Merge pull request #5600 from BbolroC/image-rs-s390x

CC: Make agent build differently for image-rs on s390x
2026-02-22 14:54:23 +00:00 · 2022-11-08 07:57:25 +01:00 · 2022-11-07 18:37:24 +01:00 · 2022-11-07 15:54:23 +01:00 · 2022-11-07 12:45:15 +01:00 · 2022-11-07 12:44:58 +01:00
6757 changed files with 389950 additions and 1329416 deletions
--- a/.github/actionlint.yaml
+++ b/.github/actionlint.yaml
@@ -1,32 +0,0 @@
-# Copyright (c) 2024 Red Hat
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Configuration file with rules for the actionlint tool.
-#
-self-hosted-runner:
-  # Labels of self-hosted runner that linter should ignore
-  labels:
-    - amd64-nvidia-a100
-    - arm64-k8s
-    - containerd-v1.7
-    - containerd-v2.0
-    - containerd-v2.1
-    - containerd-v2.2
-    - garm-ubuntu-2004
-    - garm-ubuntu-2004-smaller
-    - garm-ubuntu-2204
-    - garm-ubuntu-2304
-    - garm-ubuntu-2304-smaller
-    - garm-ubuntu-2204-smaller
-    - k8s-ppc64le
-    - ubuntu-24.04-ppc64le
-    - metrics
-    - ppc64le
-    - riscv-builder
-    - sev-snp
-    - s390x
-    - s390x-large
-    - tdx
-    - ubuntu-22.04-arm
-    - ubuntu-24.04-s390x
--- a/.github/cargo-deny-composite-action/cargo-deny-generator.sh
+++ b/.github/cargo-deny-composite-action/cargo-deny-generator.sh
@@ -8,7 +8,7 @@
 script_dir=$(dirname "$(readlink -f "$0")")
 parent_dir=$(realpath "${script_dir}/../..")
 cidir="${parent_dir}/ci"
-source "${cidir}/../tests/common.bash"
+source "${cidir}/lib.sh"

 cargo_deny_file="${script_dir}/action.yaml"

--- a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
+++ b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@@ -21,7 +21,7 @@ runs:
        override: true

    - name: Cache
-      uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+      uses: Swatinem/rust-cache@v2

    - name: Install Cargo deny
      shell: bash
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,93 +0,0 @@
---
-version: 2
-updates:
-  - package-ecosystem: "cargo"
-    directories:
-      - "/src/agent"
-      - "/src/dragonball"
-      - "/src/libs"
-      - "/src/mem-agent"
-      - "/src/mem-agent/example"
-      - "/src/runtime-rs"
-      - "/src/tools/agent-ctl"
-      - "/src/tools/genpolicy"
-      - "/src/tools/kata-ctl"
-      - "/src/tools/runk"
-      - "/src/tools/trace-forwarder"
-    schedule:
-      interval: "daily"
-    ignore:
-    # rust-vmm repos might cause incompatibilities on patch versions, so
-    # lets handle them manually for now.
-      - dependency-name: "event-manager"
-      - dependency-name: "kvm-bindings"
-      - dependency-name: "kvm-ioctls"
-      - dependency-name: "linux-loader"
-      - dependency-name: "seccompiler"
-      - dependency-name: "vfio-bindings"
-      - dependency-name: "vfio-ioctls"
-      - dependency-name: "virtio-bindings"
-      - dependency-name: "virtio-queue"
-      - dependency-name: "vm-fdt"
-      - dependency-name: "vm-memory"
-      - dependency-name: "vm-superio"
-      - dependency-name: "vmm-sys-util"
-    # As we often have up to 8/9 components that need the same versions bumps
-    # create groups for common dependencies, so they can all go in a single PR
-    # We can extend this as we see more frequent groups
-    groups:
-      bit-vec:
-        patterns:
-          - bit-vec
-      bumpalo:
-        patterns:
-          - bumpalo
-      clap:
-        patterns:
-          - clap
-      crossbeam:
-        patterns:
-          - crossbeam
-      h2:
-        patterns:
-          - h2
-      idna:
-        patterns:
-          - idna
-      openssl:
-        patterns:
-          - openssl
-      protobuf:
-        patterns:
-          - protobuf
-      rsa:
-        patterns:
-          - rsa
-      rustix:
-        patterns:
-          - rustix
-      slab:
-        patterns:
-          - slab
-      time:
-        patterns:
-          - time
-      tokio:
-        patterns:
-          - tokio
-      tracing:
-        patterns:
-          - tracing
-
-  - package-ecosystem: "gomod"
-    directories:
-      - "src/runtime"
-      - "tools/testing/kata-webhook"
-      - "src/tools/csi-kata-directvolume"
-    schedule:
-      interval: "daily"
-
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "monthly"
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -9,19 +9,14 @@ on:
      - labeled
      - unlabeled

