
-[[package]]
-name = "num-conv"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
-
-[[package]]
-name = "num-traits"
-version = "0.2.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "object"
-version = "0.32.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6a622008b6e321afc04970976f62ee297fdbaa6f95318ca343e3eebb9648441"
-dependencies = [
- "memchr",
-]
-
-[[package]]
-name = "once_cell"
-version = "1.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
-
-[[package]]
-name = "page_size"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
-dependencies = [
- "libc",
- "winapi",
-]
-
-[[package]]
-name = "parking_lot"
-version = "0.12.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
-dependencies = [
- "lock_api",
- "parking_lot_core",
-]
-
-[[package]]
-name = "parking_lot_core"
-version = "0.9.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e"
-dependencies = [
- "cfg-if",
- "libc",
- "redox_syscall",
- "smallvec",
- "windows-targets 0.48.5",
-]
-
-[[package]]
-name = "pin-project-lite"
-version = "0.2.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8afb450f006bf6385ca15ef45d71d2288452bc3683ce2e2cacc0d18e4be60b58"
-
-[[package]]
-name = "powerfmt"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
-
-[[package]]
-name = "proc-macro2"
-version = "1.0.79"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e"
-dependencies = [
- "unicode-ident",
-]
-
-[[package]]
-name = "quote"
-version = "1.0.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
-dependencies = [
- "proc-macro2",
-]
-
-[[package]]
-name = "redox_syscall"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa"
-dependencies = [
- "bitflags 1.3.2",
-]
-
-[[package]]
-name = "redox_users"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
-dependencies = [
- "getrandom",
- "libredox",
- "thiserror",
-]
-
-[[package]]
-name = "rustc-demangle"
-version = "0.1.23"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
-
-[[package]]
-name = "rustversion"
-version = "1.0.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e819f2bc632f285be6d7cd36e25940d45b2391dd6d9b939e79de557f7014248"
-
-[[package]]
-name = "scopeguard"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
-
-[[package]]
-name = "serde"
-version = "1.0.210"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
-dependencies = [
- "serde_derive",
-]
-
-[[package]]
-name = "serde_derive"
-version = "1.0.210"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "signal-hook-registry"
-version = "1.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8229b473baa5980ac72ef434c4415e70c4b5e71b423043adb4ba059f89c99a1"
-dependencies = [
- "libc",
-]
-
-[[package]]
-name = "slog"
-version = "2.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
-
-[[package]]
-name = "slog-async"
-version = "2.8.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72c8038f898a2c79507940990f05386455b3a317d8f18d4caea7cbc3d5096b84"
-dependencies = [
- "crossbeam-channel",
- "slog",
- "take_mut",
- "thread_local",
-]
-
-[[package]]
-name = "slog-scope"
-version = "4.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f95a4b4c3274cd2869549da82b57ccc930859bdbf5bcea0424bc5f140b3c786"
-dependencies = [
- "arc-swap",
- "lazy_static",
- "slog",
-]
-
-[[package]]
-name = "slog-term"
-version = "2.9.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6e022d0b998abfe5c3782c1f03551a596269450ccd677ea51c56f8b214610e8"
-dependencies = [
- "is-terminal",
- "slog",
- "term",
- "thread_local",
- "time",
-]
-
-[[package]]
-name = "smallvec"
-version = "1.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6ecd384b10a64542d77071bd64bd7b231f4ed5940fba55e98c3de13824cf3d7"
-
-[[package]]
-name = "socket2"
-version = "0.5.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05ffd9c0a93b7543e062e759284fcf5f5e3b098501104bfbdde4d404db792871"
-dependencies = [
- "libc",
- "windows-sys",
-]
-
-[[package]]
-name = "syn"
-version = "2.0.52"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b699d15b36d1f02c3e7c69f8ffef53de37aefae075d8488d4ba1a7788d574a07"
-dependencies = [
- "proc-macro2",
- "quote",
- "unicode-ident",
-]
-
-[[package]]
-name = "take_mut"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f764005d11ee5f36500a149ace24e00e3da98b0158b3e2d53a7495660d3f4d60"
-
-[[package]]
-name = "term"
-version = "0.7.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
-dependencies = [
- "dirs-next",
- "rustversion",
- "winapi",
-]
-
-[[package]]
-name = "thiserror"
-version = "1.0.65"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d11abd9594d9b38965ef50805c5e469ca9cc6f197f883f717e0269a3057b3d5"
-dependencies = [
- "thiserror-impl",
-]
-
-[[package]]
-name = "thiserror-impl"
-version = "1.0.65"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae71770322cbd277e69d762a16c444af02aa0575ac0d174f0b9562d3b37f8602"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "thread_local"
-version = "1.1.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c"
-dependencies = [
- "cfg-if",
- "once_cell",
-]
-
-[[package]]
-name = "time"
-version = "0.3.37"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "35e7868883861bd0e56d9ac6efcaaca0d6d5d82a2a7ec8209ff492c07cf37b21"
-dependencies = [
- "deranged",
- "itoa",
- "num-conv",
