chore: backport 04/20/2026

.github/workflows/chart.yml

@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ on:
     paths-ignore: [docs/**, "**.md", "**.mdx", "**.png", "**.jpg"]
 
 env:
-  GO_VERSION: '1.25.8'
+  GO_VERSION: '1.25.9'
   CERT_MANAGER_VERSION: 'v1.16.2'
 
 jobs:
@@ -184,7 +184,7 @@ jobs:
 
       - name: Upload logs
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: e2e-logs-${{ matrix.customized-settings }}
           path: test/e2e/logs-${{ matrix.customized-settings }}/

.github/workflows/code-lint.yml

@@ -14,7 +14,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: "1.25.8"
+  GO_VERSION: "1.25.9"
 
 jobs:
   detect-noop:

.github/workflows/codeql-analysis.yml

@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,4 +69,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+      uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4

.github/workflows/codespell.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
         with:
           egress-policy: audit
 

.github/workflows/release.yml

@@ -20,7 +20,7 @@ env:
   HUB_AGENT_IMAGE_NAME: hub-agent
   MEMBER_AGENT_IMAGE_NAME: member-agent
   REFRESH_TOKEN_IMAGE_NAME: refresh-token
-  GO_VERSION: "1.25.8"
+  GO_VERSION: "1.25.9"
 
 jobs:
   export-registry:
@@ -46,7 +46,7 @@ jobs:
           ref: ${{ needs.export-registry.outputs.tag }}
 
       - name: Login to ghcr.io
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/trivy.yml

@@ -18,7 +18,7 @@ env:
   MEMBER_AGENT_IMAGE_NAME: member-agent
   REFRESH_TOKEN_IMAGE_NAME: refresh-token
 
-  GO_VERSION: '1.25.8'
+  GO_VERSION: '1.25.9'
 
 jobs:
   export-registry:
@@ -47,7 +47,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Login to ${{ env.REGISTRY }}
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}

.github/workflows/upgrade.yml

@@ -17,7 +17,7 @@ on:
     paths-ignore: [docs/**, "**.md", "**.mdx", "**.png", "**.jpg"]
 
 env:
-  GO_VERSION: '1.25.8'
+  GO_VERSION: '1.25.9'
 
 jobs:
   detect-noop:

.golangci.yml

@@ -1,6 +1,6 @@
 run:
   timeout: 15m
-  go: '1.25.8'
+  go: '1.25.9'
 
 linters-settings:
   stylecheck:

MAINTAINERS.md

@@ -1,10 +1,11 @@
 # The KubeFleet Maintainers
 
-| Maintainer     | Organization | GitHub Username                                    |
-|----------------|--------------|----------------------------------------------------|
-| Ryan Zhang     | Microsoft    | [@ryanzhang-oss](https://github.com/ryanzhang-oss) |
-| Zhiying Lin    | Microsoft    | [@zhiying-lin](https://github.com/zhiying-lin)     |
-| Chen Yu        | Microsoft    | [@michaelawyu](https://github.com/michaelawyu)     |
-| Wei Weng       | Microsoft    | [@weng271190436](https://github.com/weng271190436) |
-| Yetkin Timocin | Microsoft    | [@ytimocin](https://github.com/ytimocin)           |
-| Simon Waight   | Microsoft    | [@sjwaight](https://github.com/sjwaight)           |
+| Maintainer       | Organization | GitHub Username                                    |
+|------------------|--------------|----------------------------------------------------|
+| Ryan Zhang       | Microsoft    | [@ryanzhang-oss](https://github.com/ryanzhang-oss) |
+| Zhiying Lin      | Microsoft    | [@zhiying-lin](https://github.com/zhiying-lin)     |
+| Chen Yu          | Microsoft    | [@michaelawyu](https://github.com/michaelawyu)     |
+| Wei Weng         | Microsoft    | [@weng271190436](https://github.com/weng271190436) |
+| Yetkin Timocin   | Microsoft    | [@ytimocin](https://github.com/ytimocin)           |
+| Stéphane Erbrech | Microsoft    | [@serbrech](https://github.com/serbrech)           |
+| Simon Waight     | Microsoft    | [@sjwaight](https://github.com/sjwaight)           |