-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 jobs:
  pr_wip_check:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
    name: WIP Check
    steps:
    - name: WIP Check
-      uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755 # master (2021-06-10)
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: tim-actions/wip-check@1c2a1ca6c110026b3e2297bb2ef39e1747b5a755
      with:
        labels: '["do-not-merge", "wip", "rfc"]'
        keywords: '["WIP", "wip", "RFC", "rfc", "dnm", "DNM", "do-not-merge"]'
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -1,30 +0,0 @@
-name: Lint GHA workflows
-
-on:
-  workflow_dispatch:
-  pull_request:
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  run-actionlint:
-    name: run-actionlint
-    env:
-      GH_TOKEN: ${{ github.token }}
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Install actionlint gh extension
-        run: gh extension install https://github.com/cschleiden/gh-actionlint
-
-      - name: Run actionlint
-        run:  gh actionlint
--- a/.github/workflows/add-backport-label.yaml
+++ b/.github/workflows/add-backport-label.yaml
@@ -0,0 +1,100 @@
+name: Add backport label
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+      - labeled
+      - unlabeled
+
+jobs:
+  check-issues:
+    if: ${{ github.event.label.name != 'auto-backport' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code to allow hub to communicate with the project
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/checkout@v3
+
+      - name: Install hub extension script
+        run: |
+          pushd $(mktemp -d) &>/dev/null
+          git clone --single-branch --depth 1 "https://github.com/kata-containers/.github" && cd .github/scripts
+          sudo install hub-util.sh /usr/local/bin
+          popd &>/dev/null
+
+      - name: Determine whether to add label 
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CONTAINS_AUTO_BACKPORT: ${{ contains(github.event.pull_request.labels.*.name, 'auto-backport') }}
+        id: add_label
+        run: |
+          pr=${{ github.event.pull_request.number }}
+          linked_issue_urls=$(hub-util.sh \
+            list-issues-for-pr "$pr" |\
+            grep -v "^\#"  |\
+            cut -d';' -f3 || true)
+          [ -z "$linked_issue_urls" ] && {
+            echo "::error::No linked issues for PR $pr"
+            exit 1
+          }
+          has_bug=false
+          for issue_url in $(echo "$linked_issue_urls")
+          do
+            issue=$(echo "$issue_url"| awk -F\/ '{print $NF}' || true)
+            [ -z "$issue" ] && {
+              echo "::error::Cannot determine issue number from $issue_url for PR $pr"
+              exit 1
+            }
+            labels=$(hub-util.sh list-labels-for-issue "$issue")
+            
+            label_names=$(echo $labels | jq -r '.[].name' || true)
+            if [[ "$label_names" =~ "bug" ]]; then
+              has_bug=true
+              break
+            fi
+          done
+
+          has_backport_needed_label=${{ contains(github.event.pull_request.labels.*.name, 'needs-backport') }}
+          has_no_backport_needed_label=${{ contains(github.event.pull_request.labels.*.name, 'no-backport-needed') }}
+
+          echo "::set-output name=add_backport_label::false"
+          if [ $has_backport_needed_label  = true ] || [ $has_bug  = true ]; then
+            if [[ $has_no_backport_needed_label = false ]]; then
+              echo "::set-output name=add_backport_label::true"
+            fi
+          fi
+
+          # Do not spam comment, only if auto-backport label is going to be newly added.
+          echo "::set-output name=auto_backport_added::$CONTAINS_AUTO_BACKPORT"
+
+      - name: Add comment
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && steps.add_label.outputs.add_backport_label == 'true' && steps.add_label.outputs.auto_backport_added == 'false' }}
+        uses: actions/github-script@v6
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'This issue has been marked for auto-backporting. Add label(s) backport-to-BRANCHNAME to backport to them'
+            })
+
+      # Allow label to be removed by adding no-backport-needed label
+      - name: Remove auto-backport label
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && steps.add_label.outputs.add_backport_label == 'false' }}
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          remove-labels: "auto-backport"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Add auto-backport label
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && steps.add_label.outputs.add_backport_label == 'true' }}
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "auto-backport"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/add-issues-to-project.yaml
+++ b/.github/workflows/add-issues-to-project.yaml
@@ -0,0 +1,55 @@
+# Copyright (c) 2020 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+name: Add newly created issues to the backlog project
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  add-new-issues-to-backlog:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install hub
+        run: |
+          HUB_ARCH="amd64"
+          HUB_VER=$(curl -sL "https://api.github.com/repos/github/hub/releases/latest" |\
+            jq -r .tag_name | sed 's/^v//')
+          curl -sL \
+            "https://github.com/github/hub/releases/download/v${HUB_VER}/hub-linux-${HUB_ARCH}-${HUB_VER}.tgz" |\
+          tar xz --strip-components=2 --wildcards '*/bin/hub' && \
+          sudo install hub /usr/local/bin
+
+      - name: Install hub extension script
+        run: |
+          # Clone into a temporary directory to avoid overwriting
+          # any existing github directory.
+          pushd $(mktemp -d) &>/dev/null
+          git clone --single-branch --depth 1 "https://github.com/kata-containers/.github" && cd .github/scripts
+          sudo install hub-util.sh /usr/local/bin
+          popd &>/dev/null
+
+      - name: Checkout code to allow hub to communicate with the project
+        uses: actions/checkout@v2
+
+      - name: Add issue to issue backlog
+        env:
+          GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_TOKEN }}
+        run: |
+          issue=${{ github.event.issue.number }}
+
+          project_name="Issue backlog"
+          project_type="org"
+          project_column="To do"
+
+          hub-util.sh \
+            add-issue \
+            "$issue" \
+            "$project_name" \
+            "$project_type" \
+            "$project_column"
--- a/.github/workflows/add-pr-sizing-label.yaml
+++ b/.github/workflows/add-pr-sizing-label.yaml
@@ -0,0 +1,40 @@
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+name: Add PR sizing label
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  add-pr-size-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v1
+
+      - name: Install PR sizing label script
+        run: |
+          # Clone into a temporary directory to avoid overwriting
+          # any existing github directory.
+          pushd $(mktemp -d) &>/dev/null
+          git clone --single-branch --depth 1 "https://github.com/kata-containers/.github" && cd .github/scripts
+          sudo install pr-add-size-label.sh /usr/local/bin
+          popd &>/dev/null
+
+      - name: Add PR sizing label
+        env:
+          GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_PR_SIZE_TOKEN }}
+        run: |
+          pr=${{ github.event.number }}
+          # Removing man-db, workflow kept failing, fixes: #4480
+          sudo apt -y remove --purge man-db
+          sudo apt -y install diffstat patchutils
+
+          pr-add-size-label.sh -p "$pr"
--- a/.github/workflows/auto-backport.yaml
+++ b/.github/workflows/auto-backport.yaml
@@ -0,0 +1,29 @@
+on:
+  pull_request_target:
+    types: ["labeled", "closed"]
+
+jobs:
+  backport:
+    name: Backport PR
+    runs-on: ubuntu-latest
+    if: |
+      github.event.pull_request.merged == true
+      && contains(github.event.pull_request.labels.*.name, 'auto-backport')
+      && (
+        (github.event.action == 'labeled' && github.event.label.name == 'auto-backport')
+        || (github.event.action == 'closed')
+      )
+    steps:
+      - name: Backport Action
+        uses: sqren/backport-github-action@v8.9.2
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          auto_backport_label_prefix: backport-to-
+
+      - name: Info log
+        if: ${{ success() }}
+        run: cat /home/runner/.backport/backport.info.log
+        
+      - name: Debug log
+        if: ${{ failure() }}
+        run: cat /home/runner/.backport/backport.debug.log
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -1,417 +0,0 @@
-name: CI | Basic amd64 tests
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-containerd-sandboxapi:
-    name: run-containerd-sandboxapi
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # the all the tests are not flaky, otherwise we'll fail
-      # all the tests due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        containerd_version: ['active']
-        vmm: ['dragonball', 'cloud-hypervisor', 'qemu-runtime-rs']
-    # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
-    if: false
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      SANDBOXER: "shim"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
-
-      - name: Run containerd-sandboxapi tests
-        timeout-minutes: 10
-        run: bash tests/integration/cri-containerd/gha-run.sh run
-
-  run-containerd-stability:
-    name: run-containerd-stability
-    strategy:
-      fail-fast: false
-      matrix:
-        containerd_version: ['lts', 'active']
-        vmm: ['clh', 'cloud-hypervisor', 'dragonball', 'qemu', 'stratovirt']
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      SANDBOXER: "podsandbox"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/stability/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/stability/gha-run.sh install-kata kata-artifacts
-
-      - name: Run containerd-stability tests
-        timeout-minutes: 15
-        run: bash tests/stability/gha-run.sh run
-
-  run-nydus:
-    name: run-nydus
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # the all the tests are not flaky, otherwise we'll fail
-      # all the tests due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        containerd_version: ['lts', 'active']
-        vmm: ['clh', 'qemu', 'dragonball', 'stratovirt']
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/nydus/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/nydus/gha-run.sh install-kata kata-artifacts
-
-      - name: Run nydus tests
-        timeout-minutes: 10
-        run: bash tests/integration/nydus/gha-run.sh run
-
-  run-runk:
-    name: run-runk
-    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
-    if: false
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINERD_VERSION: lts
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/runk/gha-run.sh install-dependencies
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/runk/gha-run.sh install-kata kata-artifacts
-
-      - name: Run runk tests
-        timeout-minutes: 10
-        run: bash tests/integration/runk/gha-run.sh run
-
-  run-tracing:
-    name: run-tracing
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - clh # cloud-hypervisor
-          - qemu
-    # TODO: enable me when https://github.com/kata-containers/kata-containers/issues/9763 is fixed
-    # TODO: Transition to free runner (see #9940).
-    if: false
-    runs-on: garm-ubuntu-2204-smaller
-    env:
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/functional/tracing/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/functional/tracing/gha-run.sh install-kata kata-artifacts
-
-      - name: Run tracing tests
-        timeout-minutes: 15
-        run: bash tests/functional/tracing/gha-run.sh run
-
-  run-vfio:
-    name: run-vfio
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - clh
-          - qemu
-    # TODO: enable with clh when https://github.com/kata-containers/kata-containers/issues/9764 is fixed
-    # TODO: enable with qemu when https://github.com/kata-containers/kata-containers/issues/9851 is fixed
-    # TODO: Transition to free runner (see #9940).
-    if: false
-    runs-on: garm-ubuntu-2304
-    env:
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/functional/vfio/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Run vfio tests
-        timeout-minutes: 15
-        run: bash tests/functional/vfio/gha-run.sh run
-
-  run-docker-tests:
-    name: run-docker-tests
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # all the tests are not flaky, otherwise we'll fail them
-      # all due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-    runs-on: ubuntu-22.04
-    env:
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/docker/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/docker/gha-run.sh install-kata kata-artifacts
-
-      - name: Run docker smoke test
-        timeout-minutes: 5
-        run: bash tests/integration/docker/gha-run.sh run
-
-  run-nerdctl-tests:
-    name: run-nerdctl-tests
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # all the tests are not flaky, otherwise we'll fail them
-      # all due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        vmm:
-          - clh
-          - dragonball
-          - qemu
-          - cloud-hypervisor
-    runs-on: ubuntu-22.04
-    env:
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        env:
-          GITHUB_API_TOKEN: ${{ github.token }}
-          GH_TOKEN: ${{ github.token }}
-        run: bash tests/integration/nerdctl/gha-run.sh install-dependencies
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/nerdctl/gha-run.sh install-kata kata-artifacts
-
-      - name: Run nerdctl smoke test
-        timeout-minutes: 5
-        run: bash tests/integration/nerdctl/gha-run.sh run
-
-      - name: Collect artifacts ${{ matrix.vmm }}
-        if: always()
-        run: bash tests/integration/nerdctl/gha-run.sh collect-artifacts
-        continue-on-error: true
-
-      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: nerdctl-tests-garm-${{ matrix.vmm }}
-          path: /tmp/artifacts
-          retention-days: 1
-
-  run-kata-agent-apis:
-    name: run-kata-agent-apis
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/functional/kata-agent-apis/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/functional/kata-agent-apis/gha-run.sh install-kata kata-artifacts
-
-      - name: Run kata agent api tests with agent-ctl
-        run: bash tests/functional/kata-agent-apis/gha-run.sh run
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -1,149 +0,0 @@
-name: CI | Basic s390x tests
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-containerd-sandboxapi:
-    name: run-containerd-sandboxapi
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # the all the tests are not flaky, otherwise we'll fail
-      # all the tests due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        containerd_version: ['active']
-        vmm: ['qemu-runtime-rs']
-    # TODO: enable me when https://github.com/containerd/containerd/issues/11640 is fixed
-    if: false
-    runs-on: s390x-large
-    env:
-      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      SANDBOXER: "shim"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/cri-containerd/gha-run.sh
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
-
-      - name: Run containerd-sandboxapi tests
-        timeout-minutes: 10
-        run: bash tests/integration/cri-containerd/gha-run.sh run
-
-  run-containerd-stability:
-    name: run-containerd-stability
-    strategy:
-      fail-fast: false
-      matrix:
-        containerd_version: ['lts', 'active']
-        vmm: ['qemu']
-    runs-on: s390x-large
-    env:
-      CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      SANDBOXER: "podsandbox"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/stability/gha-run.sh install-dependencies
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/stability/gha-run.sh install-kata kata-artifacts
-
-      - name: Run containerd-stability tests
-        timeout-minutes: 15
-        run: bash tests/stability/gha-run.sh run
-
-  run-docker-tests:
-    name: run-docker-tests
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # all the tests are not flaky, otherwise we'll fail them
-      # all due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        vmm: ['qemu']
-    runs-on: s390x-large
-    env:
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/docker/gha-run.sh install-dependencies
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/docker/gha-run.sh install-kata kata-artifacts
-
-      - name: Run docker smoke test
-        timeout-minutes: 5
-        run: bash tests/integration/docker/gha-run.sh run
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -1,134 +0,0 @@
-# This yaml is designed to be used until all components listed in
-# `build-checks.yaml` are supported
-on:
-  workflow_dispatch:
-    inputs:
-      instance:
-        default: "riscv-builder"
-        description: "Default instance when manually triggering"
-  workflow_call:
-    inputs:
-      instance:
-        required: true
-        type: string
-
-permissions: {}
-
-name: Build checks preview riscv64
-jobs:
-  check:
-    name: check
-    runs-on: ${{ inputs.instance }}
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - "make vendor"
-          - "make check"
-          - "make test"
-          - "sudo -E PATH=\"$PATH\" make test"
-        component:
-          - name: agent
-            path: src/agent
-            needs:
-              - rust
-              - libdevmapper
-              - libseccomp
-              - protobuf-compiler
-              - clang
-          - name: agent-ctl
-            path: src/tools/agent-ctl
-            needs:
-              - rust
-              - musl-tools
-              - protobuf-compiler
-              - clang
-          - name: trace-forwarder
-            path: src/tools/trace-forwarder
-            needs:
-              - rust
-              - musl-tools
-          - name: genpolicy
-            path: src/tools/genpolicy
-            needs:
-              - rust
-              - musl-tools
-              - protobuf-compiler
-          - name: runtime
-            path: src/runtime
-            needs:
-              - golang
-              - XDG_RUNTIME_DIR
-          - name: runtime-rs
-            path: src/runtime-rs
-            needs:
-              - rust
-
-    steps:
-      - name: Adjust a permission for repo
-        run: |
-          sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE" "$HOME"
-          sudo rm -rf "$GITHUB_WORKSPACE"/* || { sleep 10 && sudo rm -rf "$GITHUB_WORKSPACE"/*; }
-          sudo rm -f /tmp/kata_hybrid*  # Sometime we got leftover from test_setup_hvsock_failed()
-
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-      - name: Install golang
-        if: contains(matrix.component.needs, 'golang')
-        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
-      - name: Setup rust
-        if: contains(matrix.component.needs, 'rust')
-        run: |
-          ./tests/install_rust.sh
-          echo "${HOME}/.cargo/bin" >> "$GITHUB_PATH"
-          if [ "$(uname -m)" == "x86_64" ] || [ "$(uname -m)" == "aarch64" ]; then
-            sudo apt-get update && sudo apt-get -y install musl-tools
-          fi
-      - name: Install devicemapper
-        if: contains(matrix.component.needs, 'libdevmapper') && matrix.command == 'make check'
-        run: sudo apt-get update && sudo apt-get -y install libdevmapper-dev
-      - name: Install libseccomp
-        if: contains(matrix.component.needs, 'libseccomp') && matrix.command != 'make vendor' && matrix.command != 'make check'
-        run: |
-          libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
-          gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
-          ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
-          echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
-          echo "LIBSECCOMP_LINK_TYPE=static" >> "$GITHUB_ENV"
-          echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> "$GITHUB_ENV"
-      - name: Install protobuf-compiler
-        if: contains(matrix.component.needs, 'protobuf-compiler') && matrix.command != 'make vendor'
-        run: sudo apt-get update && sudo apt-get -y install protobuf-compiler
-      - name: Install clang
-        if: contains(matrix.component.needs, 'clang') && matrix.command == 'make check'
-        run: sudo apt-get update && sudo apt-get -y install clang
-      - name: Setup XDG_RUNTIME_DIR
-        if: contains(matrix.component.needs, 'XDG_RUNTIME_DIR') && matrix.command != 'make check'
-        run: |
-          XDG_RUNTIME_DIR=$(mktemp -d "/tmp/kata-tests-$USER.XXX" | tee >(xargs chmod 0700))
-          echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> "$GITHUB_ENV"
-      - name: Skip tests that depend on virtualization capable runners when needed
-        if: inputs.instance == 'riscv-builder'
-        run: |
-          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
-      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
-        run: |
-          cd "${COMPONENT_PATH}"
-          ${COMMAND}
-        env:
-          COMMAND: ${{ matrix.command }}
-          COMPONENT_PATH: ${{ matrix.component.path }}
-          RUST_BACKTRACE: "1"
-          RUST_LIB_BACKTRACE: "0"
-          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -1,139 +0,0 @@
-on:
-  workflow_call:
-    inputs:
-      instance:
-        required: true
-        type: string
-
-permissions: {}
-
-
-name: Build checks
-jobs:
-  check:
-    name: check
-    runs-on: ${{ inputs.instance }}
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - "make vendor"
-          - "make check"
-          - "make test"
-          - "sudo -E PATH=\"$PATH\" make test"
-        component:
-          - name: agent
-            path: src/agent
-            needs:
-              - rust
-              - libdevmapper
-              - libseccomp
-              - protobuf-compiler
-              - clang
-          - name: dragonball
-            path: src/dragonball
-            needs:
-              - rust
-          - name: runtime
-            path: src/runtime
-            needs:
-              - golang
-              - XDG_RUNTIME_DIR
-          - name: runtime-rs
-            path: src/runtime-rs
-            needs:
-              - rust
-          - name: libs
-            path: src/libs
-            needs:
-              - rust
-              - protobuf-compiler
-          - name: agent-ctl
-            path: src/tools/agent-ctl
-            needs:
-              - rust
-              - protobuf-compiler
-              - clang
-          - name: kata-ctl
-            path: src/tools/kata-ctl
-            needs:
-              - rust
-              - protobuf-compiler
-          - name: trace-forwarder
-            path: src/tools/trace-forwarder
-            needs:
-              - rust
-          - name: genpolicy
-            path: src/tools/genpolicy
-            needs:
-              - rust
-              - protobuf-compiler
-
-    steps:
-      - name: Adjust a permission for repo
-        run: |
-          sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE" "$HOME"
-          sudo rm -rf "$GITHUB_WORKSPACE"/* || { sleep 10 && sudo rm -rf "$GITHUB_WORKSPACE"/*; }
-          sudo rm -f /tmp/kata_hybrid*  # Sometime we got leftover from test_setup_hvsock_failed()
-
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Install yq
-        run: |
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-      - name: Install golang
-        if: contains(matrix.component.needs, 'golang')
-        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
-      - name: Setup rust
-        if: contains(matrix.component.needs, 'rust')
-        run: |
-          ./tests/install_rust.sh
-          echo "${HOME}/.cargo/bin" >> "$GITHUB_PATH"
-          if [ "$(uname -m)" == "x86_64" ] || [ "$(uname -m)" == "aarch64" ]; then
-            sudo apt-get update && sudo apt-get -y install musl-tools
-          fi
-      - name: Install devicemapper
-        if: contains(matrix.component.needs, 'libdevmapper') && matrix.command == 'make check'
-        run: sudo apt-get update && sudo apt-get -y install libdevmapper-dev
-      - name: Install libseccomp
-        if: contains(matrix.component.needs, 'libseccomp') && matrix.command != 'make vendor' && matrix.command != 'make check'
-        run: |
-          libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
-          gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
-          ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
-          echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
-          echo "LIBSECCOMP_LINK_TYPE=static" >> "$GITHUB_ENV"
-          echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> "$GITHUB_ENV"
-      - name: Install protobuf-compiler
-        if: contains(matrix.component.needs, 'protobuf-compiler') && matrix.command != 'make vendor'
-        run: sudo apt-get update && sudo apt-get -y install protobuf-compiler
-      - name: Install clang
-        if: contains(matrix.component.needs, 'clang') && matrix.command == 'make check'
-        run: sudo apt-get update && sudo apt-get -y install clang
-      - name: Setup XDG_RUNTIME_DIR
-        if: contains(matrix.component.needs, 'XDG_RUNTIME_DIR') && matrix.command != 'make check'
-        run: |
-          XDG_RUNTIME_DIR=$(mktemp -d "/tmp/kata-tests-$USER.XXX" | tee >(xargs chmod 0700))
-          echo "XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR}" >> "$GITHUB_ENV"
-      - name: Skip tests that depend on virtualization capable runners when needed
-        if: ${{ endsWith(inputs.instance, '-arm') }}
-        run: |
-          echo "GITHUB_RUNNER_CI_NON_VIRT=true" >> "$GITHUB_ENV"
-      - name: Running `${{ matrix.command }}` for ${{ matrix.component.name }}
-        run: |
-          cd "${COMPONENT_PATH}"
-          eval "${COMMAND}"
-        env:
-          COMMAND: ${{ matrix.command }}
-          COMPONENT_PATH: ${{ matrix.component.path }}
-          RUST_BACKTRACE: "1"
-          RUST_LIB_BACKTRACE: "0"
-          SKIP_GO_VERSION_CHECK: "1"
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -1,365 +0,0 @@
-name: CI | Build kata-static tarball for amd64
-on:
-  workflow_call:
-    inputs:
-      stage:
-        required: false
-        type: string
-        default: test
-      tarball-suffix:
-        required: false
-        type: string
-      push-to-registry:
-        required: false
-        type: string
-        default: no
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: false
-      KBUILD_SIGN_PIN:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-asset:
-    name: build-asset
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    strategy:
-      matrix:
-        asset:
-          - agent
-          - agent-ctl
-          - busybox
-          - cloud-hypervisor
-          - cloud-hypervisor-glibc
-          - coco-guest-components
-          - csi-kata-directvolume
-          - firecracker
-          - genpolicy
-          - kata-ctl
-          - kata-manager
-          - kernel
-          - kernel-confidential
-          - kernel-dragonball-experimental
-          - kernel-nvidia-gpu
-          - kernel-nvidia-gpu-confidential
-          - nydus
-          - ovmf
-          - ovmf-sev
-          - pause-image
-          - qemu
-          - qemu-snp-experimental
-          - qemu-tdx-experimental
-          - stratovirt
-          - trace-forwarder
-          - virtiofsd
-        stage:
-          - ${{ inputs.stage }}
-        exclude:
-          - asset: cloud-hypervisor-glibc
-            stage: release
-    env:
-      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Build ${{ matrix.asset }}
-        id: build
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
-
-      - name: Parse OCI image name and digest
-        id: parse-oci-segments
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-        run: |
-          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
-          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
-          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
-
-      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          version: "1.2.0"
-
-      # for pushing attestations to the registry
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
-          subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
-          push-to-registry: true
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-      - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-amd64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  build-asset-rootfs:
-    name: build-asset-rootfs
-    runs-on: ubuntu-22.04
-    needs: build-asset
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        asset:
-          - rootfs-image
-          - rootfs-image-confidential
-          - rootfs-image-mariner
-          - rootfs-initrd
-          - rootfs-initrd-confidential
-          - rootfs-initrd-nvidia-gpu
-          - rootfs-initrd-nvidia-gpu-confidential
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build ${{ matrix.asset }}
-        id: build
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          KBUILD_SIGN_PIN: ${{ contains(matrix.asset, 'nvidia') && secrets.KBUILD_SIGN_PIN || '' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts:
-    name: remove-rootfs-binary-artifacts
-    runs-on: ubuntu-22.04
-    needs: build-asset-rootfs
-    strategy:
-      matrix:
-        asset:
-          - busybox
-          - coco-guest-components
-          - kernel-nvidia-gpu-headers
-          - kernel-nvidia-gpu-confidential-headers
-          - pause-image
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        with:
-          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts-for-release:
-    name: remove-rootfs-binary-artifacts-for-release
-    runs-on: ubuntu-22.04
-    needs: build-asset-rootfs
-    strategy:
-      matrix:
-        asset:
-          - agent
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        if: ${{ inputs.stage == 'release' }}
-        with:
-          name: kata-artifacts-amd64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  build-asset-shim-v2:
-    name: build-asset-shim-v2
-    runs-on: ubuntu-22.04
-    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build shim-v2
-        id: build
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: shim-v2
-          TAR_OUTPUT: shim-v2.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          MEASURED_ROOTFS: yes
-
-      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-amd64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  create-kata-tarball:
-    name: create-kata-tarball
-    runs-on: ubuntu-22.04
-    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          fetch-tags: true
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
-        env:
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: store-artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.zst
-          retention-days: 15
-          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -1,332 +0,0 @@
-name: CI | Build kata-static tarball for arm64
-on:
-  workflow_call:
-    inputs:
-      stage:
-        required: false
-        type: string
-        default: test
-      tarball-suffix:
-        required: false
-        type: string
-      push-to-registry:
-        required: false
-        type: string
-        default: no
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: false
-
-permissions: {}
-
-jobs:
-  build-asset:
-    name: build-asset
-    runs-on: ubuntu-22.04-arm
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    strategy:
-      matrix:
-        asset:
-          - agent
-          - busybox
-          - cloud-hypervisor
-          - firecracker
-          - kernel
-          - kernel-dragonball-experimental
-          - kernel-nvidia-gpu
-          - kernel-cca-confidential
-          - nydus
-          - ovmf
-          - qemu
-          - stratovirt
-          - virtiofsd
-    env:
-      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: Parse OCI image name and digest
-        id: parse-oci-segments
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-        run: |
-          oci_image="$(<"build/${KATA_ASSET}-oci-image")"
-          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
-          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
-
-      - uses: oras-project/setup-oras@5c0b487ce3fe0ce3ab0d034e63669e426e294e4d # v1.2.2
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          version: "1.2.0"
-
-      # for pushing attestations to the registry
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
-          subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
-          push-to-registry: true
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-      - name: store-extratarballs-artifact ${{ matrix.asset }}
-        if: ${{ startsWith(matrix.asset, 'kernel-nvidia-gpu') }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-arm64-${{ matrix.asset }}-headers${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}-headers.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  build-asset-rootfs:
-    name: build-asset-rootfs
-    runs-on: ubuntu-22.04-arm
-    needs: build-asset
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        asset:
-          - rootfs-image
-          - rootfs-initrd
-          - rootfs-initrd-nvidia-gpu
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts:
-    name: remove-rootfs-binary-artifacts
-    runs-on: ubuntu-22.04-arm
-    needs: build-asset-rootfs
-    strategy:
-      matrix:
-        asset:
-          - busybox
-          - kernel-nvidia-gpu-headers
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        with:
-          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts-for-release:
-    name: remove-rootfs-binary-artifacts-for-release
-    runs-on: ubuntu-22.04-arm
-    needs: build-asset-rootfs
-    strategy:
-      matrix:
-        asset:
-          - agent
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        if: ${{ inputs.stage == 'release' }}
-        with:
-          name: kata-artifacts-arm64-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  build-asset-shim-v2:
-    name: build-asset-shim-v2
-    runs-on: ubuntu-22.04-arm
-    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build shim-v2
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: shim-v2
-          TAR_OUTPUT: shim-v2.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-arm64-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  create-kata-tarball:
-    name: create-kata-tarball
-    runs-on: ubuntu-22.04-arm
-    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          fetch-tags: true
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
-        env:
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: store-artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-static-tarball-arm64${{ inputs.tarball-suffix }}
-          path: kata-static.tar.zst
-          retention-days: 15
-          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -1,271 +0,0 @@
-name: CI | Build kata-static tarball for ppc64le
-on:
-  workflow_call:
-    inputs:
-      stage:
-        required: false
-        type: string
-        default: test
-      tarball-suffix:
-        required: false
-        type: string
-      push-to-registry:
-        required: false
-        type: string
-        default: no
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-asset:
-    name: build-asset
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-24.04-ppc64le
-    strategy:
-      matrix:
-        asset:
-          - agent
-          - kernel
-          - qemu
-          - virtiofsd
-        stage:
-          - ${{ inputs.stage }}
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 1
-          if-no-files-found: error
-
-  build-asset-rootfs:
-    name: build-asset-rootfs
-    runs-on: ubuntu-24.04-ppc64le
-    needs: build-asset
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        asset:
-          - rootfs-initrd
-        stage:
-          - ${{ inputs.stage }}
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 1
-          if-no-files-found: error
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts:
-    name: remove-rootfs-binary-artifacts
-    runs-on: ubuntu-22.04
-    needs: build-asset-rootfs
-    strategy:
-      matrix:
-        asset:
-          - agent
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        if: ${{ inputs.stage == 'release' }}
-        with:
-          name: kata-artifacts-ppc64le-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  build-asset-shim-v2:
-    name: build-asset-shim-v2
-    runs-on: ubuntu-24.04-ppc64le
-    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build shim-v2
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: shim-v2
-          TAR_OUTPUT: shim-v2.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-ppc64le-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.zst
-          retention-days: 1
-          if-no-files-found: error
-
-  create-kata-tarball:
-    name: create-kata-tarball
-    runs-on: ubuntu-24.04-ppc64le
-    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Adjust a permission for repo
-        run: |
-          sudo chown -R "$USER":"$USER" "$GITHUB_WORKSPACE"
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          fetch-tags: true
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
-        env:
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: store-artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-static-tarball-ppc64le${{ inputs.tarball-suffix }}
-          path: kata-static.tar.zst
-          retention-days: 1
-          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -1,86 +0,0 @@
-name: CI | Build kata-static tarball for riscv64
-on:
-  workflow_call:
-    inputs:
-      stage:
-        required: false
-        type: string
-        default: test
-      tarball-suffix:
-        required: false
-        type: string
-      push-to-registry:
-        required: false
-        type: string
-        default: no
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-asset:
-    name: build-asset
-    runs-on: riscv-builder
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    strategy:
-      matrix:
-        asset:
-          - kernel
-          - virtiofsd
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Build ${{ matrix.asset }}
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-riscv64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -1,360 +0,0 @@
-name: CI | Build kata-static tarball for s390x
-on:
-  workflow_call:
-    inputs:
-      stage:
-        required: false
-        type: string
-        default: test
-      tarball-suffix:
-        required: false
-        type: string
-      push-to-registry:
-        required: false
-        type: string
-        default: no
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      CI_HKD_PATH:
-        required: true
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-
-permissions: {}
-
-jobs:
-  build-asset:
-    name: build-asset
-    runs-on: ubuntu-24.04-s390x
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    strategy:
-      matrix:
-        asset:
-          - agent
-          - coco-guest-components
-          - kernel
-          - kernel-confidential
-          - pause-image
-          - qemu
-          - virtiofsd
-    env:
-      PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Build ${{ matrix.asset }}
-        id: build
-        run: |
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: Parse OCI image name and digest
-        id: parse-oci-segments
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        env:
-          ASSET: ${{ matrix.asset }}
-        run: |
-          oci_image="$(<"build/${ASSET}-oci-image")"
-          echo "oci-name=${oci_image%@*}" >> "$GITHUB_OUTPUT"
-          echo "oci-digest=${oci_image#*@}" >> "$GITHUB_OUTPUT"
-
-      # for pushing attestations to the registry
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
-        if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
-        with:
-          subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
-          subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
-          push-to-registry: true
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  build-asset-rootfs:
-    name: build-asset-rootfs
-    runs-on: s390x
-    needs: build-asset
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        asset:
-          - rootfs-image
-          - rootfs-image-confidential
-          - rootfs-initrd
-          - rootfs-initrd-confidential
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build ${{ matrix.asset }}
-        id: build
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: ${{ matrix.asset }}
-          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-
-      - name: store-artifact ${{ matrix.asset }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  build-asset-boot-image-se:
-    name: build-asset-boot-image-se
-    runs-on: s390x
-    needs: [build-asset, build-asset-rootfs]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Place a host key document
-        run: |
-          mkdir -p "host-key-document"
-          cp "${CI_HKD_PATH}" "host-key-document"
-        env:
-          CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-
-      - name: Build boot-image-se
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se"
-          make boot-image-se-tarball
-          build_dir=$(readlink -f build)
-          sudo cp -r "${build_dir}" "kata-build"
-          sudo chown -R "$(id -u)":"$(id -g)" "kata-build"
-        env:
-          HKD_PATH: "host-key-document"
-
-      - name: store-artifact boot-image-se
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-boot-image-se.tar.zst
-          retention-days: 1
-          if-no-files-found: error
-
-  # We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
-  remove-rootfs-binary-artifacts:
-    name: remove-rootfs-binary-artifacts
-    runs-on: ubuntu-22.04
-    needs: [build-asset-rootfs, build-asset-boot-image-se]
-    strategy:
-      matrix:
-        asset:
-          - agent
-          - coco-guest-components
-          - pause-image
-    steps:
-      - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
-        if: ${{ inputs.stage == 'release' }}
-        with:
-          name: kata-artifacts-s390x-${{ matrix.asset}}${{ inputs.tarball-suffix }}
-
-  build-asset-shim-v2:
-    name: build-asset-shim-v2
-    runs-on: ubuntu-24.04-s390x
-    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.push-to-registry == 'yes' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0 # This is needed in order to keep the commit ids history
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-
-      - name: Build shim-v2
-        id: build
-        run: |
-          ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
-          make "${KATA_ASSET}-tarball"
-          build_dir=$(readlink -f build)
-          # store-artifact does not work with symlink
-          mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
-        env:
-          KATA_ASSET: shim-v2
-          TAR_OUTPUT: shim-v2.tar.gz
-          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
-          ARTEFACT_REGISTRY: ghcr.io
-          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
-          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          MEASURED_ROOTFS: no
-
-      - name: store-artifact shim-v2
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-artifacts-s390x-shim-v2${{ inputs.tarball-suffix }}
-          path: kata-build/kata-static-shim-v2.tar.zst
-          retention-days: 15
-          if-no-files-found: error
-
-  create-kata-tarball:
-    name: create-kata-tarball
-    runs-on: ubuntu-24.04-s390x
-    needs:
-      - build-asset
-      - build-asset-rootfs
-      - build-asset-boot-image-se
-      - build-asset-shim-v2
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          fetch-tags: true
-          persist-credentials: false
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-      - name: get-artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-          merge-multiple: true
-      - name: merge-artifacts
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts versions.yaml
-        env:
-          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-      - name: store-artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: kata-static-tarball-s390x${{ inputs.tarball-suffix }}
-          path: kata-static.tar.zst
-          retention-days: 15
-          if-no-files-found: error
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -1,32 +1,19 @@
 name: Cargo Crates Check Runner
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
+on: [pull_request]
 jobs:
  cargo-deny-runner:
-    name: cargo-deny-runner
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/checkout@v3
      - name: Generate Action
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
        run: bash cargo-deny-generator.sh
        working-directory: ./.github/cargo-deny-composite-action/
        env:
-          GOPATH: ${{ github.workspace }}/kata-containers
+          GOPATH: ${{ runner.workspace }}/kata-containers
      - name: Run Action
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
        uses: ./.github/cargo-deny-composite-action
--- a/.github/workflows/cc-payload-after-push.yaml
+++ b/.github/workflows/cc-payload-after-push.yaml
@@ -0,0 +1,98 @@
+name: CI | Publish Kata Containers payload for Confidential Containers
+on:
+  push:
+    branches:
+      - CCv0
+
+jobs:
+  build-asset:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        asset:
+          - cc-cloud-hypervisor
+          - cc-kernel
+          - cc-qemu
+          - cc-rootfs-image
+          - cc-shim-v2
+          - cc-virtiofsd
+          - cc-sev-kernel
+          - cc-sev-ovmf
+          - cc-sev-rootfs-initrd
+          - cc-tdx-kernel
+          - cc-tdx-rootfs-image
+          - cc-tdx-qemu
+          - cc-tdx-td-shim
+          - cc-tdx-tdvf
+    steps:
+      - name: Login to Kata Containers quay.io
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # This is needed in order to keep the commit ids history
+      - name: Build ${{ matrix.asset }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+          PUSH_TO_REGISTRY: yes
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - uses: actions/checkout@v3
+      - name: get-artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  kata-payload:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Confidential Containers quay.io
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball
+
+      - name: build-and-push-kata-payload
+        id: build-and-push-kata-payload
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz "quay.io/confidential-containers/runtime-payload-ci" "kata-containers-latest"
--- a/.github/workflows/cc-payload.yaml
+++ b/.github/workflows/cc-payload.yaml
@@ -0,0 +1,88 @@
+name: Publish Kata Containers payload for Confidential Containers
+on:
+  push:
+    tags:
+      - 'CC\-[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  build-asset:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        asset:
+          - cc-cloud-hypervisor
+          - cc-kernel
+          - cc-qemu
+          - cc-rootfs-image
+          - cc-shim-v2
+          - cc-virtiofsd
+          - cc-sev-kernel
+          - cc-sev-ovmf
+          - cc-sev-rootfs-initrd
+          - cc-tdx-kernel
+          - cc-tdx-rootfs-image
+          - cc-tdx-qemu
+          - cc-tdx-td-shim
+          - cc-tdx-tdvf
+    steps:
+      - uses: actions/checkout@v3
+      - name: Build ${{ matrix.asset }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - uses: actions/checkout@v3
+      - name: get-artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  kata-payload:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to quay.io
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.COCO_QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.COCO_QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@v3
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: kata-static-tarball
+
+      - name: build-and-push-kata-payload
+        id: build-and-push-kata-payload
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh $(pwd)/kata-static.tar.xz
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -1,33 +0,0 @@
-name: Kata Containers CoCo Stability Tests Weekly
-on:
-  # Note: This workload is not currently maintained, so skipping it's scheduled runs
-  # schedule:
-  #   - cron: '0 0 * * 0'
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  kata-containers-ci-on-push:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/ci-weekly.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      pr-number: "weekly"
-      tag: ${{ github.sha }}-weekly
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -1,35 +0,0 @@
-name: Kata Containers CI (manually triggered)
-on:
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  kata-containers-ci-on-push:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/ci.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      pr-number: "dev"
-      tag: ${{ github.sha }}-dev
-      target-branch: ${{ github.ref_name }}
-
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-
-  build-checks:
-    uses: ./.github/workflows/build-checks.yaml
-    with:
-      instance: ubuntu-22.04
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -1,27 +0,0 @@
-on:
-  schedule:
-    - cron: '0 5 * * *'
-
-name: Nightly CI for s390x
-
-permissions: {}
-
-jobs:
-  check-internal-test-result:
-    name: check-internal-test-result
-    runs-on: s390x
-    strategy:
-      fail-fast: false
-      matrix:
-        test_title:
-          - kata-vfio-ap-e2e-tests
-          - cc-vfio-ap-e2e-tests
-          - cc-se-e2e-tests-go
-          - cc-se-e2e-tests-rs
-    steps:
-    - name: Fetch a test result for {{ matrix.test_title }}
-      run: |
-        file_name="${TEST_TITLE}-$(date +%Y-%m-%d).log"
-        "/home/${USER}/script/handle_test_log.sh" download "$file_name"
-      env:
-        TEST_TITLE: ${{ matrix.test_title }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -1,34 +0,0 @@
-name: Kata Containers Nightly CI
-on:
-  schedule:
-    - cron: '0 0 * * *'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-permissions: {}
-
-jobs:
-  kata-containers-ci-on-push:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/ci.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      pr-number: "nightly"
-      tag: ${{ github.sha }}-nightly
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -1,54 +0,0 @@
-name: Kata Containers CI
-on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
-    branches:
-      - 'main'
-    types:
-      # Adding 'labeled' to the list of activity types that trigger this event
-      # (default: opened, synchronize, reopened) so that we can run this
-      # workflow when the 'ok-to-test' label is added.
-      # Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  skipper:
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
-    uses: ./.github/workflows/gatekeeper-skipper.yaml
-    with:
-      commit-hash: ${{ github.event.pull_request.head.sha }}
-      target-branch: ${{ github.event.pull_request.base.ref }}
-
-  kata-containers-ci-on-push:
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/ci.yaml
-    with:
-      commit-hash: ${{ github.event.pull_request.head.sha }}
-      pr-number: ${{ github.event.pull_request.number }}
-      tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}
-      target-branch: ${{ github.event.pull_request.base.ref }}
-      skip-test: ${{ needs.skipper.outputs.skip_test }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -1,128 +0,0 @@
-name: Run the CoCo Kata Containers Stability CI
-on:
-  workflow_call:
-    inputs:
-      commit-hash:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD:
-        required: true
-
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-      KBUILD_SIGN_PIN:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-amd64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-
-  publish-kata-deploy-payload-amd64:
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-and-publish-tee-confidential-unencrypted-image:
-    name: build-and-publish-tee-confidential-unencrypted-image
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
-        with:
-          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
-          push: true
-          context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
-          platforms: linux/amd64
-          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
-
-  run-kata-coco-stability-tests:
-    needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
-    uses: ./.github/workflows/run-kata-coco-stability-tests.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-      tarball-suffix: -${{ inputs.tag }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-    permissions:
-      contents: read
-      id-token: write
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,518 +0,0 @@
-name: Run the Kata Containers CI
-on:
-  workflow_call:
-    inputs:
-      commit-hash:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-      skip-test:
-        required: false
-        type: string
-        default: no
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD:
-        required: true
-
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-      CI_HKD_PATH:
-        required: true
-      ITA_KEY:
-        required: true
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-      NGC_API_KEY:
-        required: true
-      KBUILD_SIGN_PIN:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-amd64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-
-  publish-kata-deploy-payload-amd64:
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-kata-static-tarball-arm64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  publish-kata-deploy-payload-arm64:
-    needs: build-kata-static-tarball-arm64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04-arm
-      arch: arm64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-kata-static-tarball-s390x:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-kata-static-tarball-ppc64le:
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-kata-static-tarball-riscv64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-s390x:
-    needs: build-kata-static-tarball-s390x
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-24.04-s390x
-      arch: s390x
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-ppc64le:
-    needs: build-kata-static-tarball-ppc64le
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
-      arch: ppc64le
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-and-publish-tee-confidential-unencrypted-image:
-    name: build-and-publish-tee-confidential-unencrypted-image
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
-        with:
-          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
-          push: true
-          context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
-          platforms: linux/amd64, linux/s390x
-          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
-
-  publish-csi-driver-amd64:
-    name: publish-csi-driver-amd64
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64-${{ inputs.tag }}
-          path: kata-artifacts
-
-      - name: Install tools
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
-
-      - name: Copy binary into Docker context
-        run: |
-          # Copy to the location where the Dockerfile expects the binary.
-          mkdir -p src/tools/csi-kata-directvolume/bin/
-          cp /opt/kata/bin/csi-kata-directvolume src/tools/csi-kata-directvolume/bin/directvolplugin
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
-        with:
-          tags: ghcr.io/kata-containers/csi-kata-directvolume:${{ inputs.pr-number }}
-          push: true
-          context: src/tools/csi-kata-directvolume/
-          platforms: linux/amd64
-          file: src/tools/csi-kata-directvolume/Dockerfile
-
-  run-kata-monitor-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/run-kata-monitor-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-k8s-tests-on-aks:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
-
-    permissions:
-      contents: read
-      id-token: write # Used for OIDC access to log into Azure
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-  run-k8s-tests-on-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-amd64.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-k8s-tests-on-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-arm64
-    uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-arm64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-k8s-tests-on-nvidia-gpu:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-
-
-  run-kata-coco-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs:
-     - publish-kata-deploy-payload-amd64
-     - build-and-publish-tee-confidential-unencrypted-image
-     - publish-csi-driver-amd64
-    uses: ./.github/workflows/run-kata-coco-tests.yaml
-    permissions:
-      contents: read
-      id-token: write # Used for OIDC access to log into Azure
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-
-  run-k8s-tests-on-zvsi:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
-    uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-
-  run-k8s-tests-on-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-ppc64le
-    uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-kata-deploy-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-amd64]
-    uses: ./.github/workflows/run-kata-deploy-tests.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-basic-amd64-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/basic-ci-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-basic-s390x-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    uses: ./.github/workflows/basic-ci-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-cri-containerd-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: lts,    vmm: clh              },
-          { containerd_version: lts,    vmm: dragonball       },
-          { containerd_version: lts,    vmm: qemu             },
-          { containerd_version: lts,    vmm: stratovirt       },
-          { containerd_version: lts,    vmm: cloud-hypervisor },
-          { containerd_version: lts,    vmm: qemu-runtime-rs  },
-          { containerd_version: active, vmm: clh              },
-          { containerd_version: active, vmm: dragonball       },
-          { containerd_version: active, vmm: qemu             },
-          { containerd_version: active, vmm: stratovirt       },
-          { containerd_version: active, vmm: cloud-hypervisor },
-          { containerd_version: active, vmm: qemu-runtime-rs  },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-s390x:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu            },
-          { containerd_version: active, vmm: qemu-runtime-rs },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: s390x-large
-      arch: s390x
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-tests-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-ppc64le
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le
-      arch: ppc64le
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-tests-arm64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: arm64-non-k8s
-      arch: arm64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -1,38 +0,0 @@
-name: Cleanup dangling Azure resources
-on:
-  schedule:
-    - cron: "0 0 * * *"
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  cleanup-resources:
-    name: cleanup-resources
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write # Used for OIDC access to log into Azure
-    environment: ci
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Log into Azure
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Install Python dependencies
-        run: |
-          pip3 install --user --upgrade \
-            azure-identity==1.16.0 \
-            azure-mgmt-resource==23.0.1
-
-      - name: Cleanup resources
-        env:
-          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-          CLEANUP_AFTER_HOURS: 24 # Clean up resources created more than this many hours ago.
-        run: python3 tests/cleanup_resources.py
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,100 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL Advanced"
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-  schedule:
-    - cron: '45 0 * * 1'
-
-permissions: {}
-
-
-jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
-    # Runner size impacts CodeQL analysis time. To learn more, please see:
-    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
-    #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners (GitHub.com only)
-    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
-    runs-on: ubuntu-24.04
-    permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - language: go
-          build-mode: manual
-        - language: python
-          build-mode: none
-        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
-        # Use `c-cpp` to analyze code written in C, C++ or both
-        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
-        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
-        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
-        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-
-    # Add any setup steps before running the `github/codeql-action/init` action.
-    # This includes steps like installing compilers or runtimes (`actions/setup-node`
-    # or others). This is typically only required for manual builds.
-    # - name: Setup runtime (example)
-    #   uses: actions/setup-example@v1
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
-      with:
-        languages: ${{ matrix.language }}
-        build-mode: ${{ matrix.build-mode }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-    # If the analyze step fails for one of the languages you are analyzing with
-    # "We were unable to automatically build your code", modify the matrix above
-    # to set the build mode to "manual" for that language. Then modify this step
-    # to build your code.
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-    - if: matrix.build-mode == 'manual' && matrix.language == 'go'
-      shell: bash
-      run: |
-        make -C src/runtime
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
-      with:
-        category: "/language:${{matrix.language}}"
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -6,12 +6,6 @@ on:
      - reopened
      - synchronize