- "powerfmt",
- "serde",
- "time-core",
- "time-macros",
-]
-
-[[package]]
-name = "time-core"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
-
-[[package]]
-name = "time-macros"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2834e6017e3e5e4b9834939793b282bc03b37a3336245fa820e35e233e2a85de"
-dependencies = [
- "num-conv",
- "time-core",
-]
-
-[[package]]
-name = "tokio"
-version = "1.44.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
-dependencies = [
- "backtrace",
- "bytes",
- "libc",
- "mio",
- "parking_lot",
- "pin-project-lite",
- "signal-hook-registry",
- "socket2",
- "tokio-macros",
- "windows-sys",
-]
-
-[[package]]
-name = "tokio-macros"
-version = "2.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "unicode-ident"
-version = "1.0.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
-
-[[package]]
-name = "wasi"
-version = "0.11.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
-
-[[package]]
-name = "wasm-bindgen"
-version = "0.2.92"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8"
-dependencies = [
- "cfg-if",
- "wasm-bindgen-macro",
-]
-
-[[package]]
-name = "wasm-bindgen-backend"
-version = "0.2.92"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da"
-dependencies = [
- "bumpalo",
- "log",
- "once_cell",
- "proc-macro2",
- "quote",
- "syn",
- "wasm-bindgen-shared",
-]
-
-[[package]]
-name = "wasm-bindgen-macro"
-version = "0.2.92"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726"
-dependencies = [
- "quote",
- "wasm-bindgen-macro-support",
-]
-
-[[package]]
-name = "wasm-bindgen-macro-support"
-version = "0.2.92"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
- "wasm-bindgen-backend",
- "wasm-bindgen-shared",
-]
-
-[[package]]
-name = "wasm-bindgen-shared"
-version = "0.2.92"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96"
-
-[[package]]
-name = "winapi"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
-dependencies = [
- "winapi-i686-pc-windows-gnu",
- "winapi-x86_64-pc-windows-gnu",
-]
-
-[[package]]
-name = "winapi-i686-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
-
-[[package]]
-name = "winapi-x86_64-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
-
-[[package]]
-name = "windows-core"
-version = "0.52.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9"
-dependencies = [
- "windows-targets 0.52.4",
-]
-
-[[package]]
-name = "windows-sys"
-version = "0.52.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
-dependencies = [
- "windows-targets 0.52.4",
-]
-
-[[package]]
-name = "windows-targets"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
-dependencies = [
- "windows_aarch64_gnullvm 0.48.5",
- "windows_aarch64_msvc 0.48.5",
- "windows_i686_gnu 0.48.5",
- "windows_i686_msvc 0.48.5",
- "windows_x86_64_gnu 0.48.5",
- "windows_x86_64_gnullvm 0.48.5",
- "windows_x86_64_msvc 0.48.5",
-]
-
-[[package]]
-name = "windows-targets"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7dd37b7e5ab9018759f893a1952c9420d060016fc19a472b4bb20d1bdd694d1b"
-dependencies = [
- "windows_aarch64_gnullvm 0.52.4",
- "windows_aarch64_msvc 0.52.4",
- "windows_i686_gnu 0.52.4",
- "windows_i686_msvc 0.52.4",
- "windows_x86_64_gnu 0.52.4",
- "windows_x86_64_gnullvm 0.52.4",
- "windows_x86_64_msvc 0.52.4",
-]
-
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
-
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bcf46cf4c365c6f2d1cc93ce535f2c8b244591df96ceee75d8e83deb70a9cac9"
-
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
-
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da9f259dd3bcf6990b55bffd094c4f7235817ba4ceebde8e6d11cd0c5633b675"
-
-[[package]]
-name = "windows_i686_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
-
-[[package]]
-name = "windows_i686_gnu"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b474d8268f99e0995f25b9f095bc7434632601028cf86590aea5c8a5cb7801d3"
-
-[[package]]
-name = "windows_i686_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
-
-[[package]]
-name = "windows_i686_msvc"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1515e9a29e5bed743cb4415a9ecf5dfca648ce85ee42e15873c3cd8610ff8e02"
-
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
-
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eee091590e89cc02ad514ffe3ead9eb6b660aedca2183455434b93546371a03"
-
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
-
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77ca79f2451b49fa9e2af39f0747fe999fcda4f5e241b2898624dca97a1f2177"
-
-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.48.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
-
-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.52.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32b752e52a2da0ddfbdbcc6fceadfeede4c939ed16d13e648833a61dfb611ed8"
--- a/src/mem-agent/Cargo.toml
+++ b/src/mem-agent/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
-name = "mem-agent"
-version = "0.1.0"
-edition = "2018"
+name = "mem-agent-lib"
+version = "0.2.0"
+edition = "2021"

 [dependencies]
 slog = "2.5.2"
@@ -9,13 +9,14 @@ slog-scope = "4.1.2"
 anyhow = "1.0"
 page_size = "0.6"
 chrono = "0.4"
-tokio = { version = "1.44.2", features = ["full"] }
+tokio = { version = "1.45.1", features = ["full"] }
 async-trait = "0.1"
