From 8e3b2cfc78a45acaa48896aebe184d501a94295d Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Wed, 20 May 2026 16:45:18 +0100 Subject: [PATCH 1/3] security: require human review on updated kind images Signed-off-by: Ashley Davis --- .github/workflows/kind-images-upgrade.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/kind-images-upgrade.yaml b/.github/workflows/kind-images-upgrade.yaml index 22be8df4..daeab219 100644 --- a/.github/workflows/kind-images-upgrade.yaml +++ b/.github/workflows/kind-images-upgrade.yaml @@ -60,7 +60,7 @@ jobs: run: | git config --global user.name "cert-manager-bot" git config --global user.email "cert-manager-bot@users.noreply.github.com" - git add -A && git commit -m "BOT: run 'make upgrade-klone' and 'make generate'" --signoff + git add -A && git commit -m "BOT: run 'make upgrade-kind-images'" --signoff git push -f origin "$SELF_UPGRADE_BRANCH" - if: ${{ steps.is-up-to-date.outputs.result != 'true' }} @@ -92,6 +92,5 @@ jobs: owner, repo, issue_number: result.data.number, - labels: ['skip-review'] }); } From 1327bedf143efd70615e5e87c809f35468f68a04 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Wed, 20 May 2026 16:58:45 +0100 Subject: [PATCH 2/3] security: tighten regexes for kind SHAs Signed-off-by: Ashley Davis --- scripts/learn_kind_images.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/learn_kind_images.sh b/scripts/learn_kind_images.sh index b5250b97..5b2f8d75 100755 --- a/scripts/learn_kind_images.sh +++ b/scripts/learn_kind_images.sh 
@@ -97,7 +97,7 @@ echo "kind_image_kindversion := ${kind_version}" >> "${kind_versionfile}.tmp" echo "" >> "${kind_versionfile}.tmp" release_json=$(curl -fsSL "https://api.github.com/repos/kubernetes-sigs/kind/releases/tags/${kind_version}"| jq ' - [ .body | capture("- v?1\\.(?[0-9]+)(.(?[0-9]+))?: `kindest/node:v(?[^@]+)@sha256:(?[^`]+)`\r"; "g") ] + [ .body | capture("- v?1\\.(?[0-9]+)(\\.(?[0-9]+))?: `kindest/node:v(?[0-9]+\\.[0-9]+\\.[0-9]+(-[A-Za-z0-9.]+)?)@sha256:(?[A-Fa-f0-9]{64})`\r"; "g") ] | group_by(.minor) | map(max_by(.patch)) | sort_by(.minor)' ) From 9c932d0e21265b29b64415886b91bdedf88fc515 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Wed, 20 May 2026 17:53:59 +0100 Subject: [PATCH 3/3] allow other endings to lines than just the carriage return Signed-off-by: Ashley Davis --- scripts/learn_kind_images.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/learn_kind_images.sh b/scripts/learn_kind_images.sh index 5b2f8d75..434e7524 100755 --- a/scripts/learn_kind_images.sh +++ b/scripts/learn_kind_images.sh @@ -96,8 +96,11 @@ echo "kind_image_kindversion := ${kind_version}" >> "${kind_versionfile}.tmp" echo "" >> "${kind_versionfile}.tmp" +# Example literal line from kind release notes that we're trying to match in the capture below: +# - v1.34.3: `kindest/node:v1.34.3@sha256:08497ee19eace7b4b5348db5c6a1591d7752b164530a36f855cb0f2bdcbadd48`\r\n + release_json=$(curl -fsSL "https://api.github.com/repos/kubernetes-sigs/kind/releases/tags/${kind_version}"| jq ' - [ .body | capture("- v?1\\.(?[0-9]+)(\\.(?[0-9]+))?: `kindest/node:v(?[0-9]+\\.[0-9]+\\.[0-9]+(-[A-Za-z0-9.]+)?)@sha256:(?[A-Fa-f0-9]{64})`\r"; "g") ] + [ .body | capture("- v?1\\.(?[0-9]+)(\\.(?[0-9]+))?: `kindest/node:v(?[0-9]+\\.[0-9]+\\.[0-9]+(-[A-Za-z0-9.]+)?)@sha256:(?[A-Fa-f0-9]{64})`(\\r?\\n|$)"; "g") ] | group_by(.minor) | map(max_by(.patch)) | sort_by(.minor)' )
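Review bot: The tightened capture on the `+` line turns any drift in kind's release-note format into an empty `release_json` array instead of a wrong match, and nothing in the hunk fails on that case, so the script could carry on and write a version file with no images; add a guard right after the assignment, `[ "$(jq length <<<"$release_json")" -gt 0 ] || { echo "no kindest/node images parsed from ${kind_version} release notes" >&2; exit 1; }`. The captured `minor` and `patch` values are strings, so the `group_by`/`max_by`/`sort_by` pipeline below compares them lexicographically (`"9"` sorts after `"10"`); inserting `| map(.minor |= tonumber | .patch |= ((. // "0") | tonumber))` before `group_by` removes that latent ordering bug and also covers the optional `patch` group being null. The `release_json=$(...)` statement is complete within the hunk, but whatever consumes `release_json` is outside it, so the write-through claim is inferred from the `${kind_versionfile}.tmp` lines above.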
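Review bot: The new comment shows the literal line being matched but not why the sub-patterns are strict, which is the security-relevant part of this capture; a second line would make the intent durable: `# The version and digest sub-patterns are deliberately strict: a bullet that does not match is dropped rather than copied into the generated file.` The `$` alternative added at the end depends on jq's Oniguruma anchor semantics (`$` may be end-of-string rather than end-of-line under the syntax options jq compiles with — verify), so the `\\r?\\n` branch is presumably what matches every bullet except the last; a short note next to the example would save the next reader that investigation. The statement is complete within the hunk; the code that consumes `release_json` is outside it.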