-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 env:
  error_msg: |+
    See the document below for help on formatting commits for the project.
@@ -20,14 +14,13 @@ env:

 jobs:
  commit-message-check:
-    runs-on: ubuntu-22.04
-    env:
-      PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+    runs-on: ubuntu-latest
    name: Commit Message Check
    steps:
    - name: Get PR Commits
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      id: 'get-pr-commits'
-      uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
+      uses: tim-actions/get-pr-commits@v1.2.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        # Filter out revert commits
@@ -35,34 +28,32 @@ jobs:
        #
        # Revert "<original-subject-line>"
        #
-        # The format of a re-re-vert commit as follows:
-        #
-        # Reapply "<original-subject-line>"
-        filter_out_pattern: '^Revert "|^Reapply "'
+        filter_out_pattern: '^Revert "'

    - name: DCO Check
-      uses: tim-actions/dco@f2279e6e62d5a7d9115b0cb8e837b777b1b02e21 # v1.1.0
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Commit Body Missing Check
-      if: ${{ success() || failure() }}
-      uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      uses: tim-actions/commit-body-check@v1.0.2
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Check Subject Line Length
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
-        pattern: '^.{0,75}(\n.*)*$'
+        pattern: '^.{0,75}(\n.*)*$|^Merge pull request (?:kata-containers)?#[\d]+ from.*'
        error: 'Subject too long (max 75)'
        post_error: ${{ env.error_msg }}

    - name: Check Body Line Length
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        # Notes:
@@ -71,9 +62,6 @@ jobs:
        #   to be specified at the start of the regex as the action is passed
        #   the entire commit message.
        #
-        # - This check will pass if the commit message only contains a subject
-        #   line, as other body message properties are enforced elsewhere.
-        #
        # - Body lines *can* be longer than the maximum if they start
        #   with a non-alphabetic character or if there is no whitespace in
        #   the line.
@@ -87,15 +75,26 @@ jobs:
        #
        # - A SoB comment can be any length (as it is unreasonable to penalise
        #   people with long names/email addresses :)
-        pattern: '(^[^\n]+$|^.+(\n([a-zA-Z].{0,150}|[^a-zA-Z\n].*|[^\s\n]*|Signed-off-by:.*|))+$)'
+        pattern: '^.+(\n([a-zA-Z].{0,150}|[^a-zA-Z\n].*|[^\s\n]*|Signed-off-by:.*|))+$'
        error: 'Body line too long (max 150)'
        post_error: ${{ env.error_msg }}

-    - name: Check Subsystem
-      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
+    - name: Check Fixes
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
-        pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:'
+        pattern: '\s*Fixes\s*:?\s*(#\d+|github\.com\/kata-containers\/[a-z-.]*#\d+)|^\s*release\s*:'
+        flags: 'i'
+        error: 'No "Fixes" found'
+        post_error: ${{ env.error_msg }}
+        one_pass_all_pass: 'true'
+
+    - name: Check Subsystem
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
+      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      with:
+        commits: ${{ steps.get-pr-commits.outputs.commits }}
+        pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:|^Merge pull request (?:kata-containers)?#[\d]+ from.*'
        error: 'Failed to find subsystem in subject'
        post_error: ${{ env.error_msg }}
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -6,38 +6,20 @@ on:
      - reopened
      - synchronize

-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
 name: Darwin tests
 jobs:
  test:
-    name: test
-    runs-on: macos-latest
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+        os: [macos-latest]
+    runs-on: ${{ matrix.os }}
    steps:
-    - name: Install Protoc
-      run: |
-        f=$(mktemp)
-        curl -sSLo "$f" https://github.com/protocolbuffers/protobuf/releases/download/v28.2/protoc-28.2-osx-aarch_64.zip
-        mkdir -p "$HOME/.local"
-        unzip -d "$HOME/.local" "$f"
-        echo "$HOME/.local/bin" >> "${GITHUB_PATH}"
-
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Install Go
+      uses: actions/setup-go@v2
      with:
-        persist-credentials: false
-
-    - name: Install golang
-      run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
-
-    - name: Install Rust
-      run: ./tests/install_rust.sh
-
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
    - name: Build utils
      run: ./ci/darwin-test.sh
--- a/.github/workflows/deploy-ccv0-demo.yaml
+++ b/.github/workflows/deploy-ccv0-demo.yaml
@@ -0,0 +1,129 @@
+on:
+  issue_comment:
+    types: [created, edited]
+
+name: deploy-ccv0-demo
+
+jobs:
+  check-comment-and-membership:
+    runs-on: ubuntu-latest
+    if: |
+      github.event.issue.pull_request
+      && github.event_name == 'issue_comment'
+      && github.event.action == 'created'
+      && startsWith(github.event.comment.body, '/deploy-ccv0-demo')
+    steps:
+      - name: Check membership
+        uses: kata-containers/is-organization-member@1.0.1
+        id: is_organization_member
+        with:
+          organization: kata-containers
+          username: ${{ github.event.comment.user.login }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fail if not member
+        run: |
+          result=${{ steps.is_organization_member.outputs.result }}
+          if [ $result == false ]; then
+              user=${{ github.event.comment.user.login }}
+              echo Either ${user} is not part of the kata-containers organization
+              echo or ${user} has its Organization Visibility set to Private at
+              echo https://github.com/orgs/kata-containers/people?query=${user}
+              echo 
+              echo Ensure you change your Organization Visibility to Public and
+              echo trigger the test again.
+              exit 1
+          fi
+
+  build-asset:
+    runs-on: ubuntu-latest
+    needs: check-comment-and-membership
+    strategy:
+      matrix:
+        asset:
+          - cloud-hypervisor
+          - firecracker
+          - kernel
+          - qemu
+          - rootfs-image
+          - rootfs-initrd
+          - shim-v2
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install docker
+        run: |
+          curl -fsSL https://test.docker.com -o test-docker.sh
+          sh test-docker.sh
+
+      - name: Prepare confidential container rootfs
+        if: ${{ matrix.asset == 'rootfs-initrd' }}
+        run: |
+          pushd include_rootfs/etc
+          curl -LO https://raw.githubusercontent.com/confidential-containers/documentation/main/demos/ssh-demo/aa-offline_fs_kbc-keys.json
+          mkdir kata-containers
+          envsubst < docs/how-to/data/confidential-agent-config.toml.in > kata-containers/agent.toml
+          popd
+        env:
+          AA_KBC_PARAMS: offline_fs_kbc::null
+
+      - name: Build ${{ matrix.asset }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          AA_KBC: offline_fs_kbc
+          INCLUDE_ROOTFS: include_rootfs
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+
+  kata-deploy:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-static-tarball
+      - name: build-and-push-kata-deploy-ci
+        id: build-and-push-kata-deploy-ci
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/confidential-containers/runtime-payload:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
+          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
+          docker push quay.io/confidential-containers/runtime-payload:$pkg_sha
+          mkdir -p packaging/kata-deploy
+          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
+          echo "::set-output name=PKG_SHA::${pkg_sha}"
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -1,34 +1,41 @@
 on:
  schedule:
    - cron:  '0 23 * * 0'
-  workflow_dispatch:
-
-permissions: {}

 name: Docs URL Alive Check
 jobs:
  test:
-    name: test
-    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        go-version: [1.17.x]
+        os: [ubuntu-20.04]
+    runs-on: ${{ matrix.os }}
    # don't run this action on forks
    if: github.repository_owner == 'kata-containers'
    env:
      target_branch: ${{ github.base_ref }}
    steps:
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: ${{ matrix.go-version }}
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
    - name: Set env
      run: |
-        echo "GOPATH=${GITHUB_WORKSPACE}" >> "$GITHUB_ENV"
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@v2
      with:
        fetch-depth: 0
-        persist-credentials: false
-
-    - name: Install golang
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup
      run: |
-        ./tests/install_go.sh -f -p
-        echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
-
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    # docs url alive check
    - name: Docs URL Alive Check
      run: |
-        make docs-url-alive-check
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make docs-url-alive-check
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -1,55 +0,0 @@
-name: Skipper
-
-# This workflow sets various "skip_*" output values that can be used to
-# determine what workflows/jobs are expected to be executed. Sample usage:
-#
-#   skipper:
-#     uses: ./.github/workflows/gatekeeper-skipper.yaml
-#     with:
-#       commit-hash: ${{ github.event.pull_request.head.sha }}
-#       target-branch: ${{ github.event.pull_request.base.ref }}
-#
-#   your-workflow:
-#     needs: skipper
-#     if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
-
-on:
-  workflow_call:
-    inputs:
-      commit-hash:
-        required: true
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    outputs:
-      skip_build:
-        value: ${{ jobs.skipper.outputs.skip_build }}
-      skip_test:
-        value: ${{ jobs.skipper.outputs.skip_test }}
-      skip_static:
-        value: ${{ jobs.skipper.outputs.skip_static }}
-
-permissions: {}
-
-jobs:
-  skipper:
-    name: skipper
-    runs-on: ubuntu-22.04
-    outputs:
-      skip_build: ${{ steps.skipper.outputs.skip_build }}
-      skip_test: ${{ steps.skipper.outputs.skip_test }}
-      skip_static: ${{ steps.skipper.outputs.skip_static }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-      - id: skipper
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-        run: |
-          python3 tools/testing/gatekeeper/skips.py | tee -a "$GITHUB_OUTPUT"
-        shell: /usr/bin/bash -x {0}
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -1,53 +0,0 @@
-name: Gatekeeper
-
-# Gatekeeper uses the "skips.py" to determine which job names/regexps are
-# required for given PR and waits for them to either complete or fail
-# reporting the status.
-
-on:
-  pull_request_target: # zizmor: ignore[dangerous-triggers] See #11332.
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  gatekeeper:
-    name: gatekeeper
-    runs-on: ubuntu-22.04
-    permissions:
-      actions: read
-      contents: read
-      issues: read
-      pull-requests: read
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-          persist-credentials: false
-      - id: gatekeeper
-        env:
-          TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
-          GH_PR_NUMBER: ${{ github.event.pull_request.number }}
-        run: |
-          #!/usr/bin/env bash -x
-          mapfile -t lines < <(python3 tools/testing/gatekeeper/skips.py -t)
-          export REQUIRED_JOBS="${lines[0]}"
-          export REQUIRED_REGEXPS="${lines[1]}"
-          export REQUIRED_LABELS="${lines[2]}"
-          echo "REQUIRED_JOBS: $REQUIRED_JOBS"
-          echo "REQUIRED_REGEXPS: $REQUIRED_REGEXPS"
-          echo "REQUIRED_LABELS: $REQUIRED_LABELS"
-          python3 tools/testing/gatekeeper/jobs.py
-          exit $?
-        shell: /usr/bin/bash -x {0}
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -1,53 +0,0 @@
-on:
-  workflow_call:
-
-name: Govulncheck
-
-permissions: {}
-
-jobs:
-  govulncheck:
-    name: govulncheck
-    runs-on: ubuntu-22.04
-    strategy:
-      matrix:
-        include:
-          - binary: "kata-runtime"
-            make_target: "runtime"
-          - binary: "containerd-shim-kata-v2"
-            make_target: "containerd-shim-v2"
-          - binary: "kata-monitor"
-            make_target: "monitor"
-      fail-fast: false
-
-    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Install golang
-        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "${GITHUB_PATH}"
-
-      - name: Install govulncheck
-        run: |
-          go install golang.org/x/vuln/cmd/govulncheck@latest
-          echo "${HOME}/go/bin" >> "${GITHUB_PATH}"
-
-      - name: Build runtime binaries
-        run: |
-          cd src/runtime
-          make "${MAKE_TARGET}"
-        env:
-          MAKE_TARGET: ${{ matrix.make_target }}
-          SKIP_GO_VERSION_CHECK: "1"
-
-      - name: Run govulncheck on ${{ matrix.binary }}
-        env:
-          BINARY: ${{ matrix.binary }}
-        run: |
-          cd src/runtime
-          bash ../../tests/govulncheck-runner.sh "./${BINARY}"
--- a/.github/workflows/kata-deploy-push.yaml
+++ b/.github/workflows/kata-deploy-push.yaml
@@ -0,0 +1,84 @@
+name: kata deploy build
+
+on: 
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+    paths:
+      - tools/**
+      - versions.yaml
+
+jobs:
+  build-asset:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        asset:
+          - kernel
+          - shim-v2
+          - qemu
+          - cloud-hypervisor
+          - firecracker
+          - rootfs-image
+          - rootfs-initrd
+          - virtiofsd
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install docker
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          curl -fsSL https://test.docker.com -o test-docker.sh
+          sh test-docker.sh
+
+      - name: Build ${{ matrix.asset }}
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r --preserve=all "${build_dir}" "kata-build"
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+
+      - name: store-artifact ${{ matrix.asset }}
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - uses: actions/checkout@v2
+      - name: get-artifacts
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-artifacts
+          path: build
+      - name: merge-artifacts
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          make merge-builds
+      - name: store-artifacts
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+
+  make-kata-tarball:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: make kata-tarball
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          make kata-tarball
+          sudo make install-tarball
--- a/.github/workflows/kata-deploy-test.yaml
+++ b/.github/workflows/kata-deploy-test.yaml
@@ -0,0 +1,167 @@
+on:
+  workflow_dispatch: # this is used to trigger the workflow on non-main branches
+    inputs:
+      pr:
+        description: 'PR number from the selected branch to test'
+        type: string
+        required: true
+  issue_comment:
+    types: [created, edited]
+
+name: test-kata-deploy
+
+jobs:
+  check-comment-and-membership:
+    runs-on: ubuntu-latest
+    if: |
+      github.event.issue.pull_request
+      && github.event_name == 'issue_comment'
+      && github.event.action == 'created'
+      && startsWith(github.event.comment.body, '/test_kata_deploy')
+      || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Check membership on comment or dispatch
+        uses: kata-containers/is-organization-member@1.0.1
+        id: is_organization_member
+        with:
+          organization: kata-containers
+          username: ${{ github.event.comment.user.login || github.event.sender.login }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fail if not member
+        run: |
+          result=${{ steps.is_organization_member.outputs.result }}
+          if [ $result == false ]; then
+              user=${{ github.event.comment.user.login || github.event.sender.login }}
+              echo Either ${user} is not part of the kata-containers organization
+              echo or ${user} has its Organization Visibility set to Private at
+              echo https://github.com/orgs/kata-containers/people?query=${user}
+              echo 
+              echo Ensure you change your Organization Visibility to Public and
+              echo trigger the test again.
+              exit 1
+          fi
+
+  build-asset:
+    runs-on: ubuntu-latest
+    needs: check-comment-and-membership
+    strategy:
+      matrix:
+        asset:
+          - cloud-hypervisor
+          - firecracker
+          - kernel
+          - qemu
+          - rootfs-image
+          - rootfs-initrd
+          - shim-v2
+          - virtiofsd
+    steps:
+      - name: get-PR-ref
+        id: get-PR-ref
+        run: |
+            if [ ${{ github.event_name }} == 'issue_comment' ]; then
+                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
+            else # workflow_dispatch
+                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
+            fi
+            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
+            echo "##[set-output name=pr-ref;]${ref}"
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
+
+      - name: Install docker
+        run: |
+          curl -fsSL https://test.docker.com -o test-docker.sh
+          sh test-docker.sh
+
+      - name: Build ${{ matrix.asset }}
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
+    steps:
+      - name: get-PR-ref
+        id: get-PR-ref
+        run: |
+            if [ ${{ github.event_name }} == 'issue_comment' ]; then
+                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
+            else # workflow_dispatch
+                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
+            fi
+            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
+            echo "##[set-output name=pr-ref;]${ref}"
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
+      - name: get-artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz
+
+  kata-deploy:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
+    steps:
+      - name: get-PR-ref
+        id: get-PR-ref
+        run: |
+            if [ ${{ github.event_name }} == 'issue_comment' ]; then
+                ref=$(cat $GITHUB_EVENT_PATH | jq -r '.issue.pull_request.url' | sed  's#^.*\/pulls#refs\/pull#' | sed 's#$#\/merge#')
+            else # workflow_dispatch
+                ref="refs/pull/${{ github.event.inputs.pr }}/merge"
+            fi
+            echo "reference for PR: " ${ref} "event:" ${{ github.event_name }}
+            echo "##[set-output name=pr-ref;]${ref}"
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ steps.get-PR-ref.outputs.pr-ref }}
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v2
+        with:
+          name: kata-static-tarball
+      - name: build-and-push-kata-deploy-ci
+        id: build-and-push-kata-deploy-ci
+        run: |
+          PR_SHA=$(git log --format=format:%H -n1)
+          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t quay.io/kata-containers/kata-deploy-ci:$PR_SHA $GITHUB_WORKSPACE/tools/packaging/kata-deploy
+          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
+          docker push quay.io/kata-containers/kata-deploy-ci:$PR_SHA
+          mkdir -p packaging/kata-deploy
+          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
+          echo "::set-output name=PKG_SHA::${PR_SHA}"
+      - name: test-kata-deploy-ci-in-aks
+        uses: ./packaging/kata-deploy/action
+        with:
+          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+        env:
+          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+          AZ_APPID: ${{ secrets.AZ_APPID }}
+          AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -1,43 +0,0 @@
-name: kata-runtime-classes-sync
-
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  kata-deploy-runtime-classes-check:
-    name: kata-deploy-runtime-classes-check
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Ensure the split out runtime classes match the all-in-one file
-      run: |
-        pushd tools/packaging/kata-deploy/runtimeclasses/
-        echo "::group::Combine runtime classes"
-        for runtimeClass in $(find . -type f \( -name "*.yaml" -and -not -name "kata-runtimeClasses.yaml" \) | sort); do
-            echo "Adding ${runtimeClass} to the resultingRuntimeClasses.yaml"
-            cat "${runtimeClass}" >> resultingRuntimeClasses.yaml;
-        done
-        echo "::endgroup::"
-        echo "::group::Displaying the content of resultingRuntimeClasses.yaml"
-        cat resultingRuntimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        echo "::group::Displaying the content of kata-runtimeClasses.yaml"
-        cat kata-runtimeClasses.yaml
-        echo "::endgroup::"
-        echo ""
-        diff resultingRuntimeClasses.yaml kata-runtimeClasses.yaml
--- a/.github/workflows/move-issues-to-in-progress.yaml
+++ b/.github/workflows/move-issues-to-in-progress.yaml
@@ -0,0 +1,82 @@
+# Copyright (c) 2020 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+name: Move issues to "In progress" in backlog project when referenced by a PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  move-linked-issues-to-in-progress:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install hub
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          HUB_ARCH="amd64"
+          HUB_VER=$(curl -sL "https://api.github.com/repos/github/hub/releases/latest" |\
+            jq -r .tag_name | sed 's/^v//')
+          curl -sL \
+            "https://github.com/github/hub/releases/download/v${HUB_VER}/hub-linux-${HUB_ARCH}-${HUB_VER}.tgz" |\
+          tar xz --strip-components=2 --wildcards '*/bin/hub' && \
+          sudo install hub /usr/local/bin
+
+      - name: Install hub extension script
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          # Clone into a temporary directory to avoid overwriting
+          # any existing github directory.
+          pushd $(mktemp -d) &>/dev/null
+          git clone --single-branch --depth 1 "https://github.com/kata-containers/.github" && cd .github/scripts
+          sudo install hub-util.sh /usr/local/bin
+          popd &>/dev/null
+
+      - name: Checkout code to allow hub to communicate with the project
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/checkout@v2
+
+      - name: Move issue to "In progress"
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_TOKEN }}
+        run: |
+          pr=${{ github.event.pull_request.number }}
+
+          linked_issue_urls=$(hub-util.sh \
+            list-issues-for-pr "$pr" |\
+            grep -v "^\#"  |\
+            cut -d';' -f3 || true)
+
+          # PR doesn't have any linked issues
+          # (it should, but maybe a new user forgot to add a "Fixes: #XXX" commit).
+          [ -z "$linked_issue_urls" ] && {
+            echo "::error::No linked issues for PR $pr"
+            exit 1
+          }
+
+          project_name="Issue backlog"
+          project_type="org"
+          project_column="In progress"
+
+          for issue_url in $(echo "$linked_issue_urls")
+          do
+            issue=$(echo "$issue_url"| awk -F\/ '{print $NF}' || true)
+
+            [ -z "$issue" ] && {
+              echo "::error::Cannot determine issue number from $issue_url for PR $pr"
+              exit 1
+            }
+
+            # Move the issue to the correct column on the project board
+            hub-util.sh \
+              move-issue \
+              "$issue" \
+              "$project_name" \
+              "$project_type" \
+              "$project_column"
+          done
--- a/.github/workflows/nydus-snapshotter-version-in-sync.yaml
+++ b/.github/workflows/nydus-snapshotter-version-in-sync.yaml
@@ -1,35 +0,0 @@
-name: nydus-snapshotter-version-sync
-
-on:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  nydus-snapshotter-version-check:
-    name: nydus-snapshotter-version-check
-    runs-on: ubuntu-22.04
-    steps:
-    - name: Checkout code
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Ensure nydus-snapshotter-version is in sync inside our repo
-      run: |
-        dockerfile_version=$(grep "ARG NYDUS_SNAPSHOTTER_VERSION" tools/packaging/kata-deploy/Dockerfile | cut -f2 -d'=')
-        versions_version=$(yq ".externals.nydus-snapshotter.version | explode(.)" versions.yaml)
-        if [[ "${dockerfile_version}" != "${versions_version}" ]]; then
-          echo "nydus-snapshotter version must be the same in the following places: "
-          echo "- versions.yaml: ${versions_version}"
-          echo "- tools/packaging/kata-deploy/Dockerfile: ${dockerfile_version}"
-          exit 1
-        fi
--- a/.github/workflows/osv-scanner.yaml
+++ b/.github/workflows/osv-scanner.yaml
@@ -1,43 +0,0 @@
-# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
-# in addition to a PR check which fails if new vulnerabilities are introduced.
-#
-# For more examples and options, including how to ignore specific vulnerabilities,
-# see https://google.github.io/osv-scanner/github-action/
-
-name: OSV-Scanner
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches: [ "main" ]
-  schedule:
-    - cron: '0 1 * * 0'
-  push:
-    branches: [ "main" ]
-
-permissions: {}
-
-jobs:
-  scan-scheduled:
-    permissions:
-      actions: read # # Required to upload SARIF file to CodeQL
-      contents: read  # Read commit contents
-      security-events: write  # Require writing security events to upload SARIF file to security tab
-    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
-    with:
-      scan-args: |-
-        -r
-        ./
-  scan-pr:
-    permissions:
-      actions: read # Required to upload SARIF file to CodeQL
-      contents: read  # Read commit contents
-      security-events: write  # Require writing security events to upload SARIF file to security tab
-    if: ${{ github.event_name == 'pull_request' }}
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6" # v2.1.0
-    with:
-      # Example of specifying custom arguments
-      scan-args: |-
-        -r
-        ./
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -1,163 +0,0 @@
-name: CI | Publish Kata Containers payload
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-
-jobs:
-  build-assets-amd64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      push-to-registry: yes
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-
-  build-assets-arm64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      push-to-registry: yes
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-assets-s390x:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      push-to-registry: yes
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-assets-ppc64le:
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      push-to-registry: yes
-      target-branch: ${{ github.ref_name }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-amd64:
-    needs: build-assets-amd64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      registry: quay.io
-      repo: kata-containers/kata-deploy-ci
-      tag: kata-containers-latest-amd64
-      target-branch: ${{ github.ref_name }}
-      runner: ubuntu-22.04
-      arch: amd64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-arm64:
-    needs: build-assets-arm64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      registry: quay.io
-      repo: kata-containers/kata-deploy-ci
-      tag: kata-containers-latest-arm64
-      target-branch: ${{ github.ref_name }}
-      runner: ubuntu-22.04-arm
-      arch: arm64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-s390x:
-    needs: build-assets-s390x
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      registry: quay.io
-      repo: kata-containers/kata-deploy-ci
-      tag: kata-containers-latest-s390x
-      target-branch: ${{ github.ref_name }}
-      runner: s390x
-      arch: s390x
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-ppc64le:
-    needs: build-assets-ppc64le
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      commit-hash: ${{ github.sha }}
-      registry: quay.io
-      repo: kata-containers/kata-deploy-ci
-      tag: kata-containers-latest-ppc64le
-      target-branch: ${{ github.ref_name }}
-      runner: ppc64le
-      arch: ppc64le
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-manifest:
-    name: publish-manifest
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      packages: write
-    needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - name: Push multi-arch manifest
-        run: |
-          ./tools/packaging/release/release.sh publish-multiarch-manifest
-        env:
-          KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
-          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -1,90 +0,0 @@
-name: CI | Publish kata-deploy payload
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-      runner:
-        default: 'ubuntu-22.04'
-        description: The runner to execute the workflow on. Defaults to 'ubuntu-22.04'.
-        required: false
-        type: string
-      arch:
-        description: The arch of the tarball.
-        required: true
-        type: string
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  kata-payload:
-    name: kata-payload
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ${{ inputs.runner }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tarball for ${{ inputs.arch }}
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-${{ inputs.arch}}${{ inputs.tarball-suffix }}
-
-      - name: Login to Kata Containers quay.io
-        if: ${{ inputs.registry == 'quay.io' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - name: Login to Kata Containers ghcr.io
-        if: ${{ inputs.registry == 'ghcr.io' }}
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: build-and-push-kata-payload for ${{ inputs.arch }}
-        id: build-and-push-kata-payload
-        env:
-          REGISTRY: ${{ inputs.registry }}
-          REPO: ${{ inputs.repo }}
-          TAG: ${{ inputs.tag }}
-        run: |
-          ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-          "$(pwd)/kata-static.tar.zst" \
-          "${REGISTRY}/${REPO}" \
-          "${TAG}"
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -1,82 +0,0 @@
-name: Publish Kata release artifacts for amd64
-on:
-  workflow_call:
-    inputs:
-      target-arch:
-        required: true
-        type: string
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-      KBUILD_SIGN_PIN:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-amd64:
-    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
-    with:
-      push-to-registry: yes
-      stage: release
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-  kata-deploy:
-    name: kata-deploy
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64
-
-      - name: build-and-push-kata-deploy-ci-amd64
-        id: build-and-push-kata-deploy-ci-amd64
-        env:
-          TARGET_ARCH: ${{ inputs.target-arch }}
-        run: |
-          # We need to do such trick here as the format of the $GITHUB_REF
-          # is "refs/tags/<tag>"
-          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
-              tag=$(./tools/packaging/release/release.sh release-version)
-              tags=("${tag}" "latest")
-          else
-              tags=("${tag}")
-          fi
-          for tag in "${tags[@]}"; do
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-          done
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -1,79 +0,0 @@
-name: Publish Kata release artifacts for arm64
-on:
-  workflow_call:
-    inputs:
-      target-arch:
-        required: true
-        type: string
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-arm64:
-    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
-    with:
-      push-to-registry: yes
-      stage: release
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-  kata-deploy:
-    name: kata-deploy
-    needs: build-kata-static-tarball-arm64
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04-arm
-    steps:
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-arm64
-
-      - name: build-and-push-kata-deploy-ci-arm64
-        id: build-and-push-kata-deploy-ci-arm64
-        env:
-          TARGET_ARCH: ${{ inputs.target-arch }}
-        run: |
-          # We need to do such trick here as the format of the $GITHUB_REF
-          # is "refs/tags/<tag>"
-          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
-              tag=$(./tools/packaging/release/release.sh release-version)
-              tags=("${tag}" "latest")
-          else
-              tags=("${tag}")
-          fi
-          for tag in "${tags[@]}"; do
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-          done
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -1,79 +0,0 @@
-name: Publish Kata release artifacts for ppc64le
-on:
-  workflow_call:
-    inputs:
-      target-arch:
-        required: true
-        type: string
-    secrets:
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-ppc64le:
-    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
-    with:
-      push-to-registry: yes
-      stage: release
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-  kata-deploy:
-    name: kata-deploy
-    needs: build-kata-static-tarball-ppc64le
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ppc64le
-    steps:
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-ppc64le
-
-      - name: build-and-push-kata-deploy-ci-ppc64le
-        id: build-and-push-kata-deploy-ci-ppc64le
-        env:
-          TARGET_ARCH: ${{ inputs.target-arch }}
-        run: |
-          # We need to do such trick here as the format of the $GITHUB_REF
-          # is "refs/tags/<tag>"
-          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
-              tag=$(./tools/packaging/release/release.sh release-version)
-              tags=("${tag}" "latest")
-          else
-              tags=("${tag}")
-          fi
-          for tag in "${tags[@]}"; do
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-          done
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -1,83 +0,0 @@
-name: Publish Kata release artifacts for s390x
-on:
-  workflow_call:
-    inputs:
-      target-arch:
-        required: true
-        type: string
-    secrets:
-      CI_HKD_PATH:
-        required: true
-      QUAY_DEPLOYER_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  build-kata-static-tarball-s390x:
-    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
-    with:
-      push-to-registry: yes
-      stage: release
-    secrets:
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-
-  kata-deploy:
-    name: kata-deploy
-    needs: build-kata-static-tarball-s390x
-    permissions:
-      contents: read
-      packages: write
-    runs-on: s390x
-    steps:
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-s390x
-
-      - name: build-and-push-kata-deploy-ci-s390x
-        id: build-and-push-kata-deploy-ci-s390x
-        env:
-          TARGET_ARCH: ${{ inputs.target-arch }}
-        run: |
-          # We need to do such trick here as the format of the $GITHUB_REF
-          # is "refs/tags/<tag>"
-          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
-          if [ "${tag}" = "main" ]; then
-              tag=$(./tools/packaging/release/release.sh release-version)
-              tags=("${tag}" "latest")
-          else
-              tags=("${tag}")
-          fi
-          for tag in "${tags[@]}"; do
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-              ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
-                  "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
-                  "${tag}-${TARGET_ARCH}"
-          done
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,291 +1,178 @@
-name: Release Kata Containers
+name: Publish Kata release artifacts
 on:
-  workflow_dispatch
-
-permissions: {}
+  push:
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+*'