-lazy_static = "1.4"
-nix = "0.23.2"
+maplit = "1.0"
+nix = { version = "0.30.1", features = ["fs", "sched"] }

 [dev-dependencies]
 maplit = "1.0"
 slog-term = "2.9.0"
 slog-async = "2.7"
 once_cell = "1.9.0"
+lazy_static = "1.4"
--- a/src/mem-agent/Makefile
+++ b/src/mem-agent/Makefile
@@ -1,6 +0,0 @@
-# Copyright (C) 2024 Ant group. All rights reserved.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-default:
-	cd example; cargo build --examples --target x86_64-unknown-linux-musl
--- a/src/mem-agent/example/Cargo.lock
+++ b/src/mem-agent/example/Cargo.lock
--- a/src/mem-agent/example/Cargo.toml
+++ b/src/mem-agent/example/Cargo.toml
@@ -1,36 +0,0 @@
-[package]
-name = "mem-agent-bin"
-version = "0.1.0"
-edition = "2018"
-
-[dependencies]
-slog = "2.5.2"
-slog-scope = "4.1.2"
-slog-term = "2.9.0"
-slog-async = "2.7"
-structopt = "0.3"
-anyhow = "1.0"
-libc = "0.2"
-page_size = "0.6"
-chrono = "0.4"
-maplit = "1.0"
-ttrpc = { version = "0.8", features = ["async"] }
-tokio = { version = "1.44.2", features = ["full"] }
-async-trait = "0.1"
-byteorder = "1.5"
-protobuf = "3.1"
-lazy_static = "1.4"
-# Rust 1.68 doesn't support 0.5.9
-home = "=0.5.5"
-mem-agent = { path = "../" }
-
-[[example]]
-name = "mem-agent-srv"
-path = "./srv.rs"
-
-[[example]]
-name = "mem-agent-ctl"
-path = "./ctl.rs"
-
-[build-dependencies]
-ttrpc-codegen = "0.4"
--- a/src/mem-agent/example/build.rs
+++ b/src/mem-agent/example/build.rs
@@ -1,29 +0,0 @@
-// Copyright (C) 2024 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-use ttrpc_codegen::{Codegen, Customize, ProtobufCustomize};
-
-fn main() -> Result<(), Box<dyn std::error::Error>> {
-    let protos = vec![
-        "protocols/protos/mem-agent.proto",
-        "protocols/protos/google/protobuf/empty.proto",
-        "protocols/protos/google/protobuf/timestamp.proto",
-    ];
-
-    let protobuf_customized = ProtobufCustomize::default().gen_mod_rs(false);
-
-    Codegen::new()
-        .out_dir("protocols/")
-        .inputs(&protos)
-        .include("protocols/protos/")
-        .rust_protobuf()
-        .customize(Customize {
-            async_all: true,
-            ..Default::default()
-        })
-        .rust_protobuf_customize(protobuf_customized.clone())
-        .run()?;
-
-    Ok(())
-}
--- a/src/mem-agent/example/ctl.rs
+++ b/src/mem-agent/example/ctl.rs
@@ -1,79 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-mod protocols;
-mod share;
-
-use anyhow::{anyhow, Result};
-use protocols::empty;
-use protocols::mem_agent_ttrpc;
-use share::option::{CompactSetOption, MemcgSetOption};
-use structopt::StructOpt;
-use ttrpc::r#async::Client;
-
-#[derive(Debug, StructOpt)]
-enum Command {
-    #[structopt(name = "memcgstatus", about = "get memory cgroup status")]
-    MemcgStatus,
-
-    #[structopt(name = "memcgset", about = "set memory cgroup")]
-    MemcgSet(MemcgSetOption),
-
-    #[structopt(name = "compactset", about = "set compact")]
-    CompactSet(CompactSetOption),
-}
-
-#[derive(StructOpt, Debug)]
-#[structopt(name = "mem-agent-ctl", about = "Memory agent controler")]
-struct Opt {
-    #[structopt(long, default_value = "unix:///var/run/mem-agent.sock")]
-    addr: String,
-
-    #[structopt(subcommand)]
-    command: Command,
-}
-
-#[tokio::main]
-async fn main() -> Result<()> {
-    let opt = Opt::from_args();
-
-    // setup client
-    let c = Client::connect(&opt.addr).unwrap();
-    let client = mem_agent_ttrpc::ControlClient::new(c.clone());
-
-    match opt.command {
-        Command::MemcgStatus => {
-            let mss = client
-                .memcg_status(ttrpc::context::with_timeout(0), &empty::Empty::new())
-                .await
-                .map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
-            for mcg in mss.mem_cgroups {
-                println!("{:?}", mcg);
-                for (numa_id, n) in mcg.numa {
-                    if let Some(t) = n.last_inc_time.into_option() {
-                        println!("{} {:?}", numa_id, share::misc::timestamp_to_datetime(t)?);
-                    }
-                }
-            }
-        }
-
-        Command::MemcgSet(c) => {
-            let config = c.to_rpc_memcg_config();
-            client
-                .memcg_set(ttrpc::context::with_timeout(0), &config)
-                .await
-                .map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
-        }
-
-        Command::CompactSet(c) => {
-            let config = c.to_rpc_compact_config();
-            client
-                .compact_set(ttrpc::context::with_timeout(0), &config)
-                .await
-                .map_err(|e| anyhow!("client.memcg_status fail: {}", e))?;
-        }
-    }
-
-    Ok(())
-}
--- a/src/mem-agent/example/protocols/mod.rs
+++ b/src/mem-agent/example/protocols/mod.rs
@@ -1,8 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-pub mod empty;
-pub mod mem_agent;
-pub mod mem_agent_ttrpc;
-pub mod timestamp;
--- a/src/mem-agent/example/protocols/protos/google/protobuf/empty.proto
+++ b/src/mem-agent/example/protocols/protos/google/protobuf/empty.proto
@@ -1,52 +0,0 @@
-// Protocol Buffers - Google's data interchange format
-// Copyright 2008 Google Inc.  All rights reserved.