Makefile

@@ -49,6 +49,7 @@ HUB_SERVER_URL ?= https://172.19.0.2:6443
 HUB_KIND_CLUSTER_NAME = hub-testing
 MEMBER_KIND_CLUSTER_NAME = member-testing
 MEMBER_CLUSTER_COUNT ?= 3
+JOIN_MEMBERS ?= false
 
 # Directories
 ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
@@ -217,6 +218,18 @@ e2e-tests-custom: setup-clusters ## Run custom E2E tests with labels
 .PHONY: setup-clusters
 setup-clusters: ## Set up Kind clusters for E2E testing
 	cd ./test/e2e && chmod +x ./setup.sh && ./setup.sh $(MEMBER_CLUSTER_COUNT)
+ifeq ($(JOIN_MEMBERS),true)
+	$(MAKE) join-members
+else
+	@echo ""
+	@echo "Clusters are ready but member clusters have not been joined to the hub."
+	@echo "To join them, run: make join-members"
+	@echo "Or re-run with: JOIN_MEMBERS=true make setup-clusters"
+endif
+
+.PHONY: join-members
+join-members: ## Join member clusters to the hub cluster (run after setup-clusters)
+	cd ./test/e2e && chmod +x ./join.sh && ./join.sh $(MEMBER_CLUSTER_COUNT)
 
 .PHONY: collect-e2e-logs
 collect-e2e-logs: ## Collect logs from hub and member agent pods after e2e tests

apis/placement/v1beta1/commons.go

@@ -74,6 +74,11 @@ const (
 	// MemberClusterFinalizer is used to make sure that we handle gc of all the member cluster resources on the hub cluster.
 	MemberClusterFinalizer = FleetPrefix + "membercluster-finalizer"
 
+	// MemberNameLabel is a label automatically added to MemberCluster objects
+	// with the value set to the MemberCluster's name. This enables selecting clusters
+	// by name in ResourceOverride and ClusterResourceOverride via labelSelector.
+	MemberNameLabel = FleetPrefix + "member-name"
+
 	// WorkFinalizer is used by the work generator to make sure that the binding is not deleted until the work objects
 	// it generates are all deleted, or used by the work controller to make sure the work has been deleted in the member
 	// cluster.

charts/README.md

@@ -9,11 +9,11 @@ This directory contains Helm charts for deploying KubeFleet components.
 
 ## Chart Versioning
 
-**Important:** Chart versions match the KubeFleet release versions. When a KubeFleet release is tagged (e.g., `v0.2.1`), the Helm charts are published with the same version (`0.2.1`).
+**Important:** Chart versions match the KubeFleet release versions. When a KubeFleet release is tagged (e.g., `v0.3.0`), the Helm charts are published with the same version (`0.3.0`).
 
-**Example:** To install KubeFleet v0.2.1, use:
+**Example:** To install KubeFleet v0.3.0, use:
 ```bash
-helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent --version 0.2.1
+helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent --version 0.3.0 --namespace fleet-system --create-namespace
 ```
 
 This ensures consistency between the application version and the chart version, making it easy to know which chart version to use with each KubeFleet release.
@@ -43,7 +43,10 @@ helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
 helm install member-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/member-agent \
   --version VERSION \
   --namespace fleet-system \
-  --create-namespace
+  --create-namespace \
+  --set config.hubURL=https://<hub-api-server> \
+  --set config.hubCA=<base64-encoded-hub-ca> \
+  --set config.memberClusterName=<member-cluster-name>
 ```
 
 ### Option 2: Traditional Helm Repository
@@ -65,17 +68,20 @@ helm install hub-agent kubefleet/hub-agent \
 # Install member-agent
 helm install member-agent kubefleet/member-agent \
   --namespace fleet-system \
-  --create-namespace
+  --create-namespace \
+  --set config.hubURL=https://<hub-api-server> \
+  --set config.hubCA=<base64-encoded-hub-ca> \
+  --set config.memberClusterName=<member-cluster-name>
 ```
 