 jobs:
-  release:
-    name: release
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release create` command
+  build-asset:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        asset:
+          - cloud-hypervisor
+          - firecracker
+          - kernel
+          - qemu
+          - rootfs-image
+          - rootfs-initrd
+          - shim-v2
+          - virtiofsd
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Create a new release
+      - uses: actions/checkout@v2
+      - name: Install docker
        run: |
-          ./tools/packaging/release/release.sh create-new-release
+          curl -fsSL https://test.docker.com -o test-docker.sh
+          sh test-docker.sh
+
+      - name: Build ${{ matrix.asset }}
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-copy-yq-installer.sh
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh --build="${KATA_ASSET}"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
        env:
-          GH_TOKEN: ${{ github.token }}
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz

-  build-and-push-assets-amd64:
-    needs: release
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/release-amd64.yaml
-    with:
-      target-arch: amd64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
+          if-no-files-found: error

-  build-and-push-assets-arm64:
-    needs: release
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/release-arm64.yaml
-    with:
-      target-arch: arm64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-and-push-assets-s390x:
-    needs: release
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/release-s390x.yaml
-    with:
-      target-arch: s390x
-    secrets:
-      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-and-push-assets-ppc64le:
-    needs: release
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/release-ppc64le.yaml
-    with:
-      target-arch: ppc64le
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-multi-arch-images:
-    name: publish-multi-arch-images
-    runs-on: ubuntu-22.04
-    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
-    permissions:
-      contents: write # needed for the `gh release` commands
-      packages: write # needed to push the multi-arch manifest to ghcr.io
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: build-asset
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v2
+      - name: get-artifacts
+        uses: actions/download-artifact@v2
        with:
-          persist-credentials: false
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Kata Containers quay.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: quay.io
-          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-      - name: Get the image tags
+          name: kata-artifacts
+          path: kata-artifacts
+      - name: merge-artifacts
        run: |
-          release_version=$(./tools/packaging/release/release.sh release-version)
-          echo "KATA_DEPLOY_IMAGE_TAGS=$release_version latest" >> "$GITHUB_ENV"
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-artifacts
+      - name: store-artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: kata-static-tarball
+          path: kata-static.tar.xz

-      - name: Publish multi-arch manifest on quay.io & ghcr.io
-        run: |
-          ./tools/packaging/release/release.sh publish-multiarch-manifest
-        env:
-          KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy ghcr.io/kata-containers/kata-deploy"
-
-  upload-multi-arch-static-tarball:
-    name: upload-multi-arch-static-tarball
-    needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
-    permissions:
-      contents: write # needed for the `gh release` commands
-    runs-on: ubuntu-22.04
+  kata-deploy:
+    needs: create-kata-tarball
+    runs-on: ubuntu-latest
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v2
+      - name: get-kata-tarball
+        uses: actions/download-artifact@v2
        with:
-          persist-credentials: false
-
-      - name: Set KATA_STATIC_TARBALL env var
+          name: kata-static-tarball
+      - name: build-and-push-kata-deploy-ci
+        id: build-and-push-kata-deploy-ci
        run: |
-          tarball=$(pwd)/kata-static.tar.zst
-          echo "KATA_STATIC_TARBALL=${tarball}" >> "$GITHUB_ENV"
-
-      - name: Download amd64 artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          pushd $GITHUB_WORKSPACE
+          git checkout $tag
+          pkg_sha=$(git rev-parse HEAD)
+          popd
+          mv kata-static.tar.xz $GITHUB_WORKSPACE/tools/packaging/kata-deploy/kata-static.tar.xz
+          docker build --build-arg KATA_ARTIFACTS=kata-static.tar.xz -t katadocker/kata-deploy-ci:$pkg_sha -t quay.io/kata-containers/kata-deploy-ci:$pkg_sha $GITHUB_WORKSPACE/tools/packaging/kata-deploy
+          docker login -u ${{ secrets.DOCKER_USERNAME }} -p ${{ secrets.DOCKER_PASSWORD }}
+          docker push katadocker/kata-deploy-ci:$pkg_sha
+          docker login -u ${{ secrets.QUAY_DEPLOYER_USERNAME }} -p ${{ secrets.QUAY_DEPLOYER_PASSWORD }} quay.io
+          docker push quay.io/kata-containers/kata-deploy-ci:$pkg_sha
+          mkdir -p packaging/kata-deploy
+          ln -s $GITHUB_WORKSPACE/tools/packaging/kata-deploy/action packaging/kata-deploy/action
+          echo "::set-output name=PKG_SHA::${pkg_sha}"
+      - name: test-kata-deploy-ci-in-aks
+        uses: ./packaging/kata-deploy/action
        with:
-          name: kata-static-tarball-amd64
-
-      - name: Upload amd64 static tarball to GitHub
-        run: |
-          ./tools/packaging/release/release.sh upload-kata-static-tarball
+          packaging-sha: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
        env:
-          GH_TOKEN: ${{ github.token }}
-          ARCHITECTURE: amd64
-
-      - name: Download arm64 artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-arm64
-
-      - name: Upload arm64 static tarball to GitHub
+          PKG_SHA: ${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}}
+          AZ_APPID: ${{ secrets.AZ_APPID }}
+          AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }}
+          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+      - name: push-tarball
        run: |
-          ./tools/packaging/release/release.sh upload-kata-static-tarball
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ARCHITECTURE: arm64
+          # tag the container image we created and push to DockerHub
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tags=($tag)
+          tags+=($([[ "$tag" =~ "alpha"|"rc" ]] && echo "latest" || echo "stable"))
+          for tag in ${tags[@]}; do \
+            docker tag katadocker/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} katadocker/kata-deploy:${tag} && \
+            docker tag quay.io/kata-containers/kata-deploy-ci:${{steps.build-and-push-kata-deploy-ci.outputs.PKG_SHA}} quay.io/kata-containers/kata-deploy:${tag} && \
+            docker push katadocker/kata-deploy:${tag} && \
+            docker push quay.io/kata-containers/kata-deploy:${tag}; \
+          done

-      - name: Download s390x artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-s390x
-
-      - name: Upload s390x static tarball to GitHub
-        run: |
-          ./tools/packaging/release/release.sh upload-kata-static-tarball
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ARCHITECTURE: s390x
-
-      - name: Download ppc64le artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-ppc64le
-
-      - name: Upload ppc64le static tarball to GitHub
-        run: |
-          ./tools/packaging/release/release.sh upload-kata-static-tarball
-        env:
-          GH_TOKEN: ${{ github.token }}
-          ARCHITECTURE: ppc64le
-
-  upload-versions-yaml:
-    name: upload-versions-yaml
-    needs: release
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release` commands
+  upload-static-tarball:
+    needs: kata-deploy
+    runs-on: ubuntu-latest
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v2
+      - name: download-artifacts
+        uses: actions/download-artifact@v2
        with:
-          persist-credentials: false
-
-      - name: Upload versions.yaml to GitHub
+          name: kata-static-tarball
+      - name: install hub
        run: |
-          ./tools/packaging/release/release.sh upload-versions-yaml-file
-        env:
-          GH_TOKEN: ${{ github.token }}
+          HUB_VER=$(curl -s "https://api.github.com/repos/github/hub/releases/latest" | jq -r .tag_name | sed 's/^v//')
+          wget -q -O- https://github.com/github/hub/releases/download/v$HUB_VER/hub-linux-amd64-$HUB_VER.tgz | \
+          tar xz --strip-components=2 --wildcards '*/bin/hub' && sudo mv hub /usr/local/bin/hub
+      - name: push static tarball to github
+        run: |
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tarball="kata-static-$tag-x86_64.tar.xz"
+          mv kata-static.tar.xz "$GITHUB_WORKSPACE/${tarball}"
+          pushd $GITHUB_WORKSPACE
+          echo "uploading asset '${tarball}' for tag: ${tag}"
+          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}"
+          popd

  upload-cargo-vendored-tarball:
-    name: upload-cargo-vendored-tarball
-    needs: release
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release` commands
+    needs: upload-static-tarball
+    runs-on: ubuntu-latest
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Generate and upload vendored code tarball
+      - uses: actions/checkout@v2
+      - name: generate-and-upload-tarball
        run: |
-          ./tools/packaging/release/release.sh upload-vendored-code-tarball
-        env:
-          GH_TOKEN: ${{ github.token }}
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          tarball="kata-containers-$tag-vendor.tar.gz"
+          pushd $GITHUB_WORKSPACE
+          bash -c "tools/packaging/release/generate_vendor.sh ${tarball}"
+          GITHUB_TOKEN=${{ secrets.GIT_UPLOAD_TOKEN }} hub release edit -m "" -a "${tarball}" "${tag}" 
+          popd