-// https://developers.google.com/protocol-buffers/
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-//     * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//     * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-//     * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-syntax = "proto3";
-
-package google.protobuf;
-
-option csharp_namespace = "Google.Protobuf.WellKnownTypes";
-option go_package = "types";
-option java_package = "com.google.protobuf";
-option java_outer_classname = "EmptyProto";
-option java_multiple_files = true;
-option objc_class_prefix = "GPB";
-option cc_enable_arenas = true;
-
-// A generic empty message that you can re-use to avoid defining duplicated
-// empty messages in your APIs. A typical example is to use it as the request
-// or the response type of an API method. For instance:
-//
-//     service Foo {
-//       rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
-//     }
-//
-// The JSON representation for `Empty` is empty JSON object `{}`.
-message Empty {}
--- a/src/mem-agent/example/protocols/protos/google/protobuf/timestamp.proto
+++ b/src/mem-agent/example/protocols/protos/google/protobuf/timestamp.proto
@@ -1,138 +0,0 @@
-// Protocol Buffers - Google's data interchange format
-// Copyright 2008 Google Inc.  All rights reserved.
-// https://developers.google.com/protocol-buffers/
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-//     * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//     * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-//     * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-syntax = "proto3";
-
-package google.protobuf;
-
-option csharp_namespace = "Google.Protobuf.WellKnownTypes";
-option cc_enable_arenas = true;
-option go_package = "github.com/golang/protobuf/ptypes/timestamp";
-option java_package = "com.google.protobuf";
-option java_outer_classname = "TimestampProto";
-option java_multiple_files = true;
-option objc_class_prefix = "GPB";
-
-// A Timestamp represents a point in time independent of any time zone or local
-// calendar, encoded as a count of seconds and fractions of seconds at
-// nanosecond resolution. The count is relative to an epoch at UTC midnight on
-// January 1, 1970, in the proleptic Gregorian calendar which extends the
-// Gregorian calendar backwards to year one.
-//
-// All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap
-// second table is needed for interpretation, using a [24-hour linear
-// smear](https://developers.google.com/time/smear).
-//
-// The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By
-// restricting to that range, we ensure that we can convert to and from [RFC
-// 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings.
-//
-// # Examples
-//
-// Example 1: Compute Timestamp from POSIX `time()`.
-//
-//     Timestamp timestamp;
-//     timestamp.set_seconds(time(NULL));
-//     timestamp.set_nanos(0);
-//
-// Example 2: Compute Timestamp from POSIX `gettimeofday()`.
-//
-//     struct timeval tv;
-//     gettimeofday(&tv, NULL);
-//
-//     Timestamp timestamp;
-//     timestamp.set_seconds(tv.tv_sec);
-//     timestamp.set_nanos(tv.tv_usec * 1000);
-//
-// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`.
-//
-//     FILETIME ft;
-//     GetSystemTimeAsFileTime(&ft);
-//     UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime;
-//
-//     // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z
-//     // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z.
-//     Timestamp timestamp;
-//     timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL));
-//     timestamp.set_nanos((INT32) ((ticks % 10000000) * 100));
-//
-// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`.
-//
-//     long millis = System.currentTimeMillis();
-//
-//     Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000)
-//         .setNanos((int) ((millis % 1000) * 1000000)).build();
-//
-//
-// Example 5: Compute Timestamp from current time in Python.
-//
-//     timestamp = Timestamp()
-//     timestamp.GetCurrentTime()
-//
-// # JSON Mapping
-//
-// In JSON format, the Timestamp type is encoded as a string in the
-// [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the
-// format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z"
-// where {year} is always expressed using four digits while {month}, {day},
-// {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional
-// seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution),
-// are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone
-// is required. A proto3 JSON serializer should always use UTC (as indicated by
-// "Z") when printing the Timestamp type and a proto3 JSON parser should be
-// able to accept both UTC and other timezones (as indicated by an offset).
-//
-// For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past
-// 01:30 UTC on January 15, 2017.
-//
-// In JavaScript, one can convert a Date object to this format using the
-// standard
-// [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString)
-// method. In Python, a standard `datetime.datetime` object can be converted
-// to this format using
-// [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with
-// the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use
-// the Joda Time's [`ISODateTimeFormat.dateTime()`](
-// http://www.joda.org/joda-time/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime%2D%2D
-// ) to obtain a formatter capable of generating timestamps in this format.
-//
-//
-message Timestamp {
-  // Represents seconds of UTC time since Unix epoch
-  // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
-  // 9999-12-31T23:59:59Z inclusive.
-  int64 seconds = 1;
-
-  // Non-negative fractions of a second at nanosecond resolution. Negative
-  // second values with fractions must still have non-negative nanos values
-  // that count forward in time. Must be from 0 to 999,999,999
-  // inclusive.