 ### Installing Specific Versions
 
 #### OCI Registry
 
 ```bash
-# Install a specific version from OCI registry (e.g., v0.2.1 release)
+# Install a specific version from OCI registry (e.g., v0.3.0 release)
 helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
-  --version 0.2.1 \
+  --version 0.3.0 \
   --namespace fleet-system \
   --create-namespace
 ```
@@ -86,9 +92,9 @@ helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
 # List available versions
 helm search repo kubefleet --versions
 
-# Install a specific version (e.g., v0.2.1 release)
+# Install a specific version (e.g., v0.3.0 release)
 helm install hub-agent kubefleet/hub-agent \
-  --version 0.2.1 \
+  --version 0.3.0 \
   --namespace fleet-system \
   --create-namespace
 ```
@@ -98,13 +104,13 @@ helm install hub-agent kubefleet/hub-agent \
 #### OCI Registry
 
 ```bash
-# Upgrade to a specific version (e.g., v0.2.1)
+# Upgrade to a specific version (e.g., v0.3.0)
 helm upgrade hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
-  --version 0.2.1 \
+  --version 0.3.0 \
   --namespace fleet-system
 
 helm upgrade member-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/member-agent \
-  --version 0.2.1 \
+  --version 0.3.0 \
   --namespace fleet-system
 ```
 
@@ -137,7 +143,12 @@ For development and testing, you can install charts directly from the local repo
 ```bash
 # Install from local path
 helm install hub-agent ./charts/hub-agent --namespace fleet-system --create-namespace
-helm install member-agent ./charts/member-agent --namespace fleet-system --create-namespace
+helm install member-agent ./charts/member-agent \
+  --namespace fleet-system \
+  --create-namespace \
+  --set config.hubURL=https://<hub-api-server> \
+  --set config.hubCA=<base64-encoded-hub-ca> \
+  --set config.memberClusterName=<member-cluster-name>
 ```
 
 ### Linting

charts/hub-agent/README.md

@@ -2,7 +2,7 @@
 
 ## Chart Versioning
 
-Chart versions match the KubeFleet release versions. For example, to install KubeFleet v0.2.1, use chart version `0.2.1`.
+Chart versions match the KubeFleet release versions. For example, to install KubeFleet v0.3.0, use chart version `0.3.0`.
 
 ## Install Chart
 
@@ -54,12 +54,16 @@ helm install cert-manager jetstack/cert-manager \
 # Then install hub-agent with cert-manager enabled (OCI, specify VERSION)
 helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
   --version VERSION \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set enableWebhook=true
 
 # Or using traditional repository
 helm install hub-agent kubefleet/hub-agent \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set enableWebhook=true
@@ -156,12 +160,16 @@ helm install cert-manager jetstack/cert-manager \
 # Then install hub-agent with cert-manager enabled (OCI, specify VERSION)
 helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
   --version VERSION \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set enableWebhook=true
 
 # Or using traditional repository
 helm install hub-agent kubefleet/hub-agent \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set enableWebhook=true
@@ -177,12 +185,16 @@ Example with custom secret name:
 # Using OCI registry (specify VERSION)
 helm install hub-agent oci://ghcr.io/kubefleet-dev/kubefleet/charts/hub-agent \
   --version VERSION \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set webhookCertSecretName=my-webhook-secret
 
 # Using traditional repository
 helm install hub-agent kubefleet/hub-agent \
+  --namespace fleet-system \
+  --create-namespace \
   --set useCertManager=true \
   --set enableWorkload=true \
   --set webhookCertSecretName=my-webhook-secret