  upload-libseccomp-tarball:
-    name: upload-libseccomp-tarball
-    needs: release
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release` commands
+    needs: upload-cargo-vendored-tarball
+    runs-on: ubuntu-latest
    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Download libseccomp tarball and upload it to GitHub
-        run: |
-          ./tools/packaging/release/release.sh upload-libseccomp-tarball
+      - uses: actions/checkout@v2
+      - name: download-and-upload-tarball
        env:
-          GH_TOKEN: ${{ github.token }}
-
-  upload-helm-chart-tarball:
-    name: upload-helm-chart-tarball
-    needs: release
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release` commands
-      packages: write # needed to push the helm chart to ghcr.io
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Install helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
-        id: install
-
-      - name: Generate and upload helm chart tarball
+          GITHUB_TOKEN: ${{ secrets.GIT_UPLOAD_TOKEN }}
+          GOPATH: ${HOME}/go
        run: |
-          ./tools/packaging/release/release.sh upload-helm-chart-tarball
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: Login to the OCI registries
-        env:
-          QUAY_DEPLOYER_USERNAME: ${{ vars.QUAY_DEPLOYER_USERNAME }}
-          QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-          GITHUB_TOKEN: ${{ github.token }}
-        run: |
-          echo "${QUAY_DEPLOYER_PASSWORD}" | helm registry login quay.io --username "${QUAY_DEPLOYER_USERNAME}" --password-stdin
-          echo "${GITHUB_TOKEN}" | helm registry login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
-
-      - name: Push helm chart to the OCI registries
-        run: |
-          release_version=$(./tools/packaging/release/release.sh release-version)
-          helm push "kata-deploy-${release_version}.tgz" oci://quay.io/kata-containers/kata-deploy-charts
-          helm push "kata-deploy-${release_version}.tgz" oci://ghcr.io/kata-containers/kata-deploy-charts
-
-  publish-release:
-    name: publish-release
-    needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: write # needed for the `gh release` commands
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Publish a release
-        run: |
-          ./tools/packaging/release/release.sh publish-release
-        env:
-          GH_TOKEN: ${{ github.token }}
+          pushd $GITHUB_WORKSPACE
+          ./ci/install_yq.sh
+          tag=$(echo $GITHUB_REF | cut -d/ -f3-)
+          versions_yaml="versions.yaml"
+          version=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.version")
+          repo_url=$(${GOPATH}/bin/yq read ${versions_yaml} "externals.libseccomp.url")
+          download_url="${repo_url}/releases/download/v${version}"
+          tarball="libseccomp-${version}.tar.gz"
+          asc="${tarball}.asc"
+          curl -sSLO "${download_url}/${tarball}"
+          curl -sSLO "${download_url}/${asc}"
+          # "-m" option should be empty to re-use the existing release title
+          # without opening a text editor.
+          # For the details, check https://hub.github.com/hub-release.1.html.
+          hub release edit -m "" -a "${tarball}" "${tag}"
+          hub release edit -m "" -a "${asc}" "${tag}"
+          popd
--- a/.github/workflows/require-pr-porting-labels.yaml
+++ b/.github/workflows/require-pr-porting-labels.yaml
@@ -0,0 +1,54 @@
+# Copyright (c) 2020 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+name: Ensure PR has required porting labels
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - labeled
+      - unlabeled
+    branches:
+      - main
+
+jobs:
+  check-pr-porting-labels:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install hub
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          HUB_ARCH="amd64"
+          HUB_VER=$(curl -sL "https://api.github.com/repos/github/hub/releases/latest" |\
+            jq -r .tag_name | sed 's/^v//')
+          curl -sL \
+            "https://github.com/github/hub/releases/download/v${HUB_VER}/hub-linux-${HUB_ARCH}-${HUB_VER}.tgz" |\
+          tar xz --strip-components=2 --wildcards '*/bin/hub' && \
+          sudo install hub /usr/local/bin
+
+      - name: Checkout code to allow hub to communicate with the project
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/checkout@v2
+
+      - name: Install porting checker script
+        run: |
+          # Clone into a temporary directory to avoid overwriting
+          # any existing github directory.
+          pushd $(mktemp -d) &>/dev/null
+          git clone --single-branch --depth 1 "https://github.com/kata-containers/.github" && cd .github/scripts
+          sudo install pr-porting-checks.sh /usr/local/bin
+          popd &>/dev/null
+
+      - name: Stop PR being merged unless it has a correct set of porting labels
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.KATA_GITHUB_ACTIONS_TOKEN }}
+        run: |
+          pr=${{ github.event.number }}
+          repo=${{ github.repository }}
+
+          pr-porting-checks.sh "$pr" "$repo"
--- a/.github/workflows/run-containerd-multi-snapshotter-stability-test.yaml
+++ b/.github/workflows/run-containerd-multi-snapshotter-stability-test.yaml
@@ -1,164 +0,0 @@
-name: CI | Run containerd multi-snapshotter stability test
-on:
-  schedule:
-    - cron: "0 */1 * * *" #run every hour
-
-permissions: {}
-
-# This job relies on k8s pre-installed using kubeadm
-jobs:
-  run-containerd-multi-snapshotter-stability-tests:
-    name: run-containerd-multi-snapshotter-stability-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        containerd:
-          - v1.7
-          - v2.0
-          - v2.1
-          - v2.2
-    env:
-      # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here.
-      IMAGES_LIST: quay.io/mongodb/mongodb-community-server@sha256:8b73733842da21b6bbb6df4d7b2449229bb3135d2ec8c6880314d88205772a11 ghcr.io/edgelesssys/redis@sha256:ecb0a964c259a166a1eb62f0eb19621d42bd1cce0bc9bb0c71c828911d4ba93d
-    runs-on: containerd-${{ matrix.containerd }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Rotate the journal
-        run: sudo journalctl --rotate --vacuum-time 1s
-
-      - name: Pull the kata-deploy image to be used
-        run: sudo ctr -n k8s.io image pull quay.io/kata-containers/kata-deploy-ci:kata-containers-latest
-
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      - name: Run a few containers using overlayfs
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "overlayfs | Using on image: ${img}"
-            pod="$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image=${img} \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              -- uname -r
-          done
-          
-      - name: Deploy Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
-
-      # This is needed as we may hit the createContainerTimeout
-      - name: Adjust Kata Containers' create_container_timeout
-        run: |
-          sudo sed -i -e 's/^\(create_container_timeout\).*=.*$/\1 = 600/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "create_container_timeout.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      # This is needed in order to have enough tmpfs space inside the guest to pull the image
-      - name: Adjust Kata Containers' default_memory
-        run: |
-          sudo sed -i -e 's/^\(default_memory\).*=.*$/\1 = 4096/g' /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-          grep "default_memory.*=" /opt/kata/share/defaults/kata-containers/configuration-qemu-coco-dev.toml
-
-      - name: Run a the same few containers using a different snapshotter
-        run: |
-          # I don't want those to be inside double quotes, so I'm deliberately ignoring the double quotes here
-          # shellcheck disable=SC2086
-          for img in ${IMAGES_LIST}; do
-            echo "nydus | Using on image: ${img}"
-            pod="kata-$(echo ${img} | tr ':.@/' '-' | awk '{print substr($0,1,56)}')"
-            kubectl run "${pod}" \
-              -it --rm \
-              --restart=Never \
-              --image="${img}" \
-              --image-pull-policy=Always \
-              --pod-running-timeout=10m \
-              --overrides='{
-                "spec": {
-                  "runtimeClassName": "kata-qemu-coco-dev"
-                }
-              }' \
-              -- uname -r
-          done
-
-      - name: Uninstall Kata Containers
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup || true
-        if: always()
-        env:
-          KATA_HYPERVISOR: qemu-coco-dev
-          KUBERNETES: vanilla
-          SNAPSHOTTER: nydus
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: true
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -1,75 +0,0 @@
-name: CI | Run cri-containerd tests
-
-permissions: {}
-
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-      runner:
-        description: The runner to execute the workflow on.
-        required: true
-        type: string
-      arch:
-        description: The arch of the tarball.
-        required: true
-        type: string
-      containerd_version:
-        description: The version of containerd for testing.
-        required: true
-        type: string
-      vmm:
-        description: The kata hypervisor for testing.
-        required: true
-        type: string
-
-jobs:
-  run-cri-containerd:
-    name: run-cri-containerd-${{ inputs.arch }} (${{ inputs.containerd_version }}, ${{ inputs.vmm }})
-    strategy:
-      fail-fast: false
-    runs-on: ${{ inputs.runner }}
-    env:
-      CONTAINERD_VERSION: ${{ inputs.containerd_version }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ inputs.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        timeout-minutes: 15
-        run: bash tests/integration/cri-containerd/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball for ${{ inputs.arch }}
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/cri-containerd/gha-run.sh install-kata kata-artifacts
-
-      - name: Run cri-containerd tests for ${{ inputs.arch }}
-        timeout-minutes: 10
-        run: bash tests/integration/cri-containerd/gha-run.sh run
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -1,160 +0,0 @@
-name: CI | Run kubernetes tests on AKS
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-
-
-permissions: {}
-
-jobs:
-  run-k8s-tests:
-    name: run-k8s-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        host_os:
-          - ubuntu
-        vmm:
-          - clh
-          - dragonball
-          - qemu
-          - qemu-runtime-rs
-          - stratovirt
-          - cloud-hypervisor
-        instance-type:
-          - small
-          - normal
-        include:
-          - host_os: cbl-mariner
-            vmm: clh
-            instance-type: small
-            genpolicy-pull-method: oci-distribution
-            auto-generate-policy: yes
-          - host_os: cbl-mariner
-            vmm: clh
-            instance-type: small
-            genpolicy-pull-method: containerd
-            auto-generate-policy: yes
-          - host_os: cbl-mariner
-            vmm: clh
-            instance-type: normal
-            auto-generate-policy: yes
-    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
-      id-token: write # Used for OIDC access to log into Azure
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HOST_OS: ${{ matrix.host_os }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }}
-      GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }}
-      AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
-
-      - name: Download Azure CLI
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Log into the Azure account
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Create AKS cluster
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
-        with:
-          timeout_minutes: 15
-          max_attempts: 20
-          retry_on: error
-          retry_wait_seconds: 10
-          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Install `kubectl`
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Download credentials for the Kubernetes CLI to use them
-        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
-
-      - name: Run tests
-        timeout-minutes: 60
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Refresh OIDC token in case access token expired
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Delete AKS cluster
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -1,130 +0,0 @@
-name: CI | Run kubernetes tests on amd64
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-k8s-tests-amd64:
-    name: run-k8s-tests-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        container_runtime:
-          - containerd
-        snapshotter:
-          - devmapper
-        k8s:
-          - k3s
-        include:
-          - vmm: qemu
-            container_runtime: crio
-            snapshotter: ""
-            k8s: k0s
-    runs-on: ubuntu-22.04
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      KUBERNETES_EXTRA_PARAMS: ${{ matrix.container_runtime != 'crio' && '' || '--cri-socket remote:unix:///var/run/crio/crio.sock --kubelet-extra-args --cgroup-driver="systemd"' }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
-      K8S_TEST_HOST_TYPE: all
-      CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Configure CRI-O
-        if: matrix.container_runtime == 'crio'
-        run: bash tests/integration/kubernetes/gha-run.sh setup-crio
-
-      - name: Deploy ${{ matrix.k8s }}
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-        env:
-          CONTAINER_RUNTIME: ${{ matrix.container_runtime }}
-
-      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        if: matrix.snapshotter != ''
-        run: bash tests/integration/kubernetes/gha-run.sh configure-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Run tests
-        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Collect artifacts ${{ matrix.vmm }}
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
-        continue-on-error: true
-
-      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.snapshotter }}-${{ matrix.k8s }}-${{ inputs.tag }}
-          path: /tmp/artifacts
-          retention-days: 1
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -1,87 +0,0 @@
-name: CI | Run kubernetes tests on arm64
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-k8s-tests-on-arm64:
-    name: run-k8s-tests-on-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        k8s:
-          - kubeadm
-    runs-on: arm64-k8s
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
-      K8S_TEST_HOST_TYPE: all
-      TARGET_ARCH: "aarch64"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Run tests
-        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Collect artifacts ${{ matrix.vmm }}
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
-        continue-on-error: true
-
-      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
-          path: /tmp/artifacts
-          retention-days: 1
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+++ b/.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
@@ -1,90 +0,0 @@
-name: CI | Run NVIDIA GPU kubernetes tests on arm64
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      NGC_API_KEY:
-        required: true
-
-permissions: {}
-
-jobs:
-  run-nvidia-gpu-tests-on-amd64:
-    name: run-nvidia-gpu-tests-on-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-nvidia-gpu
-        k8s:
-          - kubeadm
-    runs-on: amd64-nvidia-a100
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
-      K8S_TEST_HOST_TYPE: all
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Run tests
-        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-nv-tests
-        env:
-          NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-      - name: Collect artifacts ${{ matrix.vmm }}
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
-        continue-on-error: true
-
-      - name: Archive artifacts ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
-          path: /tmp/artifacts
-          retention-days: 1
-
-      - name: Delete kata-deploy
-        if: always()
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -1,81 +0,0 @@
-name: CI | Run kubernetes tests on Power(ppc64le)
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-k8s-tests:
-    name: run-k8s-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        k8s:
-          - kubeadm
-    runs-on: k8s-ppc64le
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
-      TARGET_ARCH: "ppc64le"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install golang
-        run: |
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
-
-      - name: Prepare the runner for k8s cluster creation
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
-
-      - name: Create k8s cluster using kubeadm
-        run: bash "${HOME}/scripts/k8s_cluster_create.sh"
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm
-
-      - name: Run tests
-        timeout-minutes: 30
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete cluster and post cleanup actions
-        run: bash "${HOME}/scripts/k8s_cluster_cleanup.sh"
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -1,146 +0,0 @@
-name: CI | Run kubernetes tests on IBM Cloud Z virtual server instance (zVSI)
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  run-k8s-tests:
-    name: run-k8s-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        snapshotter:
-          - overlayfs
-          - devmapper
-          - nydus
-        vmm:
-          - qemu
-          - qemu-runtime-rs
-          - qemu-coco-dev
-        k8s:
-          - kubeadm
-        include:
-          - snapshotter: devmapper
-            pull-type: default
-            using-nfd: true
-            deploy-cmd: configure-snapshotter
-          - snapshotter: nydus
-            pull-type: guest-pull
-            using-nfd: false
-            deploy-cmd: deploy-snapshotter
-        exclude:
-          - snapshotter: overlayfs
-            vmm: qemu
-          - snapshotter: overlayfs
-            vmm: qemu-coco-dev
-          - snapshotter: devmapper
-            vmm: qemu-runtime-rs
-          - snapshotter: devmapper
-            vmm: qemu-coco-dev
-          - snapshotter: nydus
-            vmm: qemu
-          - snapshotter: nydus
-            vmm: qemu-runtime-rs
-    runs-on: s390x-large
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HOST_OS: "ubuntu"
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      PULL_TYPE: ${{ matrix.pull-type }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: ${{ matrix.using-nfd }}
-      TARGET_ARCH: "s390x"
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Set SNAPSHOTTER to empty if overlayfs
-        run: echo "SNAPSHOTTER=" >> "$GITHUB_ENV"
-        if: ${{ matrix.snapshotter == 'overlayfs' }}
-
-      - name: Set KBS and KBS_INGRESS if qemu-coco-dev
-        run: |
-          echo "KBS=true" >> "$GITHUB_ENV"
-          echo "KBS_INGRESS=nodeport" >> "$GITHUB_ENV"
-        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
-
-      # qemu-runtime-rs only works with overlayfs
-      # See: https://github.com/kata-containers/kata-containers/issues/10066
-      - name: Configure the ${{ matrix.snapshotter }} snapshotter
-        env:
-          DEPLOY_CMD: ${{ matrix.deploy-cmd }}
-        run: bash tests/integration/kubernetes/gha-run.sh "${DEPLOY_CMD}"
-        if: ${{ matrix.snapshotter != 'overlayfs' }}
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-zvsi
-
-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
-        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-        if: ${{ matrix.vmm == 'qemu-coco-dev' }}
-
-      - name: Run tests
-        timeout-minutes: 60
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-zvsi
-
-      - name: Delete CoCo KBS
-        if: always()
-        run: |
-          if [ "${KBS}" == "true" ]; then
-            bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-          fi
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -1,152 +0,0 @@
-name: CI | Run Kata CoCo k8s Stability Tests
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-      tarball-suffix:
-        required: false
-        type: string
-    secrets:
-
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-      AUTHENTICATED_IMAGE_PASSWORD:
-        required: true
-
-permissions: {}
-
-jobs:
-  # Generate jobs for testing CoCo on non-TEE environments
-  run-stability-k8s-tests-coco-nontee:
-    name: run-stability-k8s-tests-coco-nontee
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-coco-dev
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-    runs-on: ubuntu-22.04
-    permissions:
-
-      id-token: write # Used for OIDC access to log into Azure
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      # Some tests rely on that variable to run (or not)
-      KBS: "true"
-      # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: "aks"
-      KUBERNETES: "vanilla"
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USING_NFD: "false"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
-
-      - name: Log into the Azure account
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Create AKS cluster
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
-        with:
-          timeout_minutes: 15
-          max_attempts: 20
-          retry_on: error
-          retry_wait_seconds: 10
-          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Install `kubectl`
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Download credentials for the Kubernetes CLI to use them
-        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
-
-      - name: Deploy Snapshotter
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Run stability tests
-        timeout-minutes: 300
-        run: bash tests/stability/gha-stability-run.sh run-tests
-
-      - name: Refresh OIDC token in case access token expired
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Delete AKS cluster
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -1,345 +0,0 @@
-name: CI | Run kata coco tests
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD:
-        required: true
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-      ITA_KEY:
-        required: true
-
-permissions: {}
-
-jobs:
-  run-k8s-tests-on-tee:
-    name: run-k8s-tests-on-tee
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: tdx
-            vmm: qemu-tdx
-          - runner: sev-snp
-            vmm: qemu-snp
-    runs-on: ${{ matrix.runner }}
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-      KBS: "true"
-      K8S_TEST_HOST_TYPE: "baremetal"
-      KBS_INGRESS: "nodeport"
-      SNAPSHOTTER: "nydus"
-      PULL_TYPE: "guest-pull"
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      GH_ITA_KEY: ${{ secrets.ITA_KEY }}
-      AUTO_GENERATE_POLICY: "yes"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Uninstall previous `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-        env:
-          ITA_KEY: ${{ env.KATA_HYPERVISOR == 'qemu-tdx' && env.GH_ITA_KEY || '' }}
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 100
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Delete kata-deploy
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup
-
-      - name: Delete CoCo KBS
-        if: always()
-        run: |
-          [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && echo "ITA_KEY=${GH_ITA_KEY}" >> "${GITHUB_ENV}"
-          bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
-
-      - name: Delete CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
-
-  # Generate jobs for testing CoCo on non-TEE environments
-  run-k8s-tests-coco-nontee:
-    name: run-k8s-tests-coco-nontee
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-coco-dev
-        snapshotter:
-          - nydus
-        pull-type:
-          - guest-pull
-        include:
-          - pull-type: experimental-force-guest-pull
-            snapshotter: ""
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write # Used for OIDC access to log into Azure
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      # Some tests rely on that variable to run (or not)
-      KBS: "true"
-      # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: "aks"
-      KUBERNETES: "vanilla"
-      PULL_TYPE: ${{ matrix.pull-type }}
-      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      # Caution: current ingress controller used to expose the KBS service
-      # requires much vCPUs, lefting only a few for the tests. Depending on the
-      # host type chose it will result on the creation of a cluster with
-      # insufficient resources.
-      K8S_TEST_HOST_TYPE: "all"
-      USING_NFD: "false"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-artifacts
-
-      - name: Log into the Azure account
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Create AKS cluster
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
-        with:
-          timeout_minutes: 15
-          max_attempts: 20
-          retry_on: error
-          retry_wait_seconds: 10
-          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Install `kubectl`
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Download credentials for the Kubernetes CLI to use them
-        run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks
-        env:
-          EXPERIMENTAL_FORCE_GUEST_PULL: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && env.KATA_HYPERVISOR || '' }}
-          USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: ${{ env.SNAPSHOTTER == 'nydus' }}
-          AUTO_GENERATE_POLICY: ${{ env.PULL_TYPE == 'experimental-force-guest-pull' && 'no' || 'yes' }}
-
-      - name: Deploy CoCo KBS
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
-
-      - name: Install `kbs-client`
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 80
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
-
-      - name: Refresh OIDC token in case access token expired
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Delete AKS cluster
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh delete-cluster
-
-  # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
-  run-k8s-tests-coco-nontee-with-erofs-snapshotter:
-    name: run-k8s-tests-coco-nontee-with-erofs-snapshotter
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu-coco-dev
-        snapshotter:
-          - erofs
-        pull-type:
-          - default
-    runs-on: ubuntu-24.04
-    environment: ci
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      # Some tests rely on that variable to run (or not)
-      KBS: "false"
-      # Set the KBS ingress handler (empty string disables handling)
-      KBS_INGRESS: ""
-      KUBERNETES: "vanilla"
-      CONTAINER_ENGINE: "containerd"
-      CONTAINER_ENGINE_VERSION: "v2.2"
-      PULL_TYPE: ${{ matrix.pull-type }}
-      SNAPSHOTTER: ${{ matrix.snapshotter }}
-      USE_EXPERIMENTAL_SETUP_SNAPSHOTTER: "true"
-      K8S_TEST_HOST_TYPE: "all"
-      USING_NFD: "false"
-      # We are skipping the auto generated policy tests for now,
-      # but those should be enabled as soon as we work on that.
-      AUTO_GENERATE_POLICY: "no"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Deploy kubernetes
-        timeout-minutes: 15
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-k8s
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: Install `bats`
-        run: bash tests/integration/kubernetes/gha-run.sh install-bats
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
-
-      - name: Deploy CSI driver
-        timeout-minutes: 5
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
-
-      - name: Run tests
-        timeout-minutes: 80
-        run: bash tests/integration/kubernetes/gha-run.sh run-tests
-
-      - name: Report tests
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh report-tests
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -1,115 +0,0 @@
-name: CI | Run kata-deploy tests on AKS
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-    secrets:
-      AZ_APPID:
-        required: true
-      AZ_TENANT_ID:
-       required: true
-      AZ_SUBSCRIPTION_ID:
-        required: true
-
-permissions: {}
-
-jobs:
-  run-kata-deploy-tests:
-    name: run-kata-deploy-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        host_os:
-          - ubuntu
-        vmm:
-          - clh
-          - dragonball
-          - qemu
-          - qemu-runtime-rs
-        include:
-          - host_os: cbl-mariner
-            vmm: clh
-    runs-on: ubuntu-22.04
-    environment: ci
-    permissions:
-      id-token: write # Used for OIDC access to log into Azure
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HOST_OS: ${{ matrix.host_os }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: "vanilla"
-      USING_NFD: "false"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Log into the Azure account
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Create AKS cluster
-        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
-        with:
-          timeout_minutes: 15
-          max_attempts: 20
-          retry_on: error
-          retry_wait_seconds: 10
-          command: bash tests/integration/kubernetes/gha-run.sh create-cluster
-
-      - name: Install `bats`
-        run: bash tests/functional/kata-deploy/gha-run.sh install-bats
-
-      - name: Install `kubectl`
-        uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
-        with:
-          version: 'latest'
-
-      - name: Download credentials for the Kubernetes CLI to use them
-        run: bash tests/functional/kata-deploy/gha-run.sh get-cluster-credentials
-
-      - name: Run tests
-        run: bash tests/functional/kata-deploy/gha-run.sh run-tests
-
-      - name: Refresh OIDC token in case access token expired
-        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
-        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-      - name: Delete AKS cluster
-        if: always()
-        run: bash tests/functional/kata-deploy/gha-run.sh delete-cluster
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -1,88 +0,0 @@
-name: CI | Run kata-deploy tests
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-kata-deploy-tests:
-    name: run-kata-deploy-tests
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        k8s:
-          - k0s
-          - k3s
-          - rke2
-          - microk8s
-    runs-on: ubuntu-22.04
-    env:
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      KUBERNETES: ${{ matrix.k8s }}
-      USING_NFD: "false"
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Remove unnecessary directories to free up space
-        run: |
-          sudo rm -rf /usr/local/.ghcup
-          sudo rm -rf /opt/hostedtoolcache/CodeQL
-          sudo rm -rf /usr/local/lib/android
-          sudo rm -rf /usr/share/dotnet
-          sudo rm -rf /opt/ghc
-          sudo rm -rf /usr/local/share/boost
-          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
-          sudo rm -rf /usr/lib/jvm
-          sudo rm -rf /usr/share/swift
-          sudo rm -rf /usr/local/share/powershell
-          sudo rm -rf /usr/local/julia*
-          sudo rm -rf /opt/az
-          sudo rm -rf /usr/local/share/chromium
-          sudo rm -rf /opt/microsoft
-          sudo rm -rf /opt/google
-          sudo rm -rf /usr/lib/firefox
-
-      - name: Deploy ${{ matrix.k8s }}
-        run:  bash tests/functional/kata-deploy/gha-run.sh deploy-k8s
-
-      - name: Install `bats`
-        run: bash tests/functional/kata-deploy/gha-run.sh install-bats
-
-      - name: Run tests
-        run: bash tests/functional/kata-deploy/gha-run.sh run-tests
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -1,70 +0,0 @@
-name: CI | Run kata-monitor tests
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-monitor:
-    name: run-monitor
-    strategy:
-      fail-fast: false
-      matrix:
-        vmm:
-          - qemu
-        container_engine:
-          - crio
-          - containerd
-        # TODO: enable when https://github.com/kata-containers/kata-containers/issues/9853 is fixed
-        #include:
-        #  - container_engine: containerd
-        #    containerd_version: lts
-        exclude:
-          # TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed
-          - container_engine: containerd
-            vmm: qemu
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINER_ENGINE: ${{ matrix.container_engine }}
-      #CONTAINERD_VERSION: ${{ matrix.containerd_version }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/functional/kata-monitor/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/functional/kata-monitor/gha-run.sh install-kata kata-artifacts
-
-      - name: Run kata-monitor tests
-        run: bash tests/functional/kata-monitor/gha-run.sh run
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -1,129 +0,0 @@
-name: CI | Run test metrics
-on:
-  workflow_call:
-    inputs:
-      registry:
-        required: true
-        type: string
-      repo:
-        required: true
-        type: string
-      tag:
-        required: true
-        type: string
-      pr-number:
-        required: true
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-metrics:
-    name: run-metrics
-    strategy:
-      # We can set this to true whenever we're 100% sure that
-      # the all the tests are not flaky, otherwise we'll fail
-      # all the tests due to a single flaky instance.
-      fail-fast: false
-      matrix:
-        vmm: ['clh', 'qemu']
-      max-parallel: 1
-    runs-on: metrics
-    env:
-      GOPATH: ${{ github.workspace }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
-      DOCKER_REGISTRY: ${{ inputs.registry }}
-      DOCKER_REPO: ${{ inputs.repo }}
-      DOCKER_TAG: ${{ inputs.tag }}
-      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      K8S_TEST_HOST_TYPE: "baremetal"
-      USING_NFD: "false"
-      KUBERNETES: kubeadm
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Deploy Kata
-        timeout-minutes: 10
-        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-kubeadm
-
-      - name: Install check metrics
-        run: bash tests/metrics/gha-run.sh install-checkmetrics
-
-      - name: enabling the hypervisor
-        run: bash tests/metrics/gha-run.sh enabling-hypervisor
-
-      - name: run launch times test
-        timeout-minutes: 15
-        continue-on-error: true
-        run: bash tests/metrics/gha-run.sh run-test-launchtimes
-
-      - name: run memory foot print test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-memory-usage
-
-      - name: run memory usage inside container test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-memory-usage-inside-container
-
-      - name: run blogbench test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-blogbench
-
-      - name: run tensorflow test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-tensorflow
-
-      - name: run fio test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-fio
-
-      - name: run iperf test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-iperf
-
-      - name: run latency test
-        timeout-minutes: 15
-        continue-on-error: true
-        run:  bash tests/metrics/gha-run.sh run-test-latency
-
-      - name: check metrics
-        run:  bash tests/metrics/gha-run.sh check-metrics
-
-      - name: make metrics tarball ${{ matrix.vmm }}
-        run: bash tests/metrics/gha-run.sh make-tarball-results
-
-      - name: archive metrics results ${{ matrix.vmm }}
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: metrics-artifacts-${{ matrix.vmm }}
-          path: results-${{ matrix.vmm }}.tar.gz
-          retention-days: 1
-          if-no-files-found: error
-
-      - name: Delete kata-deploy
-        timeout-minutes: 10
-        if: always()
-        run: bash tests/integration/kubernetes/gha-run.sh cleanup-kubeadm
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -1,54 +0,0 @@
-name: CI | Run runk tests
-on:
-  workflow_call:
-    inputs:
-      tarball-suffix:
-        required: false
-        type: string
-      commit-hash:
-        required: false
-        type: string
-      target-branch:
-        required: false
-        type: string
-        default: ""
-
-permissions: {}
-
-jobs:
-  run-runk:
-    name: run-runk
-    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
-    if: false
-    runs-on: ubuntu-22.04
-    env:
-      CONTAINERD_VERSION: lts
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Install dependencies
-        run: bash tests/integration/runk/gha-run.sh install-dependencies
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-      - name: get-kata-tarball
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          name: kata-static-tarball-amd64${{ inputs.tarball-suffix }}
-          path: kata-artifacts
-
-      - name: Install kata
-        run: bash tests/integration/runk/gha-run.sh install-kata kata-artifacts
-
-      - name: Run runk tests
-        run: bash tests/integration/runk/gha-run.sh run
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -1,60 +0,0 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
-on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  push:
-    branches: [ "main" ]
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  analysis:
-    name: Scorecard analysis
-    runs-on: ubuntu-latest
-    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
-    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
-    permissions:
-      # Needed to upload the results to code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-
-    steps:
-      - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
-        with:
-          results_file: results.sarif
-          results_format: sarif
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          publish_results: true
-
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
-
-      # Upload the results to GitHub's code scanning dashboard (optional).
-      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: results.sarif
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -1,32 +0,0 @@
-# https://github.com/marketplace/actions/shellcheck
-name: Check shell scripts
-
-on:
-  workflow_dispatch:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  shellcheck:
-    name: shellcheck
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
-        with:
-          ignore_paths: "**/vendor/**"
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -1,35 +0,0 @@
-
-# https://github.com/marketplace/actions/shellcheck
-name: Shellcheck required
-
-on:
-  workflow_dispatch:
-  pull_request:
-    types:
-      - opened
-      - edited
-      - reopened
-      - synchronize
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  shellcheck-required:
-    name: shellcheck-required
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
-        with:
-          severity: error
-          ignore_paths: "**/vendor/**"
--- a/.github/workflows/snap-release.yaml
+++ b/.github/workflows/snap-release.yaml
@@ -0,0 +1,42 @@
+name: Release Kata in snapcraft store
+on:
+  push:
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+*'
+
+jobs:
+  release-snap:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Snapcraft
+        uses: samuelmeuli/action-snapcraft@v1
+        with:
+          snapcraft_token: ${{ secrets.snapcraft_token }}
+
+      - name: Build snap
+        run: |
+          # Removing man-db, workflow kept failing, fixes: #4480
+          sudo apt -y remove --purge man-db
+          sudo apt-get install -y git git-extras
+          kata_url="https://github.com/kata-containers/kata-containers"
+          latest_version=$(git ls-remote --tags ${kata_url}  | egrep -o "refs.*" | egrep -v "\-alpha|\-rc|{}" | egrep -o "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+" | sort -V -r | head -1)
+          current_version="$(echo ${GITHUB_REF} | cut -d/ -f3)"
+          # Check semantic versioning format (x.y.z) and if the current tag is the latest tag
+          if echo "${current_version}" | grep -q "^[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+$" && echo -e "$latest_version\n$current_version" | sort -C -V; then
+            # Current version is the latest version, build it
+            snapcraft snap --debug --destructive-mode
+          fi
+
+      - name: Upload snap
+        run: |
+          snap_version="$(echo ${GITHUB_REF} | cut -d/ -f3)"
+          snap_file="kata-containers_${snap_version}_amd64.snap"
+          # Upload the snap if it exists
+          if [ -f ${snap_file} ]; then
+            snapcraft upload --release=stable ${snap_file}
+          fi
--- a/.github/workflows/snap.yaml
+++ b/.github/workflows/snap.yaml
@@ -0,0 +1,27 @@
+name: snap CI
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - edited
+
+jobs:
+  test:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Snapcraft
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        uses: samuelmeuli/action-snapcraft@v1
+
+      - name: Build snap
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          snapcraft snap --debug --destructive-mode
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -1,20 +0,0 @@
-name: 'Automatically close stale PRs'
-on:
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
-
-permissions: {}
-
-jobs:
-  stale:
-    name: stale
-    runs-on: ubuntu-22.04
-    steps:
-      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
-        with:
-          stale-pr-message: 'This PR has been opened without with no activity for 180 days. Comment on the issue otherwise it will be closed in 7 days'
-          days-before-pr-stale: 180
-          days-before-pr-close: 7
-          days-before-issue-stale: -1
-          days-before-issue-close: -1
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@@ -1,48 +0,0 @@
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled # a workflow runs only when the 'ok-to-test' label is added
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-name: Static checks self-hosted
-jobs:
-  skipper:
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
-    uses: ./.github/workflows/gatekeeper-skipper.yaml
-    with:
-      commit-hash: ${{ github.event.pull_request.head.sha }}
-      target-branch: ${{ github.event.pull_request.base.ref }}
-
-  build-checks:
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        instance:
-          - "ubuntu-22.04-arm"
-          - "ubuntu-24.04-s390x"
-          - "ubuntu-24.04-ppc64le"
-    uses: ./.github/workflows/build-checks.yaml
-    with:
-      instance: ${{ matrix.instance }}
-
-  build-checks-preview:
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        instance:
-          - "riscv-builder"
-    uses: ./.github/workflows/build-checks-preview-riscv64.yaml
-    with:
-      instance: ${{ matrix.instance }}
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -5,188 +5,356 @@ on:
      - edited
      - reopened
      - synchronize
-  workflow_dispatch:
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 name: Static checks
 jobs:
-  skipper:
-    uses: ./.github/workflows/gatekeeper-skipper.yaml
-    with:
-      commit-hash: ${{ github.event.pull_request.head.sha }}
-      target-branch: ${{ github.event.pull_request.base.ref }}
-
-  check-kernel-config-version:
-    name: check-kernel-config-version
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Ensure the kernel config version has been updated
-        run: |
-          kernel_dir="tools/packaging/kernel/"
-          kernel_version_file="${kernel_dir}kata_config_version"
-          modified_files=$(git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD)
-          if git diff --name-only origin/"$GITHUB_BASE_REF"..HEAD "${kernel_dir}" | grep "${kernel_dir}"; then
-            echo "Kernel directory has changed, checking if $kernel_version_file has been updated"
-            if echo "$modified_files" | grep -v "README.md" | grep "${kernel_dir}" >>"/dev/null"; then
-              echo "$modified_files" | grep "$kernel_version_file" >>/dev/null || ( echo "Please bump version in $kernel_version_file" && exit 1)
-            else
-              echo "Readme file changed, no need for kernel config version update."
-            fi
-            echo "Check passed"
-          fi
-
-  build-checks:
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    uses: ./.github/workflows/build-checks.yaml
-    with:
-      instance: ubuntu-22.04
-
-  build-checks-depending-on-kvm:
-    name: build-checks-depending-on-kvm
-    runs-on: ubuntu-22.04
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
+  check-vendored-code:
    strategy:
-      fail-fast: false
      matrix:
-        component:
-          - runtime-rs
-        include:
-          - component: runtime-rs
-            command: "sudo -E env PATH=$PATH LIBC=gnu SUPPORT_VIRTUALIZATION=true make test"
-          - component: runtime-rs
-            component-path: src/dragonball
+        go-version: [1.16.x, 1.17.x]
+        os: [ubuntu-20.04]
+    runs-on: ${{ matrix.os }}
+    env:
+      TRAVIS: "true"
+      TRAVIS_BRANCH: ${{ github.base_ref }}
+      TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
+      TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
+      RUST_BACKTRACE: "1"
+      target_branch: ${{ github.base_ref }}
    steps:
-      - name: Checkout the code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Install system deps
-        run: |
-          sudo apt-get update && sudo apt-get install -y build-essential musl-tools
-      - name: Install yq
-        run: |
-          sudo -E ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-      - name: Install rust
-        run: |
-          export PATH="$PATH:/usr/local/bin"
-          ./tests/install_rust.sh
-      - name: Running `${{ matrix.command }}` for ${{ matrix.component }}
-        run: |
-          export PATH="$PATH:${HOME}/.cargo/bin"
-          cd "${COMPONENT_PATH}"
-          eval "${COMMAND}"
-        env:
-          COMMAND: ${{ matrix.command }}
-          COMPONENT_PATH: ${{ matrix.component-path }}
-          RUST_BACKTRACE: "1"
-          RUST_LIB_BACKTRACE: "0"
+    - name: Install Go
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Setup GOPATH
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
+        echo "TRAVIS: ${TRAVIS}"
+    - name: Set env
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+    - name: Checkout code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup travis references
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
+        target_branch=${TRAVIS_BRANCH}
+    - name: Setup
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    # Check whether the vendored code is up-to-date & working as the first thing
+    - name: Check vendored code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make vendor