-  int32 nanos = 2;
-}
--- a/src/mem-agent/example/protocols/protos/mem-agent.proto
+++ b/src/mem-agent/example/protocols/protos/mem-agent.proto
@@ -1,66 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-syntax = "proto3";
-
-package MemAgent;
-
-import "google/protobuf/empty.proto";
-import "google/protobuf/timestamp.proto";
-
-service Control {
-    rpc MemcgStatus(google.protobuf.Empty) returns (MemcgStatusReply);
-    rpc MemcgSet(MemcgConfig) returns (google.protobuf.Empty);
-    rpc CompactSet(CompactConfig) returns (google.protobuf.Empty);
-}
-
-message EvictionCount {
-    uint64 page = 1;
-    uint64 no_min_lru_file = 2;
-    uint64 min_lru_inc = 3;
-    uint64 other_error = 4;
-    uint64 error = 5;
-    uint64 psi_exceeds_limit = 6;
-}
-
-message StatusNuma {
-    google.protobuf.Timestamp last_inc_time = 1;
-    uint64 max_seq = 2;
-    uint64 min_seq = 3;
-    uint64 run_aging_count = 4;
-    EvictionCount eviction_count = 5;
-}
-
-message MemCgroup {
-    uint32 id = 1;
-    uint64 ino = 2;
-    string path = 3;
-    uint64 sleep_psi_exceeds_limit = 4;
-    map<uint32, StatusNuma> numa = 5;
-}
-
-message MemcgStatusReply {
-    repeated MemCgroup mem_cgroups = 1;
-}
-
-message MemcgConfig {
-    optional bool disabled = 1;
-    optional bool swap = 2;
-    optional uint32 swappiness_max = 3;
-    optional uint64 period_secs = 4;
-    optional uint32 period_psi_percent_limit = 5;
-    optional uint32 eviction_psi_percent_limit = 6;
-    optional uint64 eviction_run_aging_count_min = 7;
-}
-
-message CompactConfig {
-    optional bool disabled = 1;
-    optional uint64 period_secs = 2;
-    optional uint32 period_psi_percent_limit = 3;
-    optional uint32 compact_psi_percent_limit = 4;
-    optional int64 compact_sec_max = 5;
-    optional uint32 compact_order = 6;
-    optional uint64 compact_threshold = 7;
-    optional uint64 compact_force_times = 8;
-}
--- a/src/mem-agent/example/share/misc.rs
+++ b/src/mem-agent/example/share/misc.rs
@@ -1,29 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-use anyhow::{anyhow, Result};
-use chrono::{DateTime, LocalResult, TimeZone, Utc};
-use protobuf::well_known_types::timestamp::Timestamp;
-
-pub fn datatime_to_timestamp(dt: DateTime<Utc>) -> Timestamp {
-    let seconds = dt.timestamp();
-    let nanos = dt.timestamp_subsec_nanos();
-
-    Timestamp {
-        seconds,
-        nanos: nanos as i32,
-        ..Default::default()
-    }
-}
-
-#[allow(dead_code)]
-pub fn timestamp_to_datetime(timestamp: Timestamp) -> Result<DateTime<Utc>> {
-    let seconds = timestamp.seconds;
-    let nanos = timestamp.nanos;
-
-    match Utc.timestamp_opt(seconds, nanos as u32) {
-        LocalResult::Single(t) => Ok(t),
-        _ => Err(anyhow!("Utc.timestamp_opt {} fail", timestamp)),
-    }
-}
--- a/src/mem-agent/example/share/mod.rs
+++ b/src/mem-agent/example/share/mod.rs
@@ -1,7 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-pub mod misc;
-pub mod option;
-pub mod rpc;
--- a/src/mem-agent/example/share/option.rs
+++ b/src/mem-agent/example/share/option.rs
@@ -1,146 +0,0 @@
-// Copyright (C) 2024 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-use crate::protocols::mem_agent as rpc;
-use structopt::StructOpt;
-
-#[derive(Debug, StructOpt)]
-pub struct MemcgSetOption {
-    #[structopt(long)]
-    memcg_disabled: Option<bool>,
-    #[structopt(long)]
-    memcg_swap: Option<bool>,
-    #[structopt(long)]
-    memcg_swappiness_max: Option<u8>,
-    #[structopt(long)]
-    memcg_period_secs: Option<u64>,
-    #[structopt(long)]
-    memcg_period_psi_percent_limit: Option<u8>,
-    #[structopt(long)]
-    memcg_eviction_psi_percent_limit: Option<u8>,
-    #[structopt(long)]
-    memcg_eviction_run_aging_count_min: Option<u64>,
-}
-
-impl MemcgSetOption {
-    #[allow(dead_code)]
-    pub fn to_rpc_memcg_config(&self) -> rpc::MemcgConfig {
-        let config = rpc::MemcgConfig {
-            disabled: self.memcg_disabled,
-            swap: self.memcg_swap,
-            swappiness_max: self.memcg_swappiness_max.map(|v| v as u32),
-            period_secs: self.memcg_period_secs,
-            period_psi_percent_limit: self.memcg_period_psi_percent_limit.map(|v| v as u32),
-            eviction_psi_percent_limit: self.memcg_eviction_psi_percent_limit.map(|v| v as u32),
-            eviction_run_aging_count_min: self.memcg_eviction_run_aging_count_min,
-            ..Default::default()
-        };
-
-        config
-    }
-
-    #[allow(dead_code)]
-    pub fn to_mem_agent_memcg_config(&self) -> mem_agent::memcg::Config {
-        let mut config = mem_agent::memcg::Config {
-            ..Default::default()
-        };
-
-        if let Some(v) = self.memcg_disabled {
