Azure
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 8 additions & 2 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 10 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/renovate.json‎
Lines changed: 17 additions & 3 deletions b/‎.github/renovate.json‎
Lines changed: 17 additions & 3 deletions
diff --git a/‎.github/workflows/check-coverage.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/check-coverage.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/copilot-setup-steps.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/copilot-setup-steps.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/go-test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/go-test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/golangci-lint.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/golangci-lint.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/shellcheck.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/shellcheck.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/shellspec.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/shellspec.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/validate-components.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/validate-components.yml‎
Lines changed: 3 additions & 3 deletions
@@ -53,6 +53,8 @@ The operational goals of this project are:
 
 When making changes, reason whether the file is used in VHD building stage, or provision stage, or both. Make sure the changes are valid in its life stage. as an example, [windows-vhd-configuration.ps1](./vhdbuilder/packer/windows/windows-vhd-configuration.ps1) defines container images to be cached in VHD, while [configure-windows-vhd.ps1](./vhdbuilder/packer/windows/configure-windows-vhd.ps1) executes commands at provision time.
 
+VHD cleanup steps in `cleanup-vhd.sh` must not silently ignore failures. Verify removal of security-sensitive components and fail the build if expected state is not achieved.
+
 One way to debug / explore / just for fun is to run [e2e](./e2e/) tests. To run locally, follow the readme file under that folder.
 
 The SRE guidelines ground other coding guidelines and practices.
@@ -68,12 +70,16 @@ The SRE guidelines ground other coding guidelines and practices.
 
 ### ShellScripts Guidelines
 
-- use shellcheck for sanity checking
-- use ShellSpec for testing
+- use shellcheck for sanity checking — **all shell scripts must pass the CI shellcheck gate** (`make validate-shell`). This enforces POSIX compliance even in `#!/bin/bash` scripts (e.g., use `[ ]` not `[[ ]]`, use `=` not `==` for string comparison). Use `# shellcheck disable=SCXXXX` inline comments only when necessary and with justification.
+- use ShellSpec for testing — all shell script changes should have corresponding tests in `spec/parts/linux/`
 - the shell scripts are used on both azure linux/mariner and ubuntu and cross platform portability is critical.
 - when using functions defined in other files, ensure it is sourced properly.
+- for scriptless provisioning compatibility, security hotfix functions must be defined in `cse_main.sh` (not sourced from other scripts) so they work standalone.
+- prefer simple single-purpose functions with positional args over complex data-driven designs with associative arrays or encoded strings.
+- use `isUbuntu()`, `isMarinerOrAzureLinux()`, and `isACL()` helper functions for OS detection instead of raw string comparisons.
 - use local variables rather than constants when their scoping allows for it.
 - avoid using variables declared inside another function, even they are visible. It is hard to reason and might introduce subtle bugs.
+- define functions at top-level scope, not nested inside other functions.
 
 ## Pull Request Review Guidelines
 
 
@@ -17,3 +17,13 @@ updates:
     labels:
       - "cleanup"
       - "dependabot"
+
+  - package-ecosystem: "pip"
+    directory: "/vhdbuilder/packer/test/pam"
+    schedule:
+      interval: daily
+      time: "01:00"
+    labels:
+      - "cleanup"
+      - "dependabot"
+    versioning-strategy: increase
@@ -7,9 +7,9 @@
     "custom.regex"
   ],
   "prConcurrentLimit": 0,
-  "prHourlyLimit": 2,
+  "prHourlyLimit": 1,
   "branchConcurrentLimit": 0,
-  "commitHourlyLimit": 2,
+  "commitHourlyLimit": 1,
   "separateMinorPatch": true,
   "recreateWhen": "never",
   "labels": [
@@ -218,8 +218,10 @@
     },
     {
       "matchPackageNames": [
+        "azure-cni",
         "containernetworking/azure-cni"
       ],
+      "groupName": "azure-cni",
       "reviewers": [
         "team:acn-cni-reviewers"
       ],
@@ -380,6 +382,18 @@
         "nilo19"
       ]
     },
+    {
+      "matchPackageNames": [
+        "azure-acr-credential-provider-sysext"
+      ],
+      "groupName": "acr-credential-provider-sysext",
+      "assignees": [
+        "nilo19"
+      ],
+      "reviewers": [
+        "nilo19"
+      ]
+    },
     {
       "matchPackageNames": [
         "kubernetes-cri-tools"
@@ -496,7 +510,7 @@
     },
     {
       "matchPackageNames": [
-        "oss/kubernetes/azure-cloud-node-manager"
+        "**/azure-cloud-node-manager"
       ],
       "groupName": "azure-cloud-node-manager",
       "assignees": [
 
@@ -14,7 +14,7 @@ jobs:
         if: success()
         uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Checkout code
         uses: actions/checkout@v6
       - name: Run unit tests
 
@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
 
       - run: |
           set -ex
 
@@ -8,7 +8,7 @@ jobs:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6
       with:
-        go-version: '1.24'
+        go-version: '1.25'
     - run: |
         set -ex
         make test
 
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - uses: actions/checkout@v6
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
 
@@ -8,7 +8,7 @@ jobs:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6
       with:
-        go-version: '1.24'
+        go-version: '1.25'
     - run: |
         make validate-shell
       name: Lint shell/bash scripts with ShellCheck
@@ -8,7 +8,7 @@ jobs:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6
       with:
-        go-version: '1.24'
+        go-version: '1.25'
     - run: |
         make shellspec-ci
       name: Run shell/bash script unit tests with shellspec
 
@@ -4,12 +4,11 @@ on: pull_request
 jobs:
   cue:
     runs-on: ubuntu-latest
-    environment: test
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
-          go-version: '1.24'
+          go-version: '1.25'
       - name: Install cue
         run: |
           go version
@@ -46,7 +45,8 @@ jobs:
     - uses: actions/checkout@v6
     - uses: actions/setup-go@v6
       with:
-        go-version: '1.24'
+        go-version-file: e2e/go.mod
+        cache-dependency-path: e2e/go.sum
     - name: Run GPU managed components version consistency test
       working-directory: ./e2e
       run: |