  static-checks:
-    name: static-checks
-    runs-on: ubuntu-22.04
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
    strategy:
-      fail-fast: false
      matrix:
-        cmd:
-          - "make static-checks"
+        go-version: [1.16.x, 1.17.x]
+        os: [ubuntu-20.04]
+    runs-on: ${{ matrix.os }}
    env:
-      GOPATH: ${{ github.workspace }}
-    permissions:
-      contents: read  # for checkout
-      packages: write # for push to ghcr.io
+      TRAVIS: "true"
+      TRAVIS_BRANCH: ${{ github.base_ref }}
+      TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
+      TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
+      RUST_BACKTRACE: "1"
+      target_branch: ${{ github.base_ref }}
    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-          path: ./src/github.com/${{ github.repository }}
-      - name: Install yq
-        run: |
-          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          ./ci/install_yq.sh
-        env:
-          INSTALL_IN_GOPATH: false
-      - name: Install golang
-        run: |
-          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          ./tests/install_go.sh -f -p
-          echo "/usr/local/go/bin" >> "$GITHUB_PATH"
-      - name: Install system dependencies
-        run: |
-          sudo apt-get update && sudo apt-get -y install moreutils hunspell hunspell-en-gb hunspell-en-us pandoc
-      - name: Install open-policy-agent
-        run: |
-          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}"
-          ./tests/install_opa.sh
-      - name: Install regorus
-        env:
-          ARTEFACT_REPOSITORY: "${{ github.repository }}"
-          ARTEFACT_REGISTRY_USERNAME: "${{ github.actor }}"
-          ARTEFACT_REGISTRY_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}/tests/install_regorus.sh"
-      - name: Run check
-        env:
-          CMD: ${{ matrix.cmd }}
-        run: |
-          export PATH="${PATH}:${GOPATH}/bin"
-          cd "${GOPATH}/src/github.com/${GITHUB_REPOSITORY}" && ${CMD}
+    - name: Install Go
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Setup GOPATH
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
+        echo "TRAVIS: ${TRAVIS}"
+    - name: Set env
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+    - name: Checkout code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup travis references
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
+        target_branch=${TRAVIS_BRANCH}
+    - name: Setup
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Installing rust
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
+        PATH=$PATH:"$HOME/.cargo/bin"
+        rustup target add x86_64-unknown-linux-musl
+        rustup component add rustfmt clippy
+    - name: Setup seccomp
+      run: |
+        libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
+        gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
+        echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
+        echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
+        echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
+    - name: Static Checks
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make static-checks

-  govulncheck:
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    uses: ./.github/workflows/govulncheck.yaml
-
-  codegen:
-    name: codegen
-    runs-on: ubuntu-22.04
-    needs: skipper
-    if: ${{ needs.skipper.outputs.skip_static != 'yes' }}
-    permissions:
-      contents: read  # for checkout
+  compiler-checks:
+    strategy:
+      matrix:
+        go-version: [1.16.x, 1.17.x]
+        os: [ubuntu-20.04]
+    runs-on: ${{ matrix.os }}
+    env:
+      TRAVIS: "true"
+      TRAVIS_BRANCH: ${{ github.base_ref }}
+      TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
+      TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
+      RUST_BACKTRACE: "1"
+      target_branch: ${{ github.base_ref }}
    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-      - name: generate
-        run: make -C src/agent generate-protocols
-      - name: check for diff
+    - name: Install Go
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ matrix.go-version }}
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Setup GOPATH
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
+        echo "TRAVIS: ${TRAVIS}"
+    - name: Set env
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+    - name: Checkout code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup travis references
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
+        target_branch=${TRAVIS_BRANCH}
+    - name: Setup
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Installing rust
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
+        PATH=$PATH:"$HOME/.cargo/bin"
+        rustup target add x86_64-unknown-linux-musl
+        rustup component add rustfmt clippy
+    - name: Setup seccomp
+      run: |
+        libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
+        gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
+        echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
+        echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
+        echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
+    - name: Run Compiler Checks
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make check
+
+  unit-tests:
+    runs-on: ubuntu-20.04
+    env:
+      TRAVIS: "true"
+      TRAVIS_BRANCH: ${{ github.base_ref }}
+      TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
+      TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
+      RUST_BACKTRACE: "1"
+      target_branch: ${{ github.base_ref }}
+    steps:
+    - name: Install Go
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.17.x
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Setup GOPATH
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
+        echo "TRAVIS: ${TRAVIS}"
+    - name: Set env
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+    - name: Checkout code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup travis references
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
+        target_branch=${TRAVIS_BRANCH}
+    - name: Setup
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Installing rust
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
+        PATH=$PATH:"$HOME/.cargo/bin"
+        rustup target add x86_64-unknown-linux-musl
+        rustup component add rustfmt clippy
+    - name: Setup seccomp
+      run: |
+        libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
+        gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
+        echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
+        echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
+        echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
+    - name: Run Unit Tests
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && make test
+
+  unit-tests-as-root:
+    runs-on: ubuntu-20.04
+    env:
+      TRAVIS: "true"
+      TRAVIS_BRANCH: ${{ github.base_ref }}
+      TRAVIS_PULL_REQUEST_BRANCH: ${{ github.head_ref }}
+      TRAVIS_PULL_REQUEST_SHA : ${{ github.event.pull_request.head.sha }}
+      RUST_BACKTRACE: "1"
+      target_branch: ${{ github.base_ref }}
+    steps:
+    - name: Install Go
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.17.x 
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Setup GOPATH
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH: ${TRAVIS_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_BRANCH: ${TRAVIS_PULL_REQUEST_BRANCH}"
+        echo "TRAVIS_PULL_REQUEST_SHA: ${TRAVIS_PULL_REQUEST_SHA}"
+        echo "TRAVIS: ${TRAVIS}"
+    - name: Set env
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+        echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
+    - name: Checkout code
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+        path: ./src/github.com/${{ github.repository }}
+    - name: Setup travis references
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        echo "TRAVIS_BRANCH=${TRAVIS_BRANCH:-$(echo $GITHUB_REF | awk 'BEGIN { FS = \"/\" } ; { print $3 }')}"
+        target_branch=${TRAVIS_BRANCH}
+    - name: Setup
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/setup.sh
+      env:
+        GOPATH: ${{ runner.workspace }}/kata-containers
+    - name: Installing rust
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_rust.sh
+        PATH=$PATH:"$HOME/.cargo/bin"
+        rustup target add x86_64-unknown-linux-musl
+        rustup component add rustfmt clippy
+    - name: Setup seccomp
+      run: |
+        libseccomp_install_dir=$(mktemp -d -t libseccomp.XXXXXXXXXX)
+        gperf_install_dir=$(mktemp -d -t gperf.XXXXXXXXXX)
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && ./ci/install_libseccomp.sh "${libseccomp_install_dir}" "${gperf_install_dir}"
+        echo "Set environment variables for the libseccomp crate to link the libseccomp library statically"
+        echo "LIBSECCOMP_LINK_TYPE=static" >> $GITHUB_ENV
+        echo "LIBSECCOMP_LIB_PATH=${libseccomp_install_dir}/lib" >> $GITHUB_ENV
+    - name: Run Unit Tests As Root User
+      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+      run: |
+        cd ${GOPATH}/src/github.com/${{ github.repository }} && sudo -E PATH="$PATH" make test
+
+  test-dragonball:
+    runs-on: self-hosted
+    env:
+      RUST_BACKTRACE: "1"
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set env
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
        run: |
-          diff=$(git diff)
-          if [[ -z "${diff}" ]]; then
-            echo "No diff detected."
-            exit 0
-          fi
-
-          cat << EOF >> "${GITHUB_STEP_SUMMARY}"
-          Run \`make -C src/agent generate-protocols\` to update protobuf bindings.
-
-          \`\`\`diff
-          ${diff}
-          \`\`\`
-          EOF
-
-          echo "::error::Golang protobuf bindings need to be regenerated (see Github step summary for diff)."
-          exit 1
+          echo "GOPATH=${{ github.workspace }}" >> $GITHUB_ENV
+      - name: Install Rust
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          ./ci/install_rust.sh
+          PATH=$PATH:"$HOME/.cargo/bin"
+      - name: Run Unit Test
+        if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
+        run: |
+          cd src/dragonball
+          /root/.cargo/bin/cargo version
+          rustc --version
+          sudo -E env PATH=$PATH LIBC=gnu SUPPORT_VIRTUALIZATION=true make test
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -1,29 +0,0 @@
-name: GHA security analysis
-
-on:
-  pull_request:
-
-permissions: {}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  zizmor:
-    name: zizmor
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Run zizmor
-        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
-        with:
-          advanced-security: false
-          annotations: true
-          persona: auditor
-          version: v1.13.0
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,3 +0,0 @@
-rules:
-  undocumented-permissions:
-    disable: true
--- a/.gitignore
+++ b/.gitignore
@@ -4,10 +4,6 @@
 **/*.rej
 **/target
 **/.vscode
-**/.idea
-**/.fleet
-**/*.swp
-**/*.swo
 pkg/logging/Cargo.lock
 src/agent/src/version.rs
 src/agent/kata-agent.service
@@ -15,6 +11,4 @@ src/agent/protocols/src/*.rs
 !src/agent/protocols/src/lib.rs
 build
 src/tools/log-parser/kata-log-parser
-tools/packaging/static-build/agent/install_libseccomp.sh
-.envrc
-.direnv
+
--- a/83
+++ b/83
@@ -1,4 +1,4 @@
-# Copyright (c) 2019-2023 Intel Corporation
+# Copyright (c) 2019 Intel Corporation
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -9,83 +9,4 @@
 # Order in this file is important. Only the last match will be
 # used. See https://help.github.com/articles/about-code-owners/

-/CODEOWNERS			@kata-containers/codeowners
-
-VERSION				@kata-containers/release
-
-# The versions database needs careful handling
-versions.yaml			@kata-containers/release @kata-containers/ci @kata-containers/tests
-
-Makefile*			@kata-containers/build
-*.mak				@kata-containers/build
-*.mk				@kata-containers/build
-
-# Documentation related files could also appear anywhere
-# else in the repo.
-*.md				@kata-containers/documentation
-*.drawio			@kata-containers/documentation
-*.jpg				@kata-containers/documentation
-*.png				@kata-containers/documentation
-*.svg				@kata-containers/documentation
-
-*.bash				@kata-containers/shell
-*.sh				@kata-containers/shell
-**/completions/			@kata-containers/shell
-
-Dockerfile*			@kata-containers/docker
-
-/ci/				@kata-containers/ci
-
-*.bats				@kata-containers/tests
-/tests/				@kata-containers/tests
-
-*.rs				@kata-containers/rust
-*.go				@kata-containers/golang
-
-/utils/				@kata-containers/utils
-
-# FIXME: Maybe a new "protocol" team would be better?
-#
-# All protocol changes must be reviewed.
-# Note, we include all subdirs, including the vendor dir, as at present there are no .proto files
-# in the vendor dir. Later we may have to extend this matching rule if that changes.
-/src/libs/protocols/*.proto	@kata-containers/architecture-committee @kata-containers/builder @kata-containers/packaging
-
-# GitHub Actions
-/.github/workflows/		@kata-containers/action-admins @kata-containers/ci
-
-/ci/				@kata-containers/ci @kata-containers/tests
-/docs/				@kata-containers/documentation
-
-/src/agent/			@kata-containers/agent
-
-/src/runtime*/			@kata-containers/runtime
-
-/src/runtime/			@kata-containers/golang
-
-src/runtime-rs/			@kata-containers/rust
-src/libs/			@kata-containers/rust
-
-src/dragonball/			@kata-containers/dragonball
-
-/tools/osbuilder/		@kata-containers/builder
-/tools/packaging/		@kata-containers/packaging
-/tools/packaging/kernel/	@kata-containers/kernel
-/tools/packaging/kata-deploy/	@kata-containers/kata-deploy
-/tools/packaging/qemu/		@kata-containers/qemu
-/tools/packaging/release/	@kata-containers/release
-
-**/vendor/			@kata-containers/vendoring
-
-# Handle arch specific files last so they match more specifically than
-# the kernel packaging files.
-**/*aarch64*			@kata-containers/arch-aarch64
-**/*arm64*			@kata-containers/arch-aarch64
-
-**/*amd64*			@kata-containers/arch-amd64
-**/*x86-64*			@kata-containers/arch-amd64
-**/*x86_64*			@kata-containers/arch-amd64
-
-**/*ppc64*			@kata-containers/arch-ppc64le
-
-**/*s390x*			@kata-containers/arch-s390x
+*.md    @kata-containers/documentation
--- a/21
+++ b/21
@@ -1,4 +1,4 @@
-# Copyright (c) 2020-2023 Intel Corporation
+# Copyright (c) 2020 Intel Corporation
 #
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -21,11 +21,7 @@ TOOLS += log-parser
 TOOLS += runk
 TOOLS += trace-forwarder

-STANDARD_TARGETS = build check clean install static-checks-build test vendor
-
-# Variables for the build-and-publish-kata-debug target
-KATA_DEBUG_REGISTRY ?= ""
-KATA_DEBUG_TAG ?= ""
+STANDARD_TARGETS = build check clean install test vendor

 default: all

@@ -41,19 +37,18 @@ generate-protocols:
 	make -C src/agent generate-protocols

 # Some static checks rely on generated source files of components.
-static-checks: static-checks-build
-	bash tests/static-checks.sh
+static-checks: build
+	bash ci/static-checks.sh

 docs-url-alive-check:
 	bash ci/docs-url-alive-check.sh

-build-and-publish-kata-debug:
-	bash tools/packaging/kata-debug/kata-debug-build-and-upload-payload.sh ${KATA_DEBUG_REGISTRY} ${KATA_DEBUG_TAG} 
-
 .PHONY: \
 	all \
-	kata-tarball \
-	install-tarball \
+	binary-tarball \
 	default \
+	install-binary-tarball \
 	static-checks \
 	docs-url-alive-check
+
+
--- a/README.md
+++ b/README.md
@@ -1,9 +1,4 @@
-foo
-
-<img src="https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/kata/SVG/kata-1.svg" width="900">
-
-[![CI | Publish Kata Containers payload](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/payload-after-push.yaml) [![Kata Containers Nightly CI](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml/badge.svg)](https://github.com/kata-containers/kata-containers/actions/workflows/ci-nightly.yaml)
-[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/kata-containers/kata-containers/badge)](https://scorecard.dev/viewer/?uri=github.com/kata-containers/kata-containers)
+<img src="https://www.openstack.org/assets/kata/kata-vertical-on-white.png" width="150">

 # Kata Containers

@@ -126,7 +121,7 @@ The table below lists the core parts of the project:
 | [agent](src/agent) | core | Management process running inside the virtual machine / POD that sets up the container environment. |
 | [`dragonball`](src/dragonball) | core | An optional built-in VMM brings out-of-the-box Kata Containers experience with optimizations on container workloads |
 | [documentation](docs) | documentation | Documentation common to all components (such as design and install documentation). |
-| [tests](tests) | tests | Excludes unit tests which live with the main code. |
+| [tests](https://github.com/kata-containers/tests) | tests | Excludes unit tests which live with the main code. |

 ### Additional components

@@ -137,28 +132,19 @@ The table below lists the remaining parts of the project:
 | [packaging](tools/packaging) | infrastructure | Scripts and metadata for producing packaged binaries<br/>(components, hypervisors, kernel and rootfs). |
 | [kernel](https://www.kernel.org) | kernel | Linux kernel used by the hypervisor to boot the guest image. Patches are stored [here](tools/packaging/kernel). |
 | [osbuilder](tools/osbuilder) | infrastructure | Tool to create "mini O/S" rootfs and initrd images and kernel for the hypervisor. |
-| [kata-debug](tools/packaging/kata-debug/README.md) | infrastructure | Utility tool to gather Kata Containers debug information from Kubernetes clusters. |
 | [`agent-ctl`](src/tools/agent-ctl) | utility | Tool that provides low-level access for testing the agent. |
 | [`kata-ctl`](src/tools/kata-ctl) | utility | Tool that provides advanced commands and debug facilities. |
 | [`trace-forwarder`](src/tools/trace-forwarder) | utility | Agent tracing helper. |
 | [`runk`](src/tools/runk) | utility | Standard OCI container runtime based on the agent. |
-| [`ci`](.github/workflows) | CI | Continuous Integration configuration files and scripts. |
-| [`ocp-ci`](ci/openshift-ci/README.md) | CI | Continuous Integration configuration for the OpenShift pipelines. |
+| [`ci`](https://github.com/kata-containers/ci) | CI | Continuous Integration configuration files and scripts. |
 | [`katacontainers.io`](https://github.com/kata-containers/www.katacontainers.io) | Source for the [`katacontainers.io`](https://www.katacontainers.io) site. |
-| [`Webhook`](tools/testing/kata-webhook/README.md) | utility | Example of a simple admission controller webhook to annotate pods with the Kata runtime class |

 ### Packaging and releases

 Kata Containers is now
 [available natively for most distributions](docs/install/README.md#packaged-installation-methods).
-
-## General tests
-
-See the [tests documentation](tests/README.md).
-
-## Metrics tests
-
-See the [metrics documentation](tests/metrics/README.md).
+However, packaging scripts and metadata are still used to generate [snap](snap/local) and GitHub releases. See
+the [components](#components) section for further details.