-            config.disabled = v;
-        }
-        if let Some(v) = self.memcg_swap {
-            config.swap = v;
-        }
-        if let Some(v) = self.memcg_swappiness_max {
-            config.swappiness_max = v;
-        }
-        if let Some(v) = self.memcg_period_secs {
-            config.period_secs = v;
-        }
-        if let Some(v) = self.memcg_period_psi_percent_limit {
-            config.period_psi_percent_limit = v;
-        }
-        if let Some(v) = self.memcg_eviction_psi_percent_limit {
-            config.eviction_psi_percent_limit = v;
-        }
-        if let Some(v) = self.memcg_eviction_run_aging_count_min {
-            config.eviction_run_aging_count_min = v;
-        }
-
-        config
-    }
-}
-
-#[derive(Debug, StructOpt)]
-pub struct CompactSetOption {
-    #[structopt(long)]
-    compact_disabled: Option<bool>,
-    #[structopt(long)]
-    compact_period_secs: Option<u64>,
-    #[structopt(long)]
-    compact_period_psi_percent_limit: Option<u8>,
-    #[structopt(long)]
-    compact_psi_percent_limit: Option<u8>,
-    #[structopt(long)]
-    compact_sec_max: Option<i64>,
-    #[structopt(long)]
-    compact_order: Option<u8>,
-    #[structopt(long)]
-    compact_threshold: Option<u64>,
-    #[structopt(long)]
-    compact_force_times: Option<u64>,
-}
-
-impl CompactSetOption {
-    #[allow(dead_code)]
-    pub fn to_rpc_compact_config(&self) -> rpc::CompactConfig {
-        let config = rpc::CompactConfig {
-            disabled: self.compact_disabled,
-            period_secs: self.compact_period_secs,
-            period_psi_percent_limit: self.compact_period_psi_percent_limit.map(|v| v as u32),
-            compact_psi_percent_limit: self.compact_psi_percent_limit.map(|v| v as u32),
-            compact_sec_max: self.compact_sec_max,
-            compact_order: self.compact_order.map(|v| v as u32),
-            compact_threshold: self.compact_threshold,
-            compact_force_times: self.compact_force_times,
-            ..Default::default()
-        };
-
-        config
-    }
-
-    #[allow(dead_code)]
-    pub fn to_mem_agent_compact_config(&self) -> mem_agent::compact::Config {
-        let mut config = mem_agent::compact::Config {
-            ..Default::default()
-        };
-
-        if let Some(v) = self.compact_disabled {
-            config.disabled = v;
-        }
-        if let Some(v) = self.compact_period_secs {
-            config.period_secs = v;
-        }
-        if let Some(v) = self.compact_period_psi_percent_limit {
-            config.period_psi_percent_limit = v;
-        }
-        if let Some(v) = self.compact_psi_percent_limit {
-            config.compact_psi_percent_limit = v;
-        }
-        if let Some(v) = self.compact_sec_max {
-            config.compact_sec_max = v;
-        }
-        if let Some(v) = self.compact_order {
-            config.compact_order = v;
-        }
-        if let Some(v) = self.compact_threshold {
-            config.compact_threshold = v;
-        }
-        if let Some(v) = self.compact_force_times {
-            config.compact_force_times = v;
-        }
-
-        config
-    }
-}
--- a/src/mem-agent/example/share/rpc.rs
+++ b/src/mem-agent/example/share/rpc.rs
@@ -1,221 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-use crate::protocols::mem_agent as rpc_mem_agent;
-use crate::protocols::{empty, mem_agent_ttrpc};
-use anyhow::{anyhow, Result};
-use async_trait::async_trait;
-use mem_agent::{agent, compact, memcg};
-use slog_scope::{error, info};
-use std::fs;
-use std::os::unix::fs::PermissionsExt;
-use std::sync::Arc;
-use tokio::signal::unix::{signal, SignalKind};
-use ttrpc::asynchronous::Server;
-use ttrpc::error::Error;
-use ttrpc::proto::Code;
-
-#[derive(Debug)]
-pub struct MyControl {
-    agent: agent::MemAgent,
-}
-
-impl MyControl {
-    #[allow(dead_code)]
-    pub fn new(agent: agent::MemAgent) -> Self {
-        Self { agent }
-    }
-}
-
-fn mem_cgroup_to_mem_cgroup_rpc(mcg: &memcg::MemCgroup) -> rpc_mem_agent::MemCgroup {
-    rpc_mem_agent::MemCgroup {
-        id: mcg.id as u32,
-        ino: mcg.ino as u64,
-        path: mcg.path.clone(),
-        sleep_psi_exceeds_limit: mcg.sleep_psi_exceeds_limit,
-        numa: mcg
-            .numa
-            .iter()
-            .map(|(numa_id, n)| {
-                (
-                    *numa_id,
-                    rpc_mem_agent::StatusNuma {
-                        last_inc_time: protobuf::MessageField::some(
-                            crate::share::misc::datatime_to_timestamp(n.last_inc_time),
-                        ),
-                        max_seq: n.max_seq,
-                        min_seq: n.min_seq,
-                        run_aging_count: n.run_aging_count,
-                        eviction_count: protobuf::MessageField::some(
-                            rpc_mem_agent::EvictionCount {
-                                page: n.eviction_count.page,
-                                no_min_lru_file: n.eviction_count.no_min_lru_file,
-                                min_lru_inc: n.eviction_count.min_lru_inc,
-                                other_error: n.eviction_count.other_error,
-                                error: n.eviction_count.error,
-                                psi_exceeds_limit: n.eviction_count.psi_exceeds_limit,
-                                ..Default::default()
-                            },
-                        ),
-                        ..Default::default()
-                    },
-                )
-            })
-            .collect(),
-        ..Default::default()
-    }
-}
-
-fn mem_cgroups_to_memcg_status_reply(
-    mgs: Vec<memcg::MemCgroup>,
-) -> rpc_mem_agent::MemcgStatusReply {
-    let mem_cgroups: Vec<rpc_mem_agent::MemCgroup> = mgs
-        .iter()
-        .map(|x| mem_cgroup_to_mem_cgroup_rpc(&x))
-        .collect();
-
-    rpc_mem_agent::MemcgStatusReply {
-        mem_cgroups,
-        ..Default::default()
-    }
-}
-
-fn memcgconfig_to_memcg_optionconfig(mc: &rpc_mem_agent::MemcgConfig) -> memcg::OptionConfig {
-    let moc = memcg::OptionConfig {
-        disabled: mc.disabled,
-        swap: mc.swap,
-        swappiness_max: mc.swappiness_max.map(|val| val as u8),
-        period_secs: mc.period_secs,
-        period_psi_percent_limit: mc.period_psi_percent_limit.map(|val| val as u8),
-        eviction_psi_percent_limit: mc.eviction_psi_percent_limit.map(|val| val as u8),
-        eviction_run_aging_count_min: mc.eviction_run_aging_count_min,
-        ..Default::default()
-    };
-
-    moc
-}
-
-fn compactconfig_to_compact_optionconfig(
-    cc: &rpc_mem_agent::CompactConfig,
-) -> compact::OptionConfig {
-    let coc = compact::OptionConfig {
-        disabled: cc.disabled,
-        period_secs: cc.period_secs,
-        period_psi_percent_limit: cc.period_psi_percent_limit.map(|val| val as u8),
-        compact_psi_percent_limit: cc.compact_psi_percent_limit.map(|val| val as u8),
-        compact_sec_max: cc.compact_sec_max,
-        compact_order: cc.compact_order.map(|val| val as u8),
-        compact_threshold: cc.compact_threshold,
-        compact_force_times: cc.compact_force_times,
-        ..Default::default()
-    };
-
-    coc
-}
-
-#[async_trait]
-impl mem_agent_ttrpc::Control for MyControl {
-    async fn memcg_status(
-        &self,
-        _ctx: &::ttrpc::r#async::TtrpcContext,
-        _: empty::Empty,
-    ) -> ::ttrpc::Result<rpc_mem_agent::MemcgStatusReply> {
-        Ok(mem_cgroups_to_memcg_status_reply(
-            self.agent.memcg_status_async().await.map_err(|e| {
-                let estr = format!("agent.memcg_status_async fail: {}", e);
-                error!("{}", estr);
-                Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
-            })?,
-        ))
-    }
-
-    async fn memcg_set(
-        &self,
-        _ctx: &::ttrpc::r#async::TtrpcContext,
-        mc: rpc_mem_agent::MemcgConfig,
-    ) -> ::ttrpc::Result<empty::Empty> {
-        self.agent
-            .memcg_set_config_async(memcgconfig_to_memcg_optionconfig(&mc))
-            .await
-            .map_err(|e| {
-                let estr = format!("agent.memcg_set_config_async fail: {}", e);
-                error!("{}", estr);
-                Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
-            })?;
-        Ok(empty::Empty::new())
-    }
-
-    async fn compact_set(
-        &self,
-        _ctx: &::ttrpc::r#async::TtrpcContext,
-        cc: rpc_mem_agent::CompactConfig,
-    ) -> ::ttrpc::Result<empty::Empty> {
-        self.agent
-            .compact_set_config_async(compactconfig_to_compact_optionconfig(&cc))
-            .await
-            .map_err(|e| {
-                let estr = format!("agent.compact_set_config_async fail: {}", e);
-                error!("{}", estr);
-                Error::RpcStatus(ttrpc::get_status(Code::INTERNAL, estr))
-            })?;
-        Ok(empty::Empty::new())
-    }
-}
-
-#[allow(dead_code)]
-#[tokio::main]
-pub async fn rpc_loop(agent: agent::MemAgent, addr: String) -> Result<()> {
-    let path = addr
-        .strip_prefix("unix://")
-        .ok_or(anyhow!("format of addr {} is not right", addr))?;
-    if std::path::Path::new(path).exists() {
-        return Err(anyhow!("addr {} is exist", addr));
-    }
-
-    let control = MyControl::new(agent);
-    let c = Box::new(control) as Box<dyn mem_agent_ttrpc::Control + Send + Sync>;