 ## Glossary of Terms

--- a/2
+++ b/2
@@ -1 +1 @@
-3.21.0
+3.1.0-alpha0
--- a/ci/README.md
+++ b/ci/README.md
@@ -1,416 +0,0 @@
-# Kata Containers CI
-
-> [!WARNING]
-> While this project's CI has several areas for improvement, it is constantly
-> evolving. This document attempts to describe its current state, but due to
-> ongoing changes, you may notice some outdated information here. Feel free to
-> modify/improve this document as you use the CI and notice anything odd. The
-> community appreciates it!
-
-## Introduction
-
-The Kata Containers CI relies on [GitHub Actions][gh-actions], where the actions
-themselves can be found in the `.github/workflows` directory, and they may call
-helper scripts, which are located under the `tests` directory, to actually
-perform the tasks required for each test case.
-
-## The different workflows
-
-There are a few different sets of workflows that are running as part of our CI,
-and here we're going to cover the ones that are less likely to get rotten.  With
-this said, it's fair to advise that if the reader finds something that got
-rotten, opening an issue to the project pointing to the problem is a nice way to
-help, and providing a fix for the issue is a very encouraging way to help.
-
-### Jobs that run automatically when a PR is raised
-
-These are a bunch of tests that will automatically run as soon as a PR is
-opened, they're mostly running on "cost free" runners, and they do some
-pre-checks to evaluate that your PR may be okay to start getting reviewed.
-
-Mind, though, that the community expects the contributors to, at least, build
-their code before submitting a PR, which the community sees as a very fair
-request.
-
-Without getting into the weeds with details on this, those jobs are the ones
-responsible for ensuring that:
-
- The commit message is in the expected format
- There's no missing Developer's Certificate of Origin
- Static checks are passing
-
-### Jobs that require a maintainer's approval to run
-
-There are some tests, and our so-called "CI".  These require a
-maintainer's approval to run as parts of those jobs will be running on "paid
-runners", which are currently using Azure infrastructure.
-
-Once a maintainer of the project gives "the green light" (currently by adding an
-`ok-to-test` label to the PR, soon to be changed to commenting "/test" as part
-of a PR review), the following tests will be executed:
-
- Build all the components (runs on free cost runners, or bare-metal depending on the architecture)
- Create a tarball with all the components (runs on free cost runners, or bare-metal depending on the architecture)
- Create a kata-deploy payload with the tarball generated in the previous step (runs on free costs runner, or bare-metal depending on the architecture)
- Run the following tests:
-  - Tests depending on the generated tarball
-    - Metrics (runs on bare-metal)
-    - `docker` (runs on cost free runners)
-    - `nerdctl` (runs on cost free runners)
-    - `kata-monitor` (runs on cost free runners)
-    - `cri-containerd` (runs on cost free runners)
-    - `nydus` (runs on cost free runners)
-    - `vfio` (runs on cost free runners)
-  - Tests depending on the generated kata-deploy payload
-    - kata-deploy (runs on cost free runners)
-      - Tests are performed using different "Kubernetes flavors", such as k0s, k3s, rke2, and Azure Kubernetes Service (AKS).
-    - Kubernetes (runs in Azure small and medium instances depending on what's required by each test, and on TEE bare-metal machines)
-      - Tests are performed with different runtime engines, such as CRI-O and containerd.
-      - Tests are performed with different snapshotters for containerd, namely OverlayFS and devmapper.
-      - Tests are performed with all the supported hypervisors, which are Cloud Hypervisor, Dragonball, Firecracker, and QEMU.
-
-For all the tests relying on Azure instances, real money is being spent, so the
-community asks for the maintainers to be mindful about those, and avoid abusing
-them to merely debug issues.
-
-## The different runners
-
-In the previous section we've mentioned using different runners, now in this section we'll go through each type of runner used.
-
- Cost free runners:  Those are the runners provided by GitHub itself, and
-  those are fairly small machines with virtualization capabilities enabled.
- Azure small instances: Those are runners which have virtualization
-  capabilities enabled, 2 CPUs, and 8GB of RAM.  These runners have a "-smaller"
-  suffix to their name.
- Azure normal instances: Those are runners which have virtualization
-  capabilities enabled, 4 CPUs, and 16GB of RAM.  These runners are usually
-  `garm` ones with no "-smaller" suffix.
- Bare-metal runners: Those are runners provided by community contributors,
-  and they may vary in architecture, size and virtualization capabilities.
-  Builder runners don't actually require any virtualization capabilities, while
-  runners which will be actually performing the tests must have virtualization
-  capabilities and a reasonable amount for CPU and RAM available (at least
-  matching the Azure normal instances).
-
-## Adding new tests
-
-Before someone decides to add a new test, we strongly recommend them to go
-through [GitHub Actions Documentation][gh-actions],
-which will provide you a very sensible background on how to read and understand
-current tests we have, and also become familiar with how to write a new test.
-
-On the Kata Containers land, there are basically two sets of tests: "standalone"
-and "part of something bigger".
-
-The "standalone" tests, for example the commit message check, won't be covered
-here as they're better covered by the GitHub Actions documentation pasted above.
-
-The "part of something bigger" is the more complicated one and not so
-straightforward to add, so we'll be focusing our efforts on describing the
-addition of those.
-
-> [!NOTE]
-> TODO: Currently, this document refers to "tests" when it actually means the
-> jobs (or workflows) of GitHub. In an ideal world, except in some specific cases,
-> new tests should be added without the need to add new workflows. In the
-> not-too-distant future (hopefully), we will improve the workflows to support
-> this.
-
-### Adding a new test that's "part of something bigger"
-
-The first important thing here is to align expectations, and we must say that
-the community strongly prefers receiving tests that already come with:
-
- Instructions how to run them
- A proven run where it's passing
-
-There are several ways to achieve those two requirements, and an example of that
-can be seen in PR #8115.
-
-With the expectations aligned, adding a test consists in:
-
- Adding a new yaml file for your test, and ensure it's called from the
-  "bigger" yaml. See the [Kata Monitor test example][monitor-ex01].
-
- Adding the helper scripts needed for your test to run. Again, use the [Kata Monitor script as example][monitor-ex02].
-
-Following those examples, the community advice during the review, and even
-asking the community directly on Slack are the best ways to get your test
-accepted.
-
-## Required tests
-
-In our CI we have two categories of jobs - required and non-required:
- Required jobs need to all pass for a PR to be merged normally and
-should cover all the core features on Kata Containers that we want to
-ensure don't have regressions.
- The non-required jobs are for unstable tests, or for features that
-are experimental and not-fully supported. We'd like those tests to also
-pass on all PRs ideally, but don't block merging if they don't as it's
-not necessarily an indication of the PR code causing regressions.
-
-### Transitioning between required and non-required status
-
-Required jobs that fail block merging of PRs, so we want to ensure that
-jobs are stable and maintained before we make them required.
-
-The [Kata Containers CI Dashboard](https://kata-containers.github.io/)
-is a useful resource to check when collecting evidence of job stability.
-At time of writing it reports the last ten days of Kata CI nightly test
-results for each job. This isn't perfect as it doesn't currently capture
-results on PRs, but is a good guideline for stability.
-
-> [!NOTE]
-> Below are general guidelines about jobs being marked as
-> required/non-required, but they are subject to change and the Kata
-> Architecture Committee may overrule these guidelines at their
-> discretion.
-
-#### Initial marking as required
-
-For new jobs, or jobs that haven't been marked as required recently,
-the criteria to be initially marked as required is ten days
-of passing tests, with no relevant PR failures reported in that time.
-Required jobs also need one or more nominated maintainers that are
-responsible for the stability of their jobs. Maintainers can be registered
-in [`maintainers.yml`](https://github.com/kata-containers/kata-containers.github.io/blob/main/maintainers.yml)
-and will then show on the CI Dashboard.
-
-To add transparency to making jobs required/non-required and to keep the
-GitHub UI in sync with the [Gatekeeper job](../tools/testing/gatekeeper),
-the process to update a job's required state is as follows:
-1. Create a PR to update `maintainers.yml`, if new maintainers are being
-declared on a CI job.
-1. Create a PR which updates
-[`required-tests.yaml`](../tools/testing/gatekeeper/required-tests.yaml)
-adding the new job and listing the evidence that the job meets the
-requirements above. Ensure that all maintainers and
-@kata-containers/architecture-committee are notified to give them the
-opportunity to review the PR. See
-[#11015](https://github.com/kata-containers/kata-containers/pull/11015)
-as an example.
-1. The maintainers and Architecture Committee get a chance to review the PR.
-It can be discussed in an AC meeting to get broader input.
-1. Once the PR has been merged, a Kata Containers admin should be notified
-to ensure that the GitHub UI is updated to reflect the change in
-`required-tests.yaml`.
-
-#### Expectation of required job maintainers
-
-Due to the nature of the Kata Containers community having contributors
-spread around the world, required jobs being blocked due to infrastructure,
-or test issues can have a big impact on work. As such, the expectation is
-that when a problem with a required job is noticed/reported, the maintainers
-have one working day to acknowledge the issue, perform an initial
-investigation and then either fix it, or get it marked as non-required
-whilst the investigation and/or fix it done.
-
-### Re-marking of required status
-
-Once a job has been removed from the required list, it requires two
-consecutive successful nightly test runs before being made required
-again.
-
-## Running tests
-
-### Running the tests as part of the CI
-
-If you're a maintainer of the project, you'll be able to kick in the tests by
-yourself.  With the current approach, you just need to add the `ok-to-test`
-label and the tests will automatically start.  We're moving, though, to use a
-`/test` command as part of a GitHub review comment, which will simplify this
-process.
-
-If you're not a maintainer, please, send a message on Slack or wait till one of
-the maintainers reviews your PR.  Maintainers will then kick in the tests on
-your behalf.
-
-In case a test fails and there's the suspicion it happens due to flakiness in
-the test itself, please, create an issue for us, and then re-run (or asks
-maintainers to re-run) the tests following these steps:
-
- Locate which tests is failing
- Click in "details"
- In the top right corner, click in "Re-run jobs"
- And then in "Re-run failed jobs"
- And finally click in the green "Re-run jobs" button
-
-> [!NOTE]
-> TODO: We need figures here
-
-### Running the tests locally
-
-In this section, aligning expectations is also something very important, as one
-will not be able to run the tests exactly in the same way the tests are running
-in the CI, as one most likely won't have access to an Azure subscription.
-However, we're trying our best here to provide you with instructions on how to
-run the tests in an environment that's "close enough" and will help you to debug
-issues you find with the current tests, or even provide a proof-of-concept to
-the new test you're trying to add.
-
-The basic steps, which we will cover in details down below are:
-
- 1. Create a VM matching the configuration of the target runner
- 2. Generate the artifacts you'll need for the test, or download them from a
-    current failed run
- 3. Follow the steps provided in the action itself to run the tests.
-
-Although the general overview looks easy, we know that some tricks need to be
-shared, and we'll go through the general process of debugging one non-Kubernetes
-and one Kubernetes specific test for educational purposes.
-
-One important thing to note is that "Create a VM" can be done in innumerable
-different ways, using the tools of your choice.  For the sake of simplicity on
-this guide, we'll be using `kcli`, which we strongly recommend in case you're a
-non-experienced user, and happen to be developing on a Linux box.
-
-For both non-Kubernetes and Kubernetes cases, we'll be using PR #8070 as an
-example, which at the time this document is being written serves us very well
-the purpose, as you can see that we have `nerdctl` and Kubernetes tests failing.
-
-## Debugging tests
-
-### Debugging a non Kubernetes test
-
-As shown above, the `nerdctl` test is failing.
-
-As a developer you can go ahead to the details of the job, and expand the job
-that's failing in order to gather more information.
-
-But when that doesn't help, we need to set up our own environment to debug
-what's going on.
-
-Taking a look at the `nerdctl` test, which is located here, you can easily see
-that it runs-on a `garm-ubuntu-2304-smaller` virtual machine.
-
-The important parts to understand are `ubuntu-2304`, which is the OS where the
-test is running on; and "smaller", which means we're running it on a machine
-with 2 CPUs and 8GB of RAM.
-
-With this information, we can go ahead and create a similar VM locally using `kcli`.
-
-```bash
-$ sudo kcli create vm -i ubuntu2304 -P disks=[60] -P numcpus=2 -P memory=8192 -P cpumodel=host-passthrough debug-nerdctl-pr8070
-```
-
-In order to run the tests, you'll need the "kata-tarball" artifacts, which you
-can build your own using "make kata-tarball" (see below), or simply get them
-from the PR where the tests failed.  To download them, click on the "Summary"
-button that's on the top left corner, and then scroll down till you see the
-artifacts, as shown below.
-
-Unfortunately GitHub doesn't give us a link that we can download those from
-inside the VM, but we can download them on our local box, and then `scp` the
-tarball to the newly created VM that will be used for debugging purposes.
-
-> [!NOTE]
-> Those artifacts are only available (for 15 days) when all jobs are finished.
-
-Once you have the `kata-static.tar.zst` in your VM, you can login to the VM with
-`kcli ssh debug-nerdctl-pr8070`, go ahead and then clone your development branch
-
-```bash
-$ git clone --branch feat_add-fc-runtime-rs https://github.com/nubificus/kata-containers
-```
-
-Add the upstream as a remote, set up your git, and rebase your branch atop of the upstream main one
-
-```bash
-$ git remote add upstream https://github.com/kata-containers/kata-containers
-$ git remote update
-$ git config --global user.email "you@example.com"
-$ git config --global user.name "Your Name"
-$ git rebase upstream/main
-```
-
-Now copy the `kata-static.tar.zst` into your `kata-containers/kata-artifacts` directory
-
-```bash
-$ mkdir kata-artifacts
-$ cp ../kata-static.tar.zst kata-artifacts/
-```
-
-> [!NOTE]
-> If you downloaded the .zip from GitHub you need to uncompress first to see `kata-static.tar.zst`
-
-And finally run the tests following what's in the yaml file for the test you're
-debugging.
-
-In our case, the `run-nerdctl-tests-on-garm.yaml`.
-
-When looking at the file you'll notice that some environment variables are set,
-such as `KATA_HYPERVISOR`, and should be aware that, for this particular example,
-the important steps to follow are:
-
-Install the dependencies
-Install kata
-Run the tests
-
-Let's now run the steps mentioned above exporting the expected environment variables
-
-```bash
-$ export KATA_HYPERVISOR=dragonball
-$ bash ./tests/integration/nerdctl/gha-run.sh install-dependencies
-$ bash ./tests/integration/nerdctl/gha-run.sh install-kata
-$ bash tests/integration/nerdctl/gha-run.sh run
-```
-
-And with this you should've been able to reproduce exactly the same issue found
-in the CI, and from now on you can build your own code, use your own binaries,
-and have fun debugging and hacking!
-
-### Debugging a Kubernetes test
-
-Steps for debugging the Kubernetes tests are very similar to the ones for
-debugging non-Kubernetes tests, with the caveat that what you'll need, this
-time, is not the `kata-static.tar.zst` tarball, but rather a payload to be used
-with kata-deploy.
-
-In order to generate your own kata-deploy image you can generate your own
-`kata-static.tar.zst` and then take advantage of the following script.  Be aware
-that the image generated and uploaded must be accessible by the VM where you'll
-be performing your tests.
-
-In case you want to take advantage of the payload that was already generated
-when you faced the CI failure, which is considerably easier, take a look at the
-failed job, then click in "Deploy Kata" and expand the "Final kata-deploy.yaml
-that is used in the test" section.  From there you can see exactly what you'll
-have to use when deploying kata-deploy in your local cluster.
-
-> [!NOTE]
-> TODO: WAINER TO FINISH THIS PART BASED ON HIS PR TO RUN A LOCAL CI
-
-## Adding new runners
-
-Any admin of the project is able to add or remove GitHub runners, and those are
-the folks you should rely on.
-
-If you need a new runner added, please, tag @ac in the Kata Containers slack,
-and someone from that group will be able to help you.
-
-If you're part of that group and you're looking for information on how to help
-someone, this is simple, and must be done in private. Basically what you have to
-do is:
-
- Go to the kata-containers/kata-containers repo
- Click on the Settings button, located in the top right corner
- On the left panel, under "Code and automation", click on "Actions"
- Click on "Runners"
-
-If you want to add a new self-hosted runner:
-
- In the top right corner there's a green button called "New self-hosted runner"
-
-If you want to remove a current self-hosted runner:
-
- For each runner there's a "..." menu, where you can just click and the
-  "Remove runner" option will show up
-
-## Known limitations
-
-As the GitHub actions are structured right now we cannot: Test the addition of a
-GitHub action that's not triggered by a pull_request event as part of the PR.
-
-[gh-actions]: https://docs.github.com/en/actions
-[monitor-ex01]: https://github.com/kata-containers/kata-containers/commit/a3fb067f1bccde0cbd3fd4d5de12dfb3d8c28b60
-[monitor-ex02]: https://github.com/kata-containers/kata-containers/commit/489caf1ad0fae27cfd00ba3c9ed40e3d512fa492
--- a/ci/darwin-test.sh
+++ b/ci/darwin-test.sh
@@ -7,17 +7,16 @@
 set -e

 cidir=$(dirname "$0")
-runtimedir=${cidir}/../src/runtime
-genpolicydir=${cidir}/../src/tools/genpolicy
+runtimedir=$cidir/../src/runtime

 build_working_packages() {
 	# working packages:
-	device_api=${runtimedir}/pkg/device/api
-	device_config=${runtimedir}/pkg/device/config
-	device_drivers=${runtimedir}/pkg/device/drivers
-	device_manager=${runtimedir}/pkg/device/manager
-	rc_pkg_dir=${runtimedir}/pkg/resourcecontrol/
-	utils_pkg_dir=${runtimedir}/virtcontainers/utils
+	device_api=$runtimedir/pkg/device/api
+	device_config=$runtimedir/pkg/device/config
+	device_drivers=$runtimedir/pkg/device/drivers
+	device_manager=$runtimedir/pkg/device/manager
+	rc_pkg_dir=$runtimedir/pkg/resourcecontrol/
+	utils_pkg_dir=$runtimedir/virtcontainers/utils

 	# broken packages :( :
 	#katautils=$runtimedir/pkg/katautils
@@ -25,15 +24,15 @@ build_working_packages() {
 	#vc=$runtimedir/virtcontainers

 	pkgs=(
-		"${device_api}"
-		"${device_config}"
-		"${device_drivers}"
-		"${device_manager}"
-		"${utils_pkg_dir}"
-		"${rc_pkg_dir}")
+		"$device_api"
+		"$device_config"
+		"$device_drivers"
+		"$device_manager"
+		"$utils_pkg_dir"
+		"$rc_pkg_dir")
 	for pkg in "${pkgs[@]}"; do
-		echo building "${pkg}"
-		pushd "${pkg}" &>/dev/null
+		echo building "$pkg"
+		pushd "$pkg" &>/dev/null
 		go build
 		go test
 		popd &>/dev/null
@@ -41,11 +40,3 @@ build_working_packages() {
 }

 build_working_packages
-
-build_genpolicy() {
-	echo "building genpolicy"
-	pushd "${genpolicydir}" &>/dev/null
-	make TRIPLE=aarch64-apple-darwin build
-}
-
-build_genpolicy
--- a/ci/docs-url-alive-check.sh
+++ b/ci/docs-url-alive-check.sh
@@ -7,6 +7,6 @@
 set -e

 cidir=$(dirname "$0")
-source "${cidir}/../tests/common.bash"
+source "${cidir}/lib.sh"

 run_docs_url_alive_check
--- a/ci/gh-util.sh
+++ b/ci/gh-util.sh
@@ -1,184 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2020 Intel Corporation
-# Copyright (c) 2024 IBM Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-
-set -o errexit
-set -o errtrace
-set -o nounset
-set -o pipefail
-
-[[ -n "${DEBUG:-}" ]] && set -o xtrace
-
-script_name=${0##*/}
-
-#---------------------------------------------------------------------
-
-die()
-{
-    echo >&2 "$*"
-    exit 1
-}
-
-usage()
-{
-    cat <<EOF
-Usage: ${script_name} [OPTIONS] [command] [arguments]
-
-Description: Utility to expand the abilities of the GitHub CLI tool, gh.
-
-Command descriptions:
-
-  list-issues-for-pr     List issues linked to a PR.
-  list-labels-for-issue  List labels, in json format for an issue
-
-Commands and arguments:
-
-  list-issues-for-pr <pr>
-  list-labels-for-issue <issue>
-
-Options:
-
- -h                 Show this help statement.
- -r <owner/repo>    Optional <org/repo> specification. Default: 'kata-containers/kata-containers'
-
-Examples:
-
- List issues for a Pull Request 123 in kata-containers/kata-containers repo
-
-  $ ${script_name} list-issues-for-pr 123
-EOF
-}
-
-list_issues_for_pr()
-{
-    local pr="${1:-}"
-    local repo="${2:-kata-containers/kata-containers}"
-
-    [[ -z "${pr}" ]] && die "need PR"
-
-    local commits
-	commits=$(gh pr view "${pr}" --repo "${repo}" --json commits --jq .commits[].messageBody)
-
-    [[ -z "${commits}" ]] && die "cannot determine commits for PR ${pr}"
-
-    # Extract the issue number(s) from the commits.
-    #
-    # This needs to be careful to take account of lines like this:
-    #
-    # fixes 99
-    # fixes: 77
-    # fixes #123.
-    # Fixes: #1, #234, #5678.
-    #
-    # Note the exclusion of lines starting with whitespace which is
-    # specifically to ignore vendored git log comments, which are whitespace
-    # indented and in the format:
-    #
-    #     "<git-commit> <git-commit-msg>"
-    #
-    local issues
-	issues=$(echo "${commits}" |\
-        grep -v -E "^( |	)" |\
-        grep -i -E "fixes:* *(#*[0-9][0-9]*)" |\
-        tr ' ' '\n' |\
-        grep "[0-9][0-9]*" |\
-        sed 's/[.,\#]//g' |\
-        sort -nu || true)
-
-    [[ -z "${issues}" ]] && die "cannot determine issues for PR ${pr}"
-
-    echo "# Issues linked to PR"
-    echo "#"
-    echo "# Fields: issue_number"
-
-    local issue
-    echo "${issues}" | while read -r issue
-    do
-        printf "%s\n" "${issue}"
-    done
-}
-
-list_labels_for_issue()
-{
-    local issue="${1:-}"
-
-    [[ -z "${issue}" ]] && die "need issue number"
-
-    local labels
-	labels=$(gh issue view "${issue}" --repo kata-containers/kata-containers --json labels)
-
-    [[ -z "${labels}" ]] && die "cannot determine labels for issue ${issue}"
-
-    echo "${labels}"
-}
-
-setup()
-{
-    for cmd in gh jq
-    do
-        command -v "${cmd}" &>/dev/null || die "need command: ${cmd}"
-    done
-}
-
-handle_args()
-{
-    setup
-
-    local opt
-
-    while getopts "hr:" opt "$@"
-    do
-        case "${opt}" in
-            h) usage && exit 0 ;;
-            r) repo="${OPTARG}" ;;
-			*) echo "use '-h' to get list of supprted aruments" && exit 1 ;;
-        esac
-    done
-
-    shift $((OPTIND - 1))
-
-    local repo="${repo:-kata-containers/kata-containers}"
-    local cmd="${1:-}"
-
-    case "${cmd}" in
-        list-issues-for-pr) ;;
-        list-labels-for-issue) ;;
-
-        "") usage && exit 0 ;;
-        *) die "invalid command: '${cmd}'" ;;
-    esac
-
-    # Consume the command name
-    shift
-
-    local issue=""
-    local pr=""
-
-    case "${cmd}" in
-        list-issues-for-pr)
-            pr="${1:-}"
-
-            list_issues_for_pr "${pr}" "${repo}"
-            ;;
-
-        list-labels-for-issue)
-            issue="${1:-}"
-
-            list_labels_for_issue "${issue}"
-            ;;
-
-        *) die "impossible situation: cmd: '${cmd}'" ;;
-    esac
-
-    exit 0
-}
-
-main()
-{
-    handle_args "$@"
-}
-
-main "$@"
--- a/ci/install_go.sh
+++ b/ci/install_go.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+cidir=$(dirname "$0")
+source "${cidir}/lib.sh"
+
+clone_tests_repo
+
+new_goroot=/usr/local/go
+
+pushd "${tests_repo_dir}"
+# Force overwrite the current version of golang
+[ -z "${GOROOT}" ] || rm -rf "${GOROOT}"
+.ci/install_go.sh -p -f -d "$(dirname ${new_goroot})"
+[ -z "${GOROOT}" ] || sudo ln -sf "${new_goroot}" "${GOROOT}"
+go version
+popd
--- a/ci/install_libseccomp.sh
+++ b/ci/install_libseccomp.sh
@@ -7,9 +7,12 @@

 set -o errexit

-script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cidir=$(dirname "$0")
+source "${cidir}/lib.sh"

-source "${script_dir}/../tests/common.bash"
+clone_tests_repo
+
+source "${tests_repo_dir}/.ci/lib.sh"

 # The following variables if set on the environment will change the behavior
 # of gperf and libseccomp configure scripts, that may lead this script to
@@ -21,12 +24,12 @@ workdir="$(mktemp -d --tmpdir build-libseccomp.XXXXX)"

 # Variables for libseccomp
 libseccomp_version="${LIBSECCOMP_VERSION:-""}"
-if [[ -z "${libseccomp_version}" ]]; then
-	libseccomp_version=$(get_from_kata_deps ".externals.libseccomp.version")
+if [ -z "${libseccomp_version}" ]; then
+    libseccomp_version=$(get_version "externals.libseccomp.version")
 fi
 libseccomp_url="${LIBSECCOMP_URL:-""}"
-if [[ -z "${libseccomp_url}" ]]; then
-	libseccomp_url=$(get_from_kata_deps ".externals.libseccomp.url")
+if [ -z "${libseccomp_url}" ]; then
+    libseccomp_url=$(get_version "externals.libseccomp.url")
 fi
 libseccomp_tarball="libseccomp-${libseccomp_version}.tar.gz"
 libseccomp_tarball_url="${libseccomp_url}/releases/download/v${libseccomp_version}/${libseccomp_tarball}"
@@ -34,79 +37,77 @@ cflags="-O2"

 # Variables for gperf
 gperf_version="${GPERF_VERSION:-""}"
-if [[ -z "${gperf_version}" ]]; then
-	gperf_version=$(get_from_kata_deps ".externals.gperf.version")
+if [ -z "${gperf_version}" ]; then
+    gperf_version=$(get_version "externals.gperf.version")
 fi
 gperf_url="${GPERF_URL:-""}"
-if [[ -z "${gperf_url}" ]]; then
-	gperf_url=$(get_from_kata_deps ".externals.gperf.url")
+if [ -z "${gperf_url}" ]; then
+    gperf_url=$(get_version "externals.gperf.url")
 fi
 gperf_tarball="gperf-${gperf_version}.tar.gz"
 gperf_tarball_url="${gperf_url}/${gperf_tarball}"

-# We need to build the libseccomp library from sources to create a static
-# library for the musl libc.
-# However, ppc64le, riscv64 and s390x have no musl targets in Rust. Hence, we do
-# not set cflags for the musl libc.
-if [[ "${arch}" != "ppc64le" ]] && [[ "${arch}" != "riscv64" ]] && [[ "${arch}" != "s390x" ]]; then
-	# Set FORTIFY_SOURCE=1 because the musl-libc does not have some functions about FORTIFY_SOURCE=2
-	cflags="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -O2"
+# We need to build the libseccomp library from sources to create a static library for the musl libc.
+# However, ppc64le and s390x have no musl targets in Rust. Hence, we do not set cflags for the musl libc.
+if ([ "${arch}" != "ppc64le" ] && [ "${arch}" != "s390x" ]); then
+    # Set FORTIFY_SOURCE=1 because the musl-libc does not have some functions about FORTIFY_SOURCE=2
+    cflags="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -O2"
 fi

 die() {
-	msg="$*"
-	echo "[Error] ${msg}" >&2
-	exit 1
+    msg="$*"
+    echo "[Error] ${msg}" >&2
+    exit 1
 }

 finish() {
-	rm -rf "${workdir}"
+    rm -rf "${workdir}"
 }

 trap finish EXIT

 build_and_install_gperf() {
-	echo "Build and install gperf version ${gperf_version}"
-	mkdir -p "${gperf_install_dir}"
-	curl -sLO "${gperf_tarball_url}"
-	tar -xf "${gperf_tarball}"
-	pushd "gperf-${gperf_version}"
-	# Unset $CC for configure, we will always use native for gperf
-	CC="" ./configure --prefix="${gperf_install_dir}"
-	make
-	make install
-	export PATH=${PATH}:"${gperf_install_dir}"/bin
-	popd
-	echo "Gperf installed successfully"
+    echo "Build and install gperf version ${gperf_version}"
+    mkdir -p "${gperf_install_dir}"
+    curl -sLO "${gperf_tarball_url}"
+    tar -xf "${gperf_tarball}"
+    pushd "gperf-${gperf_version}"
+    # gperf is a build time dependency of libseccomp and not to be used in the target.
+    # Unset $CC since that might point to a cross compiler.
+    CC= ./configure --prefix="${gperf_install_dir}"
+    make
+    make install
+    export PATH=$PATH:"${gperf_install_dir}"/bin
+    popd
+    echo "Gperf installed successfully"
 }

 build_and_install_libseccomp() {
-	echo "Build and install libseccomp version ${libseccomp_version}"
-	mkdir -p "${libseccomp_install_dir}"
-	curl -sLO "${libseccomp_tarball_url}"
-	tar -xf "${libseccomp_tarball}"
-	pushd "libseccomp-${libseccomp_version}"
-	[[ "${arch}" == $(uname -m) ]] && cc_name="" || cc_name="${arch}-linux-gnu-gcc"
-	CC=${cc_name} ./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static --host="${arch}"
-	make
-	make install
-	popd
-	echo "Libseccomp installed successfully"
+    echo "Build and install libseccomp version ${libseccomp_version}"
+    mkdir -p "${libseccomp_install_dir}"
+    curl -sLO "${libseccomp_tarball_url}"
+    tar -xf "${libseccomp_tarball}"
+    pushd "libseccomp-${libseccomp_version}"
+    ./configure --prefix="${libseccomp_install_dir}" CFLAGS="${cflags}" --enable-static --host="${arch}"
+    make
+    make install
+    popd
+    echo "Libseccomp installed successfully"
 }

 main() {
-	local libseccomp_install_dir="${1:-}"
-	local gperf_install_dir="${2:-}"
+    local libseccomp_install_dir="${1:-}"
+    local gperf_install_dir="${2:-}"