-    let c = Arc::new(c);
-    let service = mem_agent_ttrpc::create_control(c);
-
-    let mut server = Server::new().bind(&addr).unwrap().register_service(service);
-
-    let metadata = fs::metadata(path).map_err(|e| anyhow!("fs::metadata {} fail: {}", path, e))?;
-    let mut permissions = metadata.permissions();
-    permissions.set_mode(0o600);
-    fs::set_permissions(path, permissions)
-        .map_err(|e| anyhow!("fs::set_permissions {} fail: {}", path, e))?;
-
-    let mut interrupt = signal(SignalKind::interrupt())
-        .map_err(|e| anyhow!("signal(SignalKind::interrupt()) fail: {}", e))?;
-    let mut quit = signal(SignalKind::quit())
-        .map_err(|e| anyhow!("signal(SignalKind::quit()) fail: {}", e))?;
-    let mut terminate = signal(SignalKind::terminate())
-        .map_err(|e| anyhow!("signal(SignalKind::terminate()) fail: {}", e))?;
-    server
-        .start()
-        .await
-        .map_err(|e| anyhow!("server.start() fail: {}", e))?;
-
-    tokio::select! {
-        _ = interrupt.recv() => {
-            info!("mem-agent: interrupt shutdown");
-        }
-
-        _ = quit.recv() => {
-            info!("mem-agent: quit shutdown");
-        }
-
-        _ = terminate.recv() => {
-            info!("mem-agent: terminate shutdown");
-        }
-    };
-
-    server
-        .shutdown()
-        .await
-        .map_err(|e| anyhow!("server.shutdown() fail: {}", e))?;
-    fs::remove_file(&path).map_err(|e| anyhow!("fs::remove_file {} fail: {}", path, e))?;
-
-    Ok(())
-}
--- a/src/mem-agent/example/srv.rs
+++ b/src/mem-agent/example/srv.rs
@@ -1,95 +0,0 @@
-// Copyright (C) 2023 Ant group. All rights reserved.
-//
-// SPDX-License-Identifier: Apache-2.0
-
-use anyhow::{anyhow, Result};
-use share::option::{CompactSetOption, MemcgSetOption};
-use slog::{Drain, Level, Logger};
-use slog_async;
-use slog_scope::set_global_logger;
-use slog_scope::{error, info};
-use slog_term;
-use std::fs::OpenOptions;
-use std::io::BufWriter;
-use structopt::StructOpt;
-
-mod protocols;
-mod share;
-
-#[derive(StructOpt, Debug)]
-#[structopt(name = "mem-agent", about = "Memory agent")]
-struct Opt {
-    #[structopt(long, default_value = "unix:///var/run/mem-agent.sock")]
-    addr: String,
-    #[structopt(long)]
-    log_file: Option<String>,
-    #[structopt(long, default_value = "trace", parse(try_from_str = parse_slog_level))]
-    log_level: Level,
-    #[structopt(flatten)]
-    memcg: MemcgSetOption,
-    #[structopt(flatten)]
-    compact: CompactSetOption,
-}
-
-fn parse_slog_level(src: &str) -> Result<Level, String> {
-    match src.to_lowercase().as_str() {
-        "trace" => Ok(Level::Trace),
-        "debug" => Ok(Level::Debug),
-        "info" => Ok(Level::Info),
-        "warning" => Ok(Level::Warning),
-        "warn" => Ok(Level::Warning),
-        "error" => Ok(Level::Error),
-        _ => Err(format!("Invalid log level: {}", src)),
-    }
-}
-
-fn setup_logging(opt: &Opt) -> Result<slog_scope::GlobalLoggerGuard> {
-    let drain = if let Some(f) = &opt.log_file {
-        let log_file = OpenOptions::new()
-            .create(true)
-            .write(true)
-            .append(true)
-            .open(f)
-            .map_err(|e| anyhow!("Open log file {} fail: {}", f, e))?;
-        let buffered = BufWriter::new(log_file);
-        let decorator = slog_term::PlainDecorator::new(buffered);
-        let drain = slog_term::CompactFormat::new(decorator)
-            .build()
-            .filter_level(opt.log_level)
-            .fuse();
-        slog_async::Async::new(drain).build().fuse()
-    } else {
-        let decorator = slog_term::TermDecorator::new().stderr().build();
-        let drain = slog_term::CompactFormat::new(decorator)
-            .build()
-            .filter_level(opt.log_level)
-            .fuse();
-        slog_async::Async::new(drain).build().fuse()
-    };
-
-    let logger = Logger::root(drain, slog::o!());
-    Ok(set_global_logger(logger.clone()))
-}
-
-fn main() -> Result<()> {
-    // Check opt
-    let opt = Opt::from_args();
-
-    let _ = setup_logging(&opt).map_err(|e| anyhow!("setup_logging fail: {}", e))?;
-
-    let memcg_config = opt.memcg.to_mem_agent_memcg_config();
-    let compact_config = opt.compact.to_mem_agent_compact_config();
-
-    let (ma, _rt) = mem_agent::agent::MemAgent::new(memcg_config, compact_config)
-        .map_err(|e| anyhow!("MemAgent::new fail: {}", e))?;
-
-    info!("MemAgent started");
-
-    share::rpc::rpc_loop(ma, opt.addr).map_err(|e| {
-        let estr = format!("rpc::rpc_loop fail: {}", e);
-        error!("{}", estr);
-        anyhow!("{}", estr)
-    })?;
-
-    Ok(())
-}
--- a/Show More
+++ b/Show More