-	if [[ -z "${libseccomp_install_dir}" ]] || [[ -z "${gperf_install_dir}" ]]; then
-		die "Usage: ${0} <libseccomp-install-dir> <gperf-install-dir>"
-	fi
+    if [ -z "${libseccomp_install_dir}" ] || [ -z "${gperf_install_dir}" ]; then
+        die "Usage: ${0} <libseccomp-install-dir> <gperf-install-dir>"
+    fi

-	pushd "${workdir}"
-	# gperf is required for building the libseccomp.
-	build_and_install_gperf
-	build_and_install_libseccomp
-	popd
+    pushd "$workdir"
+    # gperf is required for building the libseccomp.
+    build_and_install_gperf
+    build_and_install_libseccomp
+    popd
 }

 main "$@"
--- a/ci/install_rust.sh
+++ b/ci/install_rust.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Copyright (c) 2019 Ant Financial
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -e
+
+cidir=$(dirname "$0")
+source "${cidir}/lib.sh"
+
+clone_tests_repo
+
+pushd ${tests_repo_dir}
+.ci/install_rust.sh ${1:-}
+popd
--- a/ci/install_vc.sh
+++ b/ci/install_vc.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+cidir=$(dirname "$0")
+vcdir="${cidir}/../src/runtime/virtcontainers/"
+source "${cidir}/lib.sh"
+export CI_JOB="${CI_JOB:-default}"
+
+clone_tests_repo
+
+if [ "${CI_JOB}" != "PODMAN" ]; then
+	echo "Install virtcontainers"
+	make -C "${vcdir}" && chronic sudo make -C "${vcdir}" install
+fi
--- a/ci/install_yq.sh
+++ b/ci/install_yq.sh
@@ -5,57 +5,28 @@
 # SPDX-License-Identifier: Apache-2.0
 #

-[[ -n "${DEBUG}" ]] && set -o xtrace
-
 # If we fail for any reason a message will be displayed
 die() {
 	msg="$*"
-	echo "ERROR: ${msg}" >&2
+	echo "ERROR: $msg" >&2
 	exit 1
 }

-function verify_yq_exists() {
-	local yq_path=$1
-	local yq_version=$2
-	local expected="yq (https://github.com/mikefarah/yq/) version ${yq_version}"
-	if [[ -x  "${yq_path}" ]] && [[ "$(${yq_path} --version)"X == "${expected}"X ]]; then
-		return 0
-	else
-		return 1
-	fi
-}
-
 # Install the yq yaml query package from the mikefarah github repo
 # Install via binary download, as we may not have golang installed at this point
 function install_yq() {
 	local yq_pkg="github.com/mikefarah/yq"
-	local yq_version=v4.44.5
-	local precmd=""
-	local yq_path=""
+	local yq_version=3.4.1
 	INSTALL_IN_GOPATH=${INSTALL_IN_GOPATH:-true}

-	if [[ "${INSTALL_IN_GOPATH}" == "true" ]]; then
+	if [ "${INSTALL_IN_GOPATH}"  == "true" ];then
 		GOPATH=${GOPATH:-${HOME}/go}
 		mkdir -p "${GOPATH}/bin"
-		yq_path="${GOPATH}/bin/yq"
+		local yq_path="${GOPATH}/bin/yq"
 	else
 		yq_path="/usr/local/bin/yq"
 	fi
-	if verify_yq_exists "${yq_path}" "${yq_version}"; then
-		echo "yq is already installed in correct version"
-		return
-	fi
-	if [[ "${yq_path}" == "/usr/local/bin/yq" ]]; then
-		# Check if we need sudo to install yq
-		if [[ ! -w "/usr/local/bin" ]]; then
-			# Check if we have sudo privileges
-			if ! sudo -n true 2>/dev/null; then
-				die "Please provide sudo privileges to install yq"
-			else
-				precmd="sudo"
-			fi
-		fi
-	fi
+	[ -x  "${yq_path}" ] && [ "`${yq_path} --version`"X == "yq version ${yq_version}"X ] && return

 	read -r -a sysInfo <<< "$(uname -sm)"

@@ -72,19 +43,6 @@ function install_yq() {
 	"aarch64")
 		goarch=arm64
 		;;
-	"arm64")
-		# If we're on an apple silicon machine, just assign amd64. 
-		# The version of yq we use doesn't have a darwin arm build, 
-		# but Rosetta can come to the rescue here.
-		if [[ ${goos} == "Darwin" ]]; then
-			goarch=amd64
-		else 
-			goarch=arm64
-		fi
-		;;
-	"riscv64")
-		goarch=riscv64
-		;;
 	"ppc64le")
 		goarch=ppc64le
 		;;
@@ -106,9 +64,10 @@ function install_yq() {
 	fi

 	## NOTE: ${var,,} => gives lowercase value of var
-	local yq_url="https://${yq_pkg}/releases/download/${yq_version}/yq_${goos}_${goarch}"
-	${precmd} curl -o "${yq_path}" -LSsf "${yq_url}" || die "Download ${yq_url} failed"
-	${precmd} chmod +x "${yq_path}"
+	local yq_url="https://${yq_pkg}/releases/download/${yq_version}/yq_${goos,,}_${goarch}"
+	curl -o "${yq_path}" -LSsf "${yq_url}"
+	[ $? -ne 0 ] && die "Download ${yq_url} failed"
+	chmod +x "${yq_path}"

 	if ! command -v "${yq_path}" >/dev/null; then
 		die "Cannot not get ${yq_path} executable"
--- a/ci/lib.sh
+++ b/ci/lib.sh
@@ -0,0 +1,66 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o nounset
+
+export tests_repo="${tests_repo:-github.com/kata-containers/tests}"
+export tests_repo_dir="$GOPATH/src/$tests_repo"
+export branch="${target_branch:-main}"
+
+# Clones the tests repository and checkout to the branch pointed out by
+# the global $branch variable.
+# If the clone exists and `CI` is exported then it does nothing. Otherwise
+# it will clone the repository or `git pull` the latest code.
+#
+clone_tests_repo()
+{
+	if [ -d "$tests_repo_dir" ]; then
+		[ -n "${CI:-}" ] && return
+		# git config --global --add safe.directory will always append
+		# the target to .gitconfig without checking the existence of
+		# the target, so it's better to check it before adding the target repo.
+		local sd="$(git config --global --get safe.directory ${tests_repo_dir} || true)"
+		if [ -z "${sd}" ]; then
+			git config --global --add safe.directory ${tests_repo_dir}
+		fi
+		pushd "${tests_repo_dir}"
+		git checkout "${branch}"
+		git pull
+		popd
+	else
+		git clone -q "https://${tests_repo}" "$tests_repo_dir"
+		pushd "${tests_repo_dir}"
+		git checkout "${branch}"
+		popd
+	fi
+}
+
+run_static_checks()
+{
+	clone_tests_repo
+	# Make sure we have the targeting branch
+	git remote set-branches --add origin "${branch}"
+	git fetch -a
+	bash "$tests_repo_dir/.ci/static-checks.sh" "$@"
+}
+
+run_docs_url_alive_check()
+{
+	clone_tests_repo
+	# Make sure we have the targeting branch
+	git remote set-branches --add origin "${branch}"
+	git fetch -a
+	bash "$tests_repo_dir/.ci/static-checks.sh" --docs --all "github.com/kata-containers/kata-containers"
+}
+
+run_get_pr_changed_file_details()
+{
+	clone_tests_repo
+	# Make sure we have the targeting branch
+	git remote set-branches --add origin "${branch}"
+	git fetch -a
+	source "$tests_repo_dir/.ci/lib.sh"
+	get_pr_changed_file_details
+}
--- a/ci/openshift-ci/README.md
+++ b/ci/openshift-ci/README.md
@@ -1,157 +0,0 @@
-OpenShift CI
-============
-
-This directory contains scripts used by
-[the OpenShift CI](https://github.com/openshift/release/tree/master/ci-operator/config/kata-containers/kata-containers)
-pipelines to monitor selected functional tests on OpenShift.
-There are 2 pipelines, history and logs can be accessed here:
-
-* [main - currently supported OCP](https://prow.ci.openshift.org/job-history/gs/origin-ci-test/logs/periodic-ci-kata-containers-kata-containers-main-e2e-tests)
-* [next - currently under development OCP](https://prow.ci.openshift.org/job-history/gs/origin-ci-test/logs/periodic-ci-kata-containers-kata-containers-main-next-e2e-tests)
-
-
-Running openshift-tests on OCP with kata-containers manually
-============================================================
-
-To run openshift-tests (or other suites) with kata-containers one can use
-the kata-webhook. To deploy everything you can mimic the CI pipeline by:
-
-```bash
-#!/bin/bash -e
-# Setup your kubectl and check it's accessible by
-kubectl nodes
-# Deploy kata (set KATA_DEPLOY_IMAGE to override the default kata-deploy-ci:latest image)
-./test.sh
-# Deploy the webhook
-KATA_RUNTIME=kata-qemu cluster/deploy_webhook.sh
-```
-
-This should ensure kata-containers as well as kata-webhook are installed and
-working. Before running the openshift-tests it's (currently) recommended to
-ignore some security features by:
-
-```bash
-#!/bin/bash -e
-oc adm policy add-scc-to-group privileged system:authenticated system:serviceaccounts
-oc adm policy add-scc-to-group anyuid system:authenticated system:serviceaccounts
-oc label --overwrite ns default pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/warn=baseline pod-security.kubernetes.io/audit=baseline
-```
-
-Now you should be ready to run the openshift-tests. Our CI only uses a subset
-of tests, to get the current ``TEST_SKIPS`` see
-[the pipeline config](https://github.com/openshift/release/tree/master/ci-operator/config/kata-containers/kata-containers).
-Following steps require the [openshift tests](https://github.com/openshift/origin)
-being cloned and built in the current directory:
-
-```bash
-#!/bin/bash -e
-# Define tests to be skipped (see the pipeline config for the current version)
-TEST_SKIPS="\[sig-node\] Security Context should support seccomp runtime/default\|\[sig-node\] Variable Expansion should allow substituting values in a volume subpath\|\[k8s.io\] Probing container should be restarted with a docker exec liveness probe with timeout\|\[sig-node\] Pods Extended Pod Container lifecycle evicted pods should be terminal\|\[sig-node\] PodOSRejection \[NodeConformance\] Kubelet should reject pod when the node OS doesn't match pod's OS\|\[sig-network\].*for evicted pods\|\[sig-network\].*HAProxy router should override the route\|\[sig-network\].*HAProxy router should serve a route\|\[sig-network\].*HAProxy router should serve the correct\|\[sig-network\].*HAProxy router should run\|\[sig-network\].*when FIPS.*the HAProxy router\|\[sig-network\].*bond\|\[sig-network\].*all sysctl on whitelist\|\[sig-network\].*sysctls should not affect\|\[sig-network\] pods should successfully create sandboxes by adding pod to network"
-# Get the list of tests to be executed
-TESTS="$(./openshift-tests run --dry-run --provider "${TEST_PROVIDER}" "${TEST_SUITE}")"
-# Store the list of tests in /tmp/tsts file
-echo "${TESTS}" | grep -v "$TEST_SKIPS" > /tmp/tsts
-# Remove previously-existing temporarily files as well as previous results
-OUT=RESULTS/tmp
-rm -Rf /tmp/*test* /tmp/e2e-*
-rm -R $OUT
-mkdir -p $OUT
-# Run the tests ignoring the monitor health checks
-./openshift-tests run --provider azure -o "$OUT/job.log" --junit-dir "$OUT" --file /tmp/tsts --max-parallel-tests 5 --cluster-stability Disruptive --run '^\[sig-node\].*|^\[sig-network\]'
-```
-
-[!NOTE]
-Note we are ignoring the cluster stability checks because our public cloud is
-not that stable and running with VMs instead of containers results in minor
-stability issues. Some of the old monitor stability tests do not reflect
-the ``--cluster-stability`` setting, one should simply ignore these. If you
-get a message like ``invariant was violated`` or ``error: failed due to a
-MonitorTest failure``, it's usually an indication that only those kind of
-tests failed but the real tests passed. See
-[wrapped-openshift-tests.sh](https://github.com/openshift/release/blob/master/ci-operator/config/kata-containers/kata-containers/wrapped-openshift-tests.sh)
-for details how our pipeline deals with that.
-
-[!TIP]
-To compare multiple results locally one can use
-[junit2html](https://github.com/inorton/junit2html) tool.
-
-
-Best-effort kata-containers cleanup
-===================================
-
-If you need to cleanup the cluster after testing, you can use the
-``cleanup.sh`` script from the current directory. It tries to delete all
-resources created by ``test.sh`` as well as ``cluster/deploy_webhook.sh``
-ignoring all failures. The primary purpose of this script is to allow
-soft-cleanup after deployment to test different versions without
-re-provisioning everything.
-
-[!WARNING]
-Do not rely on this script in production, return codes are not checked!**
-
-
-Bisecting e2e tests failures
-============================
-
-Let's say the OCP pipeline passed running with
-``quay.io/kata-containers/kata-deploy-ci:kata-containers-d7afd31fd40e37a675b25c53618904ab57e74ccd-amd64``
-but failed running with
-``quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64``
-and you'd like to know which PR caused the regression. You can either run with
-all the 60 tags between or you can utilize the [bisecter](https://github.com/ldoktor/bisecter)
-to optimize the number of steps in between.
-
-Before running the bisection you need a reproducer script. Sample one called
-``sample-test-reproducer.sh`` is provided in this directory but you might
-want to copy and modify it, especially:
-
-* ``OCP_DIR`` - directory where your openshift/release is located (can be exported)
-* ``E2E_TEST`` - openshift-test(s) to be executed (can be exported)
-* behaviour of SETUP (returning 125 skips the current image tag, returning
-  >=128 interrupts the execution, everything else reports the tag as failure
-* what should be executed (perhaps running the setup is enough for you or
-  you might want to be looking for specific failures...)
-* use ``timeout`` to interrupt execution in case you know things should be faster
-
-Executing that script with the GOOD commit should pass
-``./sample-test-reproducer.sh quay.io/kata-containers/kata-deploy-ci:kata-containers-d7afd31fd40e37a675b25c53618904ab57e74ccd-amd64``
-and fail when executed with the BAD commit
-``./sample-test-reproducer.sh quay.io/kata-containers/kata-deploy-ci:kata-containers-9f512c016e75599a4a921bd84ea47559fe610057-amd64``.
-
-To get the list of all tags in between those two PRs you can use the
-``bisect-range.sh`` script
-
-```bash
-./bisect-range.sh d7afd31fd40e37a675b25c53618904ab57e74ccd 9f512c016e75599a4a921bd84ea47559fe610057
-```
-
-[!NOTE]
-The tagged images are only built per PR, not for individual commits. See
-[kata-deploy-ci](https://quay.io/kata-containers/kata-deploy-ci) to see the
-available images.
-
-To find out which PR caused this regression, you can either manually try the
-individual commits or you can simply execute:
-
-```bash
-bisecter start "$(./bisect-range.sh d7afd31fd40 9f512c016)"
-OCP_DIR=/path/to/openshift/release bisecter run ./sample-test-reproducer.sh
-```
-
-[!NOTE]
-If you use ``KATA_WITH_SYSTEM_QEMU=yes`` you might want to deploy once with
-it and skip it for the cleanup. That way you might (in most cases) test
-all images with a single MCP update instead of per-image MCP update.
-
-[!TIP]
-You can check the bisection progress during/after execution by running
-``bisecter log`` from the current directory. Before starting a new
-bisection you need to execute ``bisecter reset``.
-
-
-Peer pods
-=========
-
-It's possible to run similar testing on peer-pods using cloud-api-adaptor.
-Our CI configuration to run inside azure's OCP is in ``peer-pods-azure.sh``
-and can be used to replace the `test.sh` step in snippets above.
--- a/ci/openshift-ci/bisect-range.sh
+++ b/ci/openshift-ci/bisect-range.sh
@@ -1,30 +0,0 @@
-#!/bin/bash
-# Copyright (c) 2024 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-if [[ "$#" -gt 2 ]] || [[ "$#" -lt 1 ]] ; then
-	echo "Usage: $0 GOOD [BAD]"
-	echo "Prints list of available kata-deploy-ci tags between GOOD and BAD commits (by default BAD is the latest available tag)"
-	exit 255
-fi
-GOOD="$1"
-[[ -n "$2" ]] && BAD="$2"
-ARCH=amd64
-REPO="quay.io/kata-containers/kata-deploy-ci"
-
-TAGS=$(skopeo list-tags "docker://${REPO}")
-# For testing
-#echo "$TAGS" > tags
-#TAGS=$(cat tags)
-# Only amd64
-TAGS=$(echo "${TAGS}" | jq '.Tags' | jq "map(select(endswith(\"${ARCH}\")))" | jq -r '.[]')
-# Sort by git
-SORTED=""
-[[ -n "${BAD}" ]] && LOG_ARGS="${GOOD}~1..${BAD}" || LOG_ARGS="${GOOD}~1.."
-for TAG in $(git log --merges --pretty=format:%H --reverse "${LOG_ARGS}"); do
-	[[ "${TAGS}" =~ ${TAG} ]] && SORTED+="
-kata-containers-${TAG}-${ARCH}"
-done
-# Comma separated tags with repo
-echo "${SORTED}" | tail -n +2 | sed -e "s@^@${REPO}:@" | paste -s -d, -
--- a/ci/openshift-ci/cleanup.sh
+++ b/ci/openshift-ci/cleanup.sh
@@ -1,61 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) 2024 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# This script tries to removes most of the resources added by `test.sh` script
-# from the cluster.
-
-scripts_dir=$(dirname "$0")
-deployments_dir=${scripts_dir}/cluster/deployments
-
-# shellcheck disable=SC1091 # import based on variable
-source "${scripts_dir}/lib.sh"
-
-# Set your katacontainers repo dir location
-[[ -z "${katacontainers_repo_dir}" ]] && echo "Please set katacontainers_repo_dir variable to your kata repo"
-
-# Set to 'yes' if you want to configure SELinux to permissive on the cluster
-# workers.
-#
-SELINUX_PERMISSIVE=${SELINUX_PERMISSIVE:-no}
-
-# Enable workaround for OCP 4.13 https://github.com/kata-containers/kata-containers/pull/9206
-#
-WORKAROUND_9206_CRIO=${WORKAROUND_9206_CRIO:-no}
-
-# Ignore errors as we want best-effort-approach here
-trap - ERR
-
-# Delete webhook resources
-oc delete -f "${scripts_dir}/../../tools/testing/kata-webhook/deploy"
-oc delete -f "${scripts_dir}/cluster/deployments/configmap_kata-webhook.yaml.in"
-
-# Delete potential smoke-test resources
-oc delete -f "${scripts_dir}/smoke/service.yaml"
-oc delete -f "${scripts_dir}/smoke/service_kubernetes.yaml"
-oc delete -f "${scripts_dir}/smoke/http-server.yaml"
-
-# Delete test.sh resources
-oc delete -f "${deployments_dir}/relabel_selinux.yaml"
-if [[ "${WORKAROUND_9206_CRIO}" == "yes" ]]; then
-	oc delete -f "${deployments_dir}/workaround-9206-crio-ds.yaml"
-	oc delete -f "${deployments_dir}/workaround-9206-crio.yaml"
-fi
-[[ ${SELINUX_PERMISSIVE} == "yes" ]] && oc delete -f "${deployments_dir}/machineconfig_selinux.yaml.in"
-
-# Delete kata-containers
-pushd "${katacontainers_repo_dir}/tools/packaging/kata-deploy" || { echo "Failed to push to ${katacontainers_repo_dir}/tools/packaging/kata-deploy"; exit 125; }
-oc delete -f kata-deploy/base/kata-deploy.yaml
-oc -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod
-oc apply -f kata-cleanup/base/kata-cleanup.yaml
-echo "Wait for all related pods to be gone"
-( repeats=1; for _ in $(seq 1 600); do
-  oc get pods -l name="kubelet-kata-cleanup" --no-headers=true -n kube-system 2>&1 | grep "No resources found" -q && ((repeats++)) || repeats=1
-  [[ "${repeats}" -gt 5 ]] && echo kata-cleanup finished && break
-  sleep 1
-done) || { echo "There are still some kata-cleanup related pods after 600 iterations"; oc get all -n kube-system; exit 1; }
-oc delete -f kata-cleanup/base/kata-cleanup.yaml
-oc delete -f kata-rbac/base/kata-rbac.yaml
-oc delete -f runtimeclasses/kata-runtimeClasses.yaml
--- a/ci/openshift-ci/cluster/configs/selinux.conf
+++ b/ci/openshift-ci/cluster/configs/selinux.conf
@@ -1,6 +0,0 @@
-# Copyright (c) 2020 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-SELINUX=permissive
-SELINUXTYPE=targeted
--- a/ci/openshift-ci/cluster/deploy_webhook.sh
+++ b/ci/openshift-ci/cluster/deploy_webhook.sh
@@ -1,34 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) 2021 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# This script builds the kata-webhook and deploys it in the test cluster.
-#
-# You should export the KATA_RUNTIME variable with the runtimeclass name
-# configured in your cluster in case it is not the default "kata-ci".
-#
-set -e
-set -o nounset
-set -o pipefail
-
-script_dir="$(realpath "$(dirname "$0")")"
-webhook_dir="${script_dir}/../../../tools/testing/kata-webhook"
-# shellcheck disable=SC1091 # import based on variable
-source "${script_dir}/../lib.sh"
-KATA_RUNTIME=${KATA_RUNTIME:-kata-ci}
-
-pushd "${webhook_dir}" >/dev/null
-# Build and deploy the webhook
-#
-info "Builds the kata-webhook"
-./create-certs.sh
-info "Override our KATA_RUNTIME ConfigMap"
-sed -i deploy/webhook.yaml -e "s/runtime_class: .*$/runtime_class: ${KATA_RUNTIME}/g"
-info "Deploys the kata-webhook"
-oc apply -f deploy/
-
-# Check the webhook was deployed and is working.
-RUNTIME_CLASS="${KATA_RUNTIME}" ./webhook-check.sh
-popd >/dev/null
--- a/ci/openshift-ci/cluster/deployments/configmap_installer_kernel.yaml
+++ b/ci/openshift-ci/cluster/deployments/configmap_installer_kernel.yaml
@@ -1,13 +0,0 @@
-# Copyright (c) 2021 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Instruct the daemonset installer to configure Kata Containers to use the
-# host kernel.
-#
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ci.kata.installer.kernel
-data:
-  host_kernel: "yes"
--- a/ci/openshift-ci/cluster/deployments/configmap_installer_qemu.yaml
+++ b/ci/openshift-ci/cluster/deployments/configmap_installer_qemu.yaml
@@ -1,14 +0,0 @@
-# Copyright (c) 2021 Red Hat, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# Instruct the daemonset installer to configure Kata Containers to use the
-# system QEMU.
-#
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ci.kata.installer.qemu
-data:
-  qemu_path: /usr/libexec/qemu-kvm
-  host_kernel: "yes"
--- a/ci/openshift-ci/cluster/deployments/machineconfig_sandboxedcontainers_extension.yaml
+++ b/ci/openshift-ci/cluster/deployments/machineconfig_sandboxedcontainers_extension.yaml
@@ -1,9 +0,0 @@
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: worker
-  name: 50-enable-sandboxed-containers-extension
-spec:
-  extensions:
-  - sandboxed-containers
--- a/Show More
+++ b